Server 2012 Essentials Active Directory users

I am in the process of setting up a small business with 40 users and 12 workstations. Most of the users will be working at a client site on their workstation and some will have access to Anywhere Access. I'm aware that Essentials is limited to 25 users; my question is: can I only create 25 AD accounts, or can I create 40, as all 40 users will not require concurrent access at any given time?

Hi,
when you say Essentials role experience is included, does this include Remote Anywhere feature in Essentials?
The Windows Server Essentials Experience role is available in Windows Server 2012 R2 Standard and Windows Server 2012 R2 Datacenter. When you install the Windows Server Essentials Experience role, you can take advantage of all the features that are available to you in Windows Server 2012 R2 Essentials without the locks and limits enforced in it. The Windows Server Essentials Experience role enables you to use the Anywhere Access functionalities on the server (such as Remote Web Access and virtual private networks) to access your server, network computers, and data from remote locations in a highly secure manner. For more details, please refer to the following article.
Windows Server Essentials Experience Overview
For configuring Anywhere Access functionalities in Windows Server Essentials, please refer to the following article and check if it can help you.
Manage Anywhere Access in Windows Server Essentials
By the way, if you only have Windows Server 2012 Essentials, there are two scenarios in which Windows Server 2012 Essentials can be used in environments with more than 25 users. For more details, please refer to the following article.
Using Windows Server 2012 Essentials with more than 25 users
However, as Cliff and diramoh suggested, Windows Server 2012 R2 Standard with the Windows Server Essentials Experience role installed will be a better option.
If I misunderstood anything or there is any update, please don't hesitate to let us know.
Hope this helps.
Best regards,
Justin Gu

Similar Messages

  • Windows 2008 Server - Cannot run Active Directory Users and Computers

    Hi,
    I am running Windows 2008 Server with latest windows updates installed. Directory Services Role also.
    I attempt to open Active Directory Users and Computers tool and I get a;
    Microsoft Visual C++ Runtime Library error;
    "The Application has requested the runtime to terminate it in a unusual way. Please contact the application's support team for more information"
    I click ok, then get the following debug info;
    Problem signature:
    Problem Event Name: APPCRASH
    Application Name: mmc.exe
    Application Version: 6.0.6001.18000
    Application Timestamp: 47919524
    Fault Module Name: msvcrt.dll
    Fault Module Version: 7.0.6001.18000
    Fault Module Timestamp: 4791ad6b
    Exception Code: 40000015
    Exception Offset: 0000000000029b06
    OS Version: 6.0.6001.2.1.0.272.7
    Locale ID: 3081
    Additional Information 1: 43aa
    Additional Information 2: cf3a46656318492c1997480001b6b0e0
    Additional Information 3: 3837
    Additional Information 4: 92f72e0d0589ff77cef51e0a413aeff6
    Read our privacy statement:
    http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409
    If someone could please assist, it would be very much appreciated.
    Regards
    B

     
    Hi,
    To solidly troubleshoot this kind of issue, we need to debug the dump file. A suggestion would be to contact Microsoft Customer Service and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request.
    To obtain the phone numbers for specific technology request please take a look at the web site listed below:
    http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607
    However, I am also glad to share my research.
    Some third party applications may lead to this error. Please check whether you have installed other third party applications on Windows Server 2008.
    Also, please follow the article below to perform the necessary steps and see how it goes.
    FIX: You receive an "invalid page fault in module MSVCRT.DLL" error message after you install the run-time libraries from Visual C++ 6.0
    http://support.microsoft.com/kb/190536/en-us
    Hope this helps.
    Best wishes
    Morgan Che

  • New Server 2012 install - Active Directory not working properly

    We recently converted from 2003 to 2012. Our 2012 R2 server seems to be running fine. We did a DCPROMO on the OLD 2003 DC just fine but now there are all sorts of odd errors (Sharepoint can't authenticate users, Can't run Exchange 2013 on another 2012 server because it can't find AD, etc.)
    on the DC we have a Group Policy error 1096. "Group Policy Object LDAP://CN=User,cn={2B476B3E-2749-4B1B-8EC1-F5672A66F94F},cn=policies,cn=system,DC=mydom,DC=local\\mydom.local\SysVol\mydom.local\Policies\{2B476B3E-2749-4B1B-8EC1-F5672A66F94F}\User\registry.pol"
    So far I haven't found anything on how to fix this (and the AD itself.) There are some errors in the DCDIAG log, too:
          Starting test: NetLogons
             Unable to connect to the NETLOGON share! (\\ISD-DC1\netlogon)
             [ISD-DC1] An net use or LsaPolicy operation failed with error 67,
             The network name cannot be found..
          Starting test: FrsEvent
             There are warning or error events within the last 24 hours after the
             SYSVOL has been shared.  Failing SYSVOL replication problems may cause
             Group Policy problems.
    Any suggestions how we can fix these errors are greatly appreciated!

    Hi,
    Did you migrate the Active Directory from Windows server 2003 to Windows server 2012?
    Please refer to this article:
    https://blogs.technet.com/b/canitpro/archive/2013/05/27/step-by-step-active-directory-migration-from-windows-server-2003-to-windows-server-2012.aspx
    Regards.
    Vivian Wang

  • SBS 2008 to Server 2012 R2 Active Directory Migration

    Is there a tool that I can use to migrate Active Directory from SBS 2008 to Server 2012 R2?

    There is no special tool for your situation. While there is a tool called ADMT that you may see mentioned if you search enough, it isn't really well suited for what you want.
    With that said, there is also no *need* for a tool as I've already said. Nor do you need to recreate the users and have mismatched SIDs. You will add the 2012 machine to your existing domain and make it a domain controller. Yes, that means you will have two DCs (for a time.) This is how larger organizations handle multiple DCs all the time, and they obviously don't go and create the same user on each DC. That is where the domain replication comes in. Your new server will be a DC and will replicate all of the users *and* SIDs from the existing SBS server.
    Then, when you are ready, you decommission the SBS 2008 server gracefully and the new 2012 server becomes your sole DC, but has AD completely intact. It is a tried and true practice, both within and outside of the SBS world, and has been done many many times.

  • Upgrade from Windows Server 2012 Active Directory to Windows Server 2012 R2 Active Directory

    We are currently running Windows Server 2012 Active Directory and would like to upgrade to Windows Server 2012 R2 AD. Is it OK to just do an in-place upgrade, or is it advisable to build new domain controllers on R2? Are there any guides or articles anyone can recommend?

    Hi Ginandtonic,
    To upgrade a DC (Domain Controller) from Windows Server 2012 to Windows Server 2012 R2, please refer to these articles:
    Upgrade from windows Server 2012 to 2012 R2
    Upgrade Active Directory from 2012 to 2012 R2
    I hope this helps.
    Best Regards,
    Anna

  • Server 2012 restrict active directory dynamic ports

    Hello,
    Has anyone encountered issues with restricting the Active Directory dynamic ports for Netlogon and NTDS in Server 2012? I have added the typical registry entries as described below but I still see my RDS gateway in the DMZ trying to communicate to my internal DC over other ephemeral ports (49158). I have rebooted the DC after the registry changes and still no effect. Are the reg entries the same in 2012? Any help would be appreciated. Thank you
    Registry key 1 
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters 
    Registry value: TCP/IP Port 
    Value type: REG_DWORD 
    Value data: 49152 (This value needs to be specified in decimal format)
    Registry key 2 
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters 
    Registry value: DCTcpipPort 
    Value type: REG_DWORD 
    Value data: 49153 (This value needs to be specified in decimal format)
    Eddie Espino | Secure Data Solutions | Miami, Florida | Microsoft Partner

    Hi,
    There are at least two options that can be used to allow replication when there are network traffic filters (aka firewall) in the network, across two DCs:
    1. Use registry keys on the DCs to force communication over specific ports
    2. Use IPsec to restrict the traffic to two ports only (IP 50 and IP 51)
    I tried to find some relevant documents, but could not find support for restricting the Active Directory dynamic ports for Netlogon and NTDS in Server 2012. You could refer to the following article, it may help you to solve your issues:
    Restricting AD Replication Traffic between DCs to only a few ports
    http://blogs.technet.com/b/luistog/archive/2012/05/08/restricting-ad-replication-traffic-between-dcs-to-only-a-few-ports.aspx
    Regards,
    Mandy Ye

  • Server 2012 R2 Active Directory delegation and access

    May be a simple question...
    In my company I have installed a backup domain controller on Hyper-V for IT administration. All I want the IT admin guy to do is create users, modify their password and join clients to domain. He should not be allowed to change group memberships, or tweak group policies.
    I understand the delegation process - using the wizard I assigned the tasks create/delete/change password and join domain. Also created a policy that allows IT admins to log in to this backup domain controller.
    However, since the IT admins are just domain users, they are unable to open dsa.msc without providing an admin password. If I make the users a member of "Account Manager" then they are able to open the dsa after providing credentials but can also change the group permissions.
    How can I implement this lock down in my environment?

    Thank you so much guys. So I demoted the computer, and installed RSAT. Now the IT Managers can log onto the machine. Although I had to manually set the delegation permissions (the wizard kept giving full rights on a particular condition, will discuss more on this when I find out what's happening).
    I have another problem though ..
    So we have an OU: Employees. Inside the OU I have created many template user accounts, such as Sales.Test, Service.Test, etc.
    The idea is to allow IT admins to create new users by copying these templates, so that proper group associations are set. However, since I have not allowed the IT admins to change group associations, the copying fails in the end with error: cannot add user xxx to group yyy.
    Any suggestions?
    -- The groups are in a separate OU; it will also be okay if the IT admins can change associations for selected groups..

    Why don't you simply use the Powershell method I already shared in the Wiki? That way, you should not be facing these problems.
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK

  • What do I need to do to enable Active Directory users to authenticate to AFP shares in 10.8 server?

    We recently upgraded from 10.6 server to 10.8 server and are having trouble with AFP shares and Active Directory.  We have shares on each of our OS X servers that should be mountable by any Active Directory user at the site the server resides.  In 10.6, this worked beautifully.  Simply adding the appropriate AD groups with appropriate permissions to the ACL of the folder(s) being shared worked without a hitch.  In 10.8 server, this is not working.  Permissions are defined correctly (as far as I can tell), the server is bound to AD, but yet no AD user who should have access can mount the share.  When attempting to mount the share on a 10.6 client, the user gets the short and simple "You entered an invalid username or password.  Please try again."  On a 10.7 client, the window shakes. 
    What confuses me even more is that no local users can mount the share as well.  I try as our admin account, I receive the following error message on our 10.6 clients:
    Actually, as I was formulating this post, logging in as the server administrator account is now working...???!!!
    This was the error message we were receiving on 10.7 clients before it magically started working:
    In any case, authenticating as an AD user is still no go.  Any ideas?

    I had something similar to this. In the name field put in DOMAIN\username rather than just the name.

  • Not able to open active directory user and computer in windows server 2008r2

    Hi All techies,
    I would like to know about one issue which I am facing mostly. I have created 5 virtual machines, all with Windows Server 2008 R2, and one Windows 7 on VMware. Now whenever I start my virtual machines everything goes right, but when I try to open Active Directory Users and Computers or Domains and Trusts I get the following error: "data from active directory user and computers is not available from dc(null) bcoz unspecified error". Even when I check in the event log it gives me no help, and after 15-30 min everything works well.
    Please let me know the cause of it; I would really appreciate it.
    Thanks
    Atul

    You need to ensure that
    1. the group policy that says "wait for network before logon" is applied to all computers, including servers and workstations
    2. DNS record exists for all DCs in DNS
    3. If there are multiple Domain Controllers in Forests, then they point them as secondary DNS server. This way they will be able to resolve IPs if local DNS server service takes time to start.
    As Chris mentioned, you need to start all DCs first, give a time of 5 minutes and then start member servers and workstations for successful logon.
    - Sarvesh Goel - Enterprise Messaging Administrator

  • Active directory users and computers wont start on a dc, "the server is not operational"

    In our environment, we have 3 dc's 
    two which run server 2008 (they work perfectly)
    and one never off branch dc that runs server 2008 r2.
    We have been having some problems where we feel the replication isn't up to speed (stuff could take up to 24 hours to replicate), and now when I tried opening Active Directory Users and Computers I am met with this error window:
    We have a third party DNS solution.
    How do i troubleshoot this issue?

    dc01 (which replicates perfectly with dc02, and vice versa)
    dcdiag /test:dns
    C:\Users\adminuser>dcdiag /test:dns
    Domain Controller Diagnosis
    Performing initial setup:
    Done gathering initial info.
    Doing initial required tests
    Testing server: Hostingpartner\ourdc01
    Starting test: Connectivity
    ......................... ourDC01 passed test Connectivity
    Doing primary tests
    Testing server: Hostingpartner\ourdc01
    DNS Tests are running and not hung. Please wait a few minutes...
    Running partition tests on : ForestDnsZones
    Running partition tests on : DomainDnsZones
    Running partition tests on : Schema
    Running partition tests on : Configuration
    Running partition tests on : int
    Running enterprise tests on : int.domain.com
    Starting test: DNS
    Test results for domain controllers:
    DC: ourdc01.int.domain.com
    Domain: int.domain.com
    TEST: Delegations (Del)
    Error: DNS server: ourdc02.int.domain.com. IP:xx.xx.xx.32 [Broken delegated domain domaindnszones.int.domain.com.]
    Error: DNS server: ourdc02.int.domain.com. IP:xx.xx.xx.32 [Broken delegated domain forestdnszones.int.domain.com.]
    Summary of test results for DNS servers used by the above domain controllers:
    DNS server: xx.xx.xx.32 (ourdc02.int.domain.com.)
    2 test failures on this DNS server
    Delegation is broken for the domain domaindnszones.int.domain.com. on the DNS server xx.xx.xx.32
    Delegation is broken for the domain forestdnszones.int.domain.com. on the DNS server xx.xx.xx.32
    Summary of DNS test results:
    Auth Basc Forw Del Dyn RReg Ext
    Domain: int.domain.com
    ourdc01 PASS PASS PASS FAIL n/a PASS n/a
    ......................... int.domain.com failed test DNS
    dcdiag on dc01(which can replicate with dc02)
    C:\Users\adminuser>dcdiag
    Domain Controller Diagnosis
    Performing initial setup:
    Done gathering initial info.
    Doing initial required tests
    Testing server: hostingpartner\ourdc01
    Starting test: Connectivity
    ......................... OURDC01 passed test Connectivity
    Doing primary tests
    Testing server: hostingpartner\ourdc01
    Starting test: Replications
    [Replications Check,OURDC01] DsReplicaGetInfoW(PENDING_OPS) failed with error 8453,
    Win32 Error 8453.
    ......................... OURDC01 failed test Replications
    Starting test: NCSecDesc
    ......................... OURDC01 passed test NCSecDesc
    Starting test: NetLogons
    [OURDC01] User credentials does not have permission to perform this operation.
    The account used for this test must have network logon privileges
    for this machine's domain.
    ......................... OURDC01 failed test NetLogons
    Starting test: Advertising
    ......................... OURDC01 passed test Advertising
    Starting test: KnowsOfRoleHolders
    ......................... OURDC01 passed test KnowsOfRoleHolders
    Starting test: RidManager
    ......................... OURDC01 passed test RidManager
    Starting test: MachineAccount
    ......................... OURDC01 passed test MachineAccount
    Starting test: Services
    ......................... OURDC01 passed test Services
    Starting test: ObjectsReplicated
    ......................... OURDC01 passed test ObjectsReplicated
    Starting test: frssysvol
    ......................... OURDC01 passed test frssysvol
    Starting test: frsevent
    ......................... OURDC01 passed test frsevent
    Starting test: kccevent
    ......................... OURDC01 passed test kccevent
    Starting test: systemlog
    An Error Event occured. EventID: 0xC0002719
    Time Generated: 04/04/2013 15:04:29
    (Event String could not be retrieved)
    An Error Event occured. EventID: 0xC0002719
    Time Generated: 04/04/2013 15:04:50
    (Event String could not be retrieved)
    An Error Event occured. EventID: 0xC0002719
    Time Generated: 04/04/2013 15:10:56
    (Event String could not be retrieved)
    An Error Event occured. EventID: 0xC0002719
    Time Generated: 04/04/2013 15:11:17
    (Event String could not be retrieved)
    ......................... OURDC01 failed test systemlog
    Starting test: VerifyReferences
    ......................... OURDC01 passed test VerifyReferences
    Running partition tests on : ForestDnsZones
    Starting test: CrossRefValidation
    ......................... ForestDnsZones passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... ForestDnsZones passed test CheckSDRefDom
    Running partition tests on : DomainDnsZones
    Starting test: CrossRefValidation
    ......................... DomainDnsZones passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... DomainDnsZones passed test CheckSDRefDom
    Running partition tests on : Schema
    Starting test: CrossRefValidation
    ......................... Schema passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... Schema passed test CheckSDRefDom
    Running partition tests on : Configuration
    Starting test: CrossRefValidation
    ......................... Configuration passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... Configuration passed test CheckSDRefDom
    Running partition tests on : int
    Starting test: CrossRefValidation
    ......................... int passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... int passed test CheckSDRefDom
    Running enterprise tests on : int.domain.com
    Starting test: Intersite
    ......................... int.domain.com passed test Intersite
    Starting test: FsmoCheck
    ......................... int.domain.com passed test FsmoCheck
    The problematic dc03:
    Dcdiag gives the same output as dcdiag /test:dns
    C:\Users\adminuser>dcdiag
    Directory Server Diagnosis
    Performing initial setup:
    Trying to find home server...
    Home Server = OURDC03
    Ldap search capabality attribute search failed on server NTSDC03, return
    value = 81
    We have an infoblox dns server on ip address xxx.y.y.251.
    first error in event logs on dc03:
    error 1863
    This is the replication status for the following directory partition on this directory server.
    Directory partition:
    CN=Configuration,DC=int,DC=domain,DC=com
    This directory server has not received replication information from a number of directory servers within the configured latency interval.
    Latency Interval (Hours):
    24
    Number of directory servers in all sites:
    2
    Number of directory servers in this site:
    2
    The latency interval can be modified with the following registry key.
    Registry Key:
    HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency error interval (hours)
    To identify the directory servers by name, use the dcdiag.exe tool.
    You can also use the support tool repadmin.exe to display the replication latencies of the directory servers. The command is "repadmin /showvector /latency <partition-dn>".
    I have also got several warnings 2088, 2093, 2087.
    And errors 1863 pointing to different directory partitions like schema/configuration/domaindnszones/forestdnszones
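For long dcdiag runs like the one quoted above, it helps to reduce the output to the failed tests and the codes attached to them. The following is an added example, not part of the original post: it parses dcdiag text, lists each failed test, and splits the 32-bit `EventID` values from the systemlog test into severity and the ID shown in Event Viewer. The sample input is a constructed excerpt shaped like the quoted run; the function names are this example's own.

```python
import re

# Constructed sample: a shortened excerpt shaped like the dcdiag run quoted above.
SAMPLE = r"""Testing server: hostingpartner\ourdc01
Starting test: Connectivity
......................... OURDC01 passed test Connectivity
Starting test: Replications
[Replications Check,OURDC01] DsReplicaGetInfoW(PENDING_OPS) failed with error 8453,
Win32 Error 8453.
......................... OURDC01 failed test Replications
Starting test: NetLogons
[OURDC01] User credentials does not have permission to perform this operation.
......................... OURDC01 failed test NetLogons
Starting test: systemlog
An Error Event occured. EventID: 0xC0002719
Time Generated: 04/04/2013 15:04:29
(Event String could not be retrieved)
......................... OURDC01 failed test systemlog
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
"""

START_RE = re.compile(r"^Starting test: (\S+)$")
RESULT_RE = re.compile(r"^\.{5,} (\S+) (passed|failed) test (\S+)$")
EVENT_RE = re.compile(r"EventID: (0x[0-9A-Fa-f]{8})")
WIN32_RE = re.compile(r"\berror (\d+)\b", re.IGNORECASE)
SEVERITY = ("Success", "Informational", "Warning", "Error")


def decode_event_id(raw):
    """Split a 32-bit event identifier: top two bits are the severity,
    the low 16 bits are the ID that Event Viewer displays."""
    value = int(raw, 16)
    return {"severity": SEVERITY[value >> 30], "event_id": value & 0xFFFF}


def parse_dcdiag(text):
    """Return one record per finished test: target, test, passed, detail lines."""
    records, detail, in_test = [], [], False
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if START_RE.match(line):
            detail, in_test = [], True
            continue
        result = RESULT_RE.match(line)
        if result:
            target, verdict, test = result.groups()
            records.append({"target": target, "test": test,
                            "passed": verdict == "passed", "detail": detail})
            detail, in_test = [], False
            continue
        if in_test and line:
            detail.append(line)
    return records


def failed_summary(text):
    """Failed tests only, with the Win32 error codes and decoded event IDs
    found in the lines between 'Starting test' and the verdict."""
    summary = []
    for rec in parse_dcdiag(text):
        if rec["passed"]:
            continue
        blob = "\n".join(rec["detail"])
        decoded = [decode_event_id(e) for e in EVENT_RE.findall(blob)]
        summary.append({
            "target": rec["target"],
            "test": rec["test"],
            "win32_errors": sorted({int(c) for c in WIN32_RE.findall(blob)}),
            "events": sorted({(d["severity"], d["event_id"]) for d in decoded}),
        })
    return summary


if __name__ == "__main__":
    for item in failed_summary(SAMPLE):
        print(item)
```

Win32 error 8453 is ERROR_DS_DRA_ACCESS_DENIED (replication access was denied); together with the NetLogons message in the quoted output, it is consistent with dcdiag having been run from an account without sufficient rights.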

  • Server 2012 Essentials - very slow to add new user

    Eight month old Dell PowerEdge R320 rackmount server, running Windows Server 2012 Essentials. XEON E5-2400 processor, 16 GB RAM, 6 TB of SATA disks (RAID-1). "Shared resources" on this server are not all that extensive since there are only six 'shared folders' on this server ... And for certain I am NOT any sort of 'guru' as it would pertain to Windows Server 2012 Essentials, but it seems to me that the fact it takes over 35 minutes to add a single new user to this server is a bit "unusual", to say the least... As I mentioned, there are only six "shared resource" folders on this server being served from the "DATA" disk that users can access with R/W rights, and all other resources on this server are marked as 'no access' for our twelve (now thirteen) users. Does this not seem to be an inordinately long time to add a single new user..? I have just checked and found a few updates (maybe five) that were 'pending' a reboot (which it is doing now, as I write this), and I will try adding a new user as a 'test' after this reboot, but - am I wrong? Doesn't this seem to be an extremely long time just to add a single new user..?

    Hi,
    Thanks for your post.
    Please wait for the updates to be installed and the reboot to finish, then try to add a user and check the result.
    Adding a new user generally does not need much time.
    Regards.

  • Setting disk quota on Mac server for Active Directory users

    I'm having trouble setting disk quotas for Active Directory users with home folders on our Mac server.
    I've enabled disk quotas on the disk I'm putting home folders on, and I can set disk quotas for local users on the server just fine. But it doesn't seem to work for Active Directory users. I've tried setting disk quotas via Workgroup Manager and via the command line using edquota. But when I use the repquota command there is no quota entry for the AD user. I've run quotacheck and that didn't help either.
    I also understand there's a setquota command but there's no man page on how that works.
    Has anyone got disk quota for AD users working?
    Better still, has someone got a shell or Perl script for setting quotas they could post?
    Thanks
    - Cameron

    sorry.. I am soooooo stupid... I have to activate "File Sharing" as well.. for the user everything was already pre-activated, not for the AD users, I just saw the Time Machine checkbox grayed out ...

  • Report on Active Directory User Attributes in SCCM 2012

    I need to output a list of all users in a collection, along with certain user attributes from Active Directory. I can get part of what I need with the following query:
    SELECT v_FullCollectionMembership.ResourceID,
    v_R_User.Windows_NT_Domain0,
    v_R_User.Distinguished_Name0,
    v_R_User.Full_User_Name0,
    v_R_User.Mail0,
    v_R_User.User_Name0
    FROM v_FullCollectionMembership, v_R_User
    WHERE v_FullCollectionMembership.ResourceID = v_R_User.ResourceID
    AND v_FullCollectionMembership.CollectionID = 'SMS00002'
    If possible I need to add:
    Last logon timestamp
    User account status (enabled or disabled)
    I have added "lastLogon" and "lastLogonTimestamp" as additional attributes under Active Directory User Discovery. This discovery method is enabled and I have run a full discovery about a month ago, and again today. I read in another thread that these attributes should appear in the table v_R_User, however they have not. Is v_R_User the right place to look for this or is there another view or table I can query?
    Once I have the above sorted out, how can I find the user account status in SCCM? I have done reports in the past directly from AD and used the 'useraccountcontrol' attribute and I noticed there is a column named 'User_Account_Control0' in v_R_User, however the values do not match those found in Active Directory.
    Thanks.

    Have you checked the attribute from the Active Directory in decimal format? Check that and compare it to the value ConfigMgr has stored in its 'User_Account_Control0'...
    User Account Control tells you multiple things of the account, for example does the account have "Smart card login required" -option checked from the account properties.
    The tricky part here is to actually get the report show you what you really want, because "useraccountcontrol" -attribute is a numeric value, you have to calculate what decimal combination means what in readable text.
    More info on the attribute can be found from here
    http://support.microsoft.com/kb/305144 and from there you can also find the values for different settings. For example:
    account is enabled = 512
    account is disabled = 514
    account is enabled with smart card = 262656
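The decimal values in the answer above are sums of single-bit flags, so a report should test individual bits instead of comparing against whole numbers such as 512 or 514. The following is an added example, not code from the thread: it decodes a userAccountControl value using the flag values listed in KB305144 and goes beyond the enabled/disabled question by listing enabled accounts that carry settings worth a security review. The sample rows and the choice of review flags are this example's own assumptions.

```python
# Flag values as listed in KB305144 (the article linked in the answer above).
UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
KNOWN_MASK = sum(UAC_FLAGS)  # bits are distinct, so the sum equals the OR

# Assumption of this example: flags an auditor would want to look at on
# enabled accounts. Adjust the set to local policy.
REVIEW_FLAGS = {
    "PASSWD_NOTREQD", "ENCRYPTED_TEXT_PWD_ALLOWED", "DONT_EXPIRE_PASSWORD",
    "TRUSTED_FOR_DELEGATION", "USE_DES_KEY_ONLY", "DONT_REQ_PREAUTH",
}


def decode_uac(value):
    """Return the flag names set in a decimal userAccountControl value,
    in ascending bit order; bits not in the table are reported in hex."""
    value = int(value)
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~KNOWN_MASK
    if unknown:
        names.append("UNKNOWN_0x%X" % unknown)
    return names


def is_enabled(value):
    """An account is disabled when the ACCOUNTDISABLE bit (2) is set."""
    return not int(value) & 0x2


def audit(rows):
    """rows: iterable of (user_name, uac_value); rows with no value are skipped.
    Returns enabled accounts that carry at least one review flag."""
    findings = []
    for user, uac in rows:
        if uac is None or not is_enabled(uac):
            continue
        hits = [f for f in decode_uac(uac) if f in REVIEW_FLAGS]
        if hits:
            findings.append({"user": user, "uac": int(uac), "review": hits})
    return findings


# Constructed sample rows, shaped like (User_Name0, User_Account_Control0).
SAMPLE_ROWS = [
    ("alice", 512),          # enabled
    ("bob", 514),            # disabled
    ("carol", 262656),       # enabled with smart card
    ("svc_backup", 66048),   # enabled, password never expires
    ("legacy_app", 4194816), # enabled, Kerberos pre-authentication not required
    ("old_temp", 66050),     # disabled, password never expires
    ("undiscovered", None),  # attribute not populated
]

if __name__ == "__main__":
    for user, uac in SAMPLE_ROWS:
        print(user, uac, decode_uac(uac) if uac is not None else "n/a")
    for finding in audit(SAMPLE_ROWS):
        print("REVIEW", finding)
```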

  • Boot up of Windows Server 2012 Essentials seems slow (extended Please Wait screen) and there are errors in Health Report

    Dear Sir or Madam,
    I have been experimenting with the evaluation version of WS2012e trying to get the installation and subsequent build into an optimal set up, and once I have everything I want it to do mapped out, I'll set it up with the full version with using the key that
    I bought.
    However, I've noticed that the server seems to experience a delay during cold boot - it sits with a Please Wait screen for about 60-90 seconds before it presents the screen with an option to Log on.  I have also discovered from running Health
    Report, that there are some entries in the event logs which appear to coincide with start up times, and which seem to be interconnected to each other in the issues they are describing, and I have copied an example of one of those health reports below. 
    I assume that everything sorts itself out in due course, because the events say the process will be re-attempted and these errors don't repeat again after the system has booted up.  I also have the server set to suspend when not in use with the Lights
    Out add in, so it shouldn't need to cold boot often - but I wondered if there's a way to correct these errors so that they don't hold up the boot up process?  I'm also concerned that these errors will cause me later problems with storage pools and
    the like at a later date - the disk replication one seems particularly worrying.  Alternatively, are these errors just a normal part of the start up process - the timing of when different processes start relative to each other - and can be safely ignored?
    In trying to understand what the events describe, I thought that WS2012e acted as its own Domain Controller, and yet it seems from the event log entries that it is waiting for another server to respond to AD / DC requests (but there isn't another server
    on my home network).  The other thing I remember from when I first tried out WS2012e, is that it took control of DHCP or DNS from the router, and I found that frustrating when waking up my laptop and it wouldn't connect to the internet until the server
    had fully booted up and re-asserted its network settings.  Is this another symptom of the same problem?  I remember seeing a posting at the SBS Diva's site about how to update the server so that it gave connected PCs a backup option for connecting
    to the internet when the server wasn't available, and was going to try to find that again to see if that helped.
    By way of background - there isn't another server in my home network.  This is an attempt to do a clean install onto the same hardware that I ran the initial trial of WS2012e, now that the trial has expired, so I'm not trying to migrate from an existing
    server.  I moved all the data on the trial server off onto an external disk, with the intention of importing it back once I had the Storage Pools set up the way I wanted on the new build, and since I didn't want to keep anything else about the server
    trial.  Am I correct in thinking that I don't need to go down the Migration route during installation, and can go through a Clean install in this circumstance? 
    I'm running on an Asus P8-H77-i motherboard, with an i5-3470s CPU and 16MB RAM, and I have WS2012e installed on 256Mb SSD formatted under GPT with uEFI boot - the latter being the main reason for the reinstall, instead of just giving the Evaluation
    version the new key on the original MBR set up.  I've also enabled Intel Rapid Storage and Rapid Start - and successfully set aside the hibernate partition on the SSD - but discovered that this is about forcing a hibernate after suspend, allowing
    the system to power down until its needed again, and then resuming from hibernate on the SSD rather than cold boot each time.  That seems to work, but doesn't improve the cold boot times at all, which was what I was hoping for - ideally the way my
    laptop will boot from cold in a few seconds into Windows 8. 
    Yours faithfully,
    Avon
    ======
    Health Report extract.
    Critical Errors in Event Logs in Last 24 Hours
     DFSR
    Event ID: 3221226674
    The DFS Replication service failed to contact domain controller  to access
    configuration information. Replication is stopped. The service will try again
    during the next configuration polling cycle, which will occur in 60 minutes.
    This event can be caused by TCP/IP connectivity, firewall, Active Directory
    Domain Services, or DNS issues.
    Additional Information:
    Error: 160 (One or more arguments are not correct.)
    Last occurrence: 26 May 2014 18:51:28
    Total occurrence(s): 2
     DNS
    Event ID: 2147487661
    The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS
    data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet
    Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.
    Last occurrence: 26 May 2014 18:51:15
    Total occurrence(s): 2
     ADWS
    Event ID: 3221226674
    This computer is now hosting the specified directory instance, but Active Directory Web Services could not service it. Active Directory Web Services will retry this operation periodically.
    Last occurrence: 26 May 2014 18:51:08
    Total occurrence(s): 2
     NTDS General
    Event ID: 2147486534
    The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate,
    Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that
    are performed on a cleartext (non-SSL/TLS-encrypted) connection.  Even if no clients are using such binds,
    configuring the server to reject them will improve the security of this server.
    Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection,
    and will stop working if this configuration change is made.  To assist in identifying these clients, if such binds occur this
    directory server will log a summary event once every 24 hours indicating how many such binds
    occurred.  You are encouraged to configure those clients to not use such binds.  Once no such events are observed
    for an extended period, it is recommended that you configure the server to reject such binds.
    For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.
    You can enable additional logging to log an event each time a client makes such a bind, including
    information on which client made the bind.  To do so, please raise the setting for the "LDAP Interface Events" event logging category
    to level 2 or higher.
    Last occurrence: 26 May 2014 18:51:00
    Total occurrence(s): 2
    =======
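The NTDS General event quoted in the health report above says that raising "LDAP Interface Events" to level 2 makes the server log each unsigned or cleartext bind together with the client that made it. The PowerShell below is an added example, not part of the original posts: it turns that logging on and summarises the per-bind events. It assumes the per-bind event is ID 2889 in the Directory Service log, with fields in the order client address, account, bind type.

```powershell
# Added example. Run in an elevated PowerShell session on the domain controller.
$diagKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$valueName = '16 LDAP Interface Events'

# Remember the current level so it can be restored after the audit window.
$previous = (Get-ItemProperty -Path $diagKey -Name $valueName).$valueName

# Level 2 logs one event per unsigned SASL bind or cleartext simple bind.
Set-ItemProperty -Path $diagKey -Name $valueName -Value 2 -Type DWord

function Get-InsecureLdapBind {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    # Assumption: event 2889 carries client "IP:port", account name, bind type.
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $simple = "$($_.Properties[2].Value)" -eq '1'
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Client   = $_.Properties[0].Value -replace ':\d+$', ''   # drop the source port
                Account  = $_.Properties[1].Value
                BindType = if ($simple) { 'Simple (cleartext)' } else { 'Unsigned SASL' }
            }
        }
}

# One row per client/account/bind-type combination, busiest first.
# These are the clients to reconfigure before the server is set to reject such binds.
Get-InsecureLdapBind |
    Group-Object Client, Account, BindType |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# When the audit window is over, put the logging level back:
# Set-ItemProperty -Path $diagKey -Name $valueName -Value $previous -Type DWord
```

An empty result only means no such bind happened since the level was raised, so leave the logging on long enough to cover clients that connect rarely.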

    Hi KerguelanAvon,
    Based on your description, it seems to be hard to narrow down the cause of this issue. Please refer to the following operations and monitor the result. It may help us to go further, and then solve this issue.
    1. Please refer to the following article and troubleshoot slow boot.
    New Slow Logon, Slow Boot Troubleshooting Content
    2. On your Server 2012 Essentials, please start a BPA scan and fix all that it can find, then monitor the result.
    Regarding those critical errors in the Health Report, please perform Dcdiag on the server. Meanwhile, please refer to the following article and troubleshoot network connectivity, firewall settings and AD DS issues.
    DFSR Event 1202 (DFS Replication)
    Hope this helps.
    Best regards,
    Justin Gu

    Hi Justin,
    I'm reading through the links you referred me to but it's taking a while.  In the meantime I tried running BPA as you suggested.  I'm sure when I ran it before, it didn't say much beyond 81 checks completed, and I couldn't find a way to get any
    more detail.
    Now it says
    Problem:
    The DNS client is not configured to point only to the internal IP address of the server.
    Impact:
    If the DNS client is not configured to point only to the internal IP address of the server, DNS name resolution can fail.
    Resolution:
    To resolve this problem:
    1. From the client computer, open the Properties page for the network connection.
    2. Make sure that DNS is configured to point only to the internal IP address of the server.
    Except that it is.
    Connection-specific DNS Suffix:
    Description: Broadcom 802.11n Network Adapter
    Physical Address: ‎00-1B-B1-28-AE-63
    DHCP Enabled: Yes
    IPv4 Address: 192.168.1.133
    IPv4 Subnet Mask: 255.255.255.0
    Lease Obtained: 03 June 2014 21:56:49
    Lease Expires: 05 June 2014 20:24:20
    IPv4 Default Gateway: 192.168.1.1
    IPv4 DHCP Server: 192.168.1.1
    IPv4 DNS Server: 192.168.1.49
    IPv4 WINS Server:
    NetBIOS over Tcpip Enabled: Yes
    Link-local IPv6 Address: fe80::80ef:48d5:9fde:f10e%14
    IPv6 Default Gateway:
    IPv6 DNS Server:
    I'll try rebooting from the current Windows 7 build over to Windows 8 on my dual boot laptop, to see if that makes any difference, since it is the only other client PC connected to the server at the moment.
    Thanks, Avon.

  • Hide all except one object in Active Directory Users and Computers.

    Hello,
    I have a question. I need to allow one group of "administrators" to create users in one OU and add computers to the domain, nothing else. I allowed them to log on to the DC using the GPO "Allow log on locally", because I don't want to give
    them administrator rights. I allowed them to do these operations on one OU through the delegation wizard, and now I need to make all OUs, groups etc. invisible to them except this OU. What is the best way to achieve this? Thank you...
    d.

    I would disable the ability to allow them to login. I suggest to create a Computers OU that you can delegate to the "admins" to add computers, and don't use the default Computers container.
    I assume the admins are using Windows 7 or newer. You can customize an RSAT installation to just provide the ADAC.
    Description of Remote Server Administration Tools for Windows 7:
    http://support.microsoft.com/default.aspx/kb/958830
    Remote Server Administration Tools for Windows 7:
    http://technet.microsoft.com/en-us/library/ee449475(WS.10).aspx
    Remote Server Administration Tools for Windows 7
    http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en
    Customizing - Installing Remote Server Administration Tools (RSAT) for Windows 7
    http://www.petri.co.il/remote-server-administration-tools-for-windows-7.htm
    Or if you want to chop it down and control it further, create a custom ADUC with just that OU you've delegated. I've done this in the past and it worked fine for my customer:
    Delegate an Organizational Unit (OU) in Active Directory Users and Computers (ADUC), then create a custom MMC or customized RSAT
    http://blogs.msmvps.com/acefekay/2014/09/04/delegate-an-organizational-unit-ou-in-active-directory-users-and-computers-aduc-then-create-a-custom-mmc-or-customized-rsat/
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.
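To check that the OU delegation discussed in this thread grants the group only what was intended, the following added PowerShell (not from the original posts) lists the group's ACEs on the OU and marks any Allow entry that grants more than read access without being limited to a class. The OU distinguished name and group name are hypothetical placeholders; the two GUIDs are the schemaIDGUID values of the user and computer classes.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and read access to the OU's ACL.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$ouDn  = 'OU=Branch,DC=example,DC=local'   # hypothetical delegated OU
$group = 'EXAMPLE\OU-Operators'            # hypothetical delegated group

# schemaIDGUIDs of the classes the delegation is meant to cover.
$classNames = @{
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user'
    'bf967a86-0de6-11d0-a285-00aa003049e2' = 'computer'
    '00000000-0000-0000-0000-000000000000' = '(all classes)'
}

function Resolve-Class([guid]$Id) {
    # ObjectType may also name an attribute or extended right; those stay as raw GUIDs.
    $key = $Id.ToString()
    if ($classNames.ContainsKey($key)) { $classNames[$key] } else { $key }
}

$readOnly = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericRead

(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $group } |
    ForEach-Object {
        # An ACE with no ObjectType and no InheritedObjectType applies to every class.
        $unscoped = $_.ObjectType -eq [guid]::Empty -and $_.InheritedObjectType -eq [guid]::Empty
        # Any bit outside GenericRead means the ACE grants more than read access.
        $writes   = ([int]$_.ActiveDirectoryRights -band (-bnot $readOnly)) -ne 0
        [pscustomobject]@{
            Type       = $_.AccessControlType
            Rights     = $_.ActiveDirectoryRights
            ObjectType = Resolve-Class $_.ObjectType
            AppliesTo  = Resolve-Class $_.InheritedObjectType
            Inherited  = $_.IsInherited
            Review     = ($_.AccessControlType -eq 'Allow' -and $unscoped -and $writes)
        }
    } | Format-Table -AutoSize
```

Rows with Review set to True are the ones to compare against what the delegation wizard was asked to grant; rows with Inherited set to True come from a parent container rather than from the OU itself.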
