Unable to find Active Directory Domain Groups via /_vti_bin/UserGroup.asmx GetRoleCollectionFromGroup

Similar Messages

• Forest trust unable to find Active Directory Domain Controller

  I have two domains with a two-way forest trust. We'll call them ForestA and ForestB. They're on seperate subnets. ForestA's DCs are in one physical location. ForestB's DCs are in two locations, one of which is shared with A.
  I'm unable to route traffic directly from the remote DC in ForestB to the subnet ForestA is on, so I created a new DC in ForestA that sits on the subnet ForestB uses (basically, I can't route between subnets via the wireless bridge between locations, but
  can within the same location).
  I found this: http://www.neomagick.net/zen/2008/11/30/using-dns-to-force-a-domain-trust-through-a-specific-domain-controller-dc/
  I followed the instructions to set the new DC in forest A to be the only one the remote DC in forest B was aware of.
  Nslookup ForestA.com resolves correctly to this DC, but I'm unable to validate the trust relationship, getting the error:
  "Windows cannot find an Active Directory Domain Controller for the ForestA.com domain. Verify that an AD DC is available and then try again."
  I'd appreciate any help.

  In the event viewer, have you found any event id's that corrospond with this error? Have you ensured all ports required are open? Windows firewall is correctly setup? NIC is properly configured?
  Statement below taken from: http://technet.microsoft.com/en-us/library/cc961803.aspx
  If you receive the following error, ERROR_NO_LOGON_SERVERS while using the Nltest tool to query the secure channel, this is usually indicative of the inability to find a domain controller for that domain. Run nltest /dsgetdc: < DomainName > : to verify
  whether you can locate a domain controller. If you are unable to find a domain controller examine DNS registrations and network connectivity.
  ADDS Ports:
  http://msdn.microsoft.com/en-us/library/dd772723(v=ws.10).aspx

• How to find the SQL Server Instances running across the given activer directory domain?

  How to find the SQL Server Instances running across the given activer directory domain?
  I have though of OSQL -L , Microsoft Assessment and Planning ( MAP ) tool and SQLPing3 (SQLSecurity) might help me.
  I would appreciate if there any other way of finding the SQL Servers / Instances running across the given active directory domain.
  Sivaprasad S
  http://sivasql.blogspot.com
  Please click the Mark as Answer button if a post solves your problem!

  Dear ,
  Very simple u find all instances through the customized sp which is get all details about inventory. Like i put the sp bellow. This is without any tool. 
  USE [master]
  GO
  /****** Object:  StoredProcedure [dbo].[DBStatus]    Script Date: 08-01-2015 19:46:11 By Damodar Patle Sr. DBA Mumbai India ******/
  SET ANSI_NULLS ON
  GO
  SET QUOTED_IDENTIFIER ON
  GO
  ALTER PROCEDURE [dbo].[DBStatus] 
  AS
  SELECT 
  SERVERPROPERTY('servername') AS ServerName,
  ConnectionProperty('local_net_address') AS 'local_net_address',
  ConnectionProperty('local_tcp_port') AS 'local_tcp_port',
  CONVERT(VARCHAR(25), @@VERSION) as  VERSIONSQL,
  SERVERPROPERTY('ErrorLogFileName') AS ErrorLogFilePath,
  database_id,
  CONVERT(VARCHAR(25), DB.name) AS DBName,
  CONVERT(VARCHAR(10), DATABASEPROPERTYEX(name, 'status')) AS [Status],
  CONVERT(VARCHAR(10), DATABASEPROPERTYEX(name, 'Recovery')) AS [Recovery_Model],
  create_date as DBCreate_Date, --physical_device_name,
   (SELECT COUNT(1) FROM sys.master_files WHERE DB_NAME(database_id) = DB.name AND type_desc = 'rows') AS DataFiles,
   (SELECT SUM((size*8)/1024) FROM sys.master_files WHERE DB_NAME(database_id) = DB.name AND type_desc = 'rows') AS [Data MB],
   (SELECT COUNT(1) FROM sys.master_files WHERE DB_NAME(database_id) = DB.name AND type_desc = 'log') AS LogFiles,
   (SELECT SUM((size*8)/1024) FROM sys.master_files WHERE DB_NAME(database_id) = DB.name AND type_desc = 'log') AS [Log MB],
   (SELECT physical_name FROM sys.master_files WHERE DB_NAME(database_id) = DB.name AND type_desc = 'rows') AS MDF_File_Location,
   (SELECT physical_name FROM sys.master_files WHERE DB_NAME(database_id) = DB.name AND type_desc = 'log') AS  LDF_File_Location,
     user_access_desc
     FROM sys.databases DB
     ORDER BY dbName, [Log MB] DESC, NAME

• Cannot Print. "The Active Directory Domain Services is currently unavailable"

  Hi there
  I cannot print and I have not been able to find the fix via existing forum threads.
  System: 
  Win 7 Ultimate 64 bit German - Profile language is Danish (installed a week ago and completely windows updated)
  Office 365 Small Business Premium
  HP DV8 Laptop. i7, 512GB SSD, 8GB RAM
  HP LaserJet P1006 USB printer.
  Problem
  No matter if I try to print from IE, Notebook, Word 2013 or anything else, I cannot chose my printer (P1006).
  If I try to Add Printer in Word 2013, I get the "The Active Directory Domain Services is currently unavailable" error. 
  In Devices and Printers, the P1006 is visible, but there is no driver installed.
  Trying to install the correct driver: 
  http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareIndex.jsp?lang=en&cc=us&prodNameId=3435683&prodTypeId=18972&prodSeriesId=3435682&swLang=8&taskId=135&swEnvOID=4063
  only creates a general error during installation: "Printer  Software Installer has stopped working - A problem has caused the program to stop working correctly. Windows closes the program and will notify you if a solution has been found"
  I have tried all the solution software from Windows, from HP (for the laptop and for the printer) - but nothing comes up with any details or suggestions. 
  What should I try?
  Absolutely everything else works perfectly on the system. 
  Reffered here via http://answers.microsoft.com/en-us/windows/forum/windows_7-hardware/cannot-print-the-active-directory-domain-services/1cf47626-a2cd-4b7a-94b6-10cbc8ab02b0

  Hi,
  I suggest you try the following:
  1. Try the steps in the following article:
  Troubleshoot printer problems
  http://windows.microsoft.com/en-US/windows-vista/Troubleshoot-printer-problems
  Fix printing problems by resetting the print spooler
  http://support.microsoft.com/kb/2000007
  2. Let us try updating the printer driver which might help you in resolving the issue.
  Click on the link below for more information on updating the printer drivers.
  Find and install printer drivers
  http://windows.microsoft.com/en-US/windows-vista/Find-and-install-printer-drivers
  3. Remove the printer and add it again:
    Go to Control Panel
    Select Printers
    Right-click on Add Printer
    Select Run as Administrator
  Now try to add your network printer
  Also a thread for your reference:
  Error message when attempting to print: Active Directory Domain Service is Currently Unavailable 
  http://social.technet.microsoft.com/Forums/en-US/winserverprint/thread/d6212275-24d6-4168-830a-9441f861cb76
  Hope this helps.
  Vincent Wang
  TechNet Community Support

• Active Directory Domain Services crash after Administrator renames object in Active Directory Users and Computers

  Hello.
  We have two domain controllers - node1 (Windows 2008 R2) and node2 (Windows 2012 R2). When administrator connects to node2 and tries to rename some object in AD (for example, user) AD Domain Services crashes and reboot server after 60 seconds.
  In Events I can see these messages:
  Log Name:      Directory Service
  Source:        Microsoft-Windows-ActiveDirectory_DomainService
  Date:          04.03.2014 12:37:58
  Event ID:      1173
  Task Category: Internal Processing
  Level:         Warning
  Keywords:      Classic
  User:          domain\admin
  Computer:      NODE2.domain.example
  Description:
  Internal event: Active Directory Domain Services has encountered the following exception and associated parameters.
  Exception:
  c0000005
  Parameter:
  0
  Additional Data
  Error value:
  7ffc7c38e45d
  Internal ID:
  0
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
      <EventID Qualifiers="32768">1173</EventID>
      <Version>0</Version>
      <Level>3</Level>
      <Task>9</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8080000000000000</Keywords>
      <TimeCreated SystemTime="2014-03-04T06:37:58.116264800Z" />
      <EventRecordID>881</EventRecordID>
      <Correlation />
      <Execution ProcessID="572" ThreadID="2580" />
      <Channel>Directory Service</Channel>
      <Computer>NODE2.domain.example</Computer>
      <Security UserID="S-1-5-21-3794920928-4165619442-305938157-2047" />
    </System>
    <EventData>
      <Data>c0000005</Data>
      <Data>7ffc7c38e45d</Data>
      <Data>0</Data>
      <Data>0</Data>
    </EventData>
  </Event>
  Log Name:      Application
  Source:        Microsoft-Windows-Wininit
  Date:          04.03.2014 12:37:58
  Event ID:      1015
  Task Category: None
  Level:         Error
  Keywords:      Classic
  User:          N/A
  Computer:      NODE2.domain.example
  Description:
  A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000005.  The machine must now be restarted.
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" />
      <EventID Qualifiers="49152">1015</EventID>
      <Version>0</Version>
      <Level>2</Level>
      <Task>0</Task>
      <Opcode>0</Opcode>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2014-03-04T06:37:58.000000000Z" />
      <EventRecordID>189578</EventRecordID>
      <Correlation />
      <Execution ProcessID="0" ThreadID="0" />
      <Channel>Application</Channel>
      <Computer>NODE2.domain.example</Computer>
      <Security />
    </System>
    <EventData>
      <Data>C:\Windows\system32\lsass.exe</Data>
      <Data>c0000005</Data>
    </EventData>
  </Event>
  Log Name:      Application
  Source:        Application Error
  Date:          04.03.2014 12:37:58
  Event ID:      1000
  Task Category: (100)
  Level:         Error
  Keywords:      Classic
  User:          N/A
  Computer:      NODE2.domain.example
  Description:
  Faulting application name: lsass.exe, version: 6.3.9600.16384, time stamp: 0x5215e25f
  Faulting module name: ntdsai.dll, version: 6.3.9600.16421, time stamp: 0x524fcaed
  Exception code: 0xc0000005
  Fault offset: 0x000000000019e45d
  Faulting process id: 0x23c
  Faulting application start time: 0x01cf3773fe973e1b
  Faulting application path: C:\Windows\system32\lsass.exe
  Faulting module path: C:\Windows\system32\ntdsai.dll
  Report Id: 85cfbe32-a367-11e3-80cc-00155d006724
  Faulting package full name:
  Faulting package-relative application ID:
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Application Error" />
      <EventID Qualifiers="0">1000</EventID>
      <Level>2</Level>
      <Task>100</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2014-03-04T06:37:58.000000000Z" />
      <EventRecordID>189576</EventRecordID>
      <Channel>Application</Channel>
      <Computer>NODE2.domain.example</Computer>
      <Security />
    </System>
    <EventData>
      <Data>lsass.exe</Data>
      <Data>6.3.9600.16384</Data>
      <Data>5215e25f</Data>
      <Data>ntdsai.dll</Data>
      <Data>6.3.9600.16421</Data>
      <Data>524fcaed</Data>
      <Data>c0000005</Data>
      <Data>000000000019e45d</Data>
      <Data>23c</Data>
      <Data>01cf3773fe973e1b</Data>
      <Data>C:\Windows\system32\lsass.exe</Data>
      <Data>C:\Windows\system32\ntdsai.dll</Data>
      <Data>85cfbe32-a367-11e3-80cc-00155d006724</Data>
      <Data>
      </Data>
      <Data>
      </Data>
    </EventData>
  </Event>
  In node2 we installed all available updates and hotfixes.

   Hi Azamat Hackimov,
  Regarding to error messages, it seems that the
  ntdsai.dll file caused the issue. Based on current situation, please use
  sfc /scannow command to scan protected system files and check if find error and repair. Meanwhile, you can also navigate to the location of this DLL file and confirm details.
  In addition, Windows Server 2012 R2 has reboot unexpectedly. Please check if you get some dump file and then analysis it. It may help us to find the root reason. Please refer
  to the following KB.
  How to read the small dump memory dump file that is created by Windows if a crash occurs.
  http://support.microsoft.com/kb/315263/en-us
  By the way, it is not effective for us to debug the crash dump file here in the forum. If this issues is a state of emergency for you. Please contact Microsoft Customer Service
  and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request.
  To obtain the phone numbers for specific technology request, please refer to the web site listed below:
  http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607
  Hope this helps.
  Best regards,
  Justin Gu

• AFP only works for Active Directory "Domain Admins"

  I have purchased a new XServe to add to our Active Directory domain as a member server. It all seems to work right except that only users in AD who are members of the "Domain Admins" group seem to function properly under AFP.
  The Mac Clients can connect to our Windows boxes just fine and AD login's seem to work for loggin in any clients. I've created a shared volume on the XServe and when I try to access it via AFP with any user account that doesn't have Administrator rights I get "Invalid Login or Password" on the Mac Client.
  Anyone got any ideas, this is driving me crazy.

  Post to the appropriate server forum or AD forum where people dealing with these products hang out.

• Help with setting up active directory domain controller/DNS - need this for Clustering

  Disclaimer: I am new to Active Directory, so please dont rule out the obvious things I may have overlooked.
  I need to set up Active Directory Domain controller on at least one server so I can run clustering. I set up the domain controller and ran Cluster validation and that failed - unable to reach writable domain controller.
  When I look at my server manager AD DS complain about DNS:
  NASE-2012-234    4015    Error    Microsoft-Windows-DNS-Server-Service    DNS Server    1/14/2014 12:54:06 AM
  The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.
  When I click on DNS this is the error:
  The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.
  Output of DCDiag -v is below.
  PS C:\Users\Administrator> dcdiag -v
  Directory Server Diagnosis
  Performing initial setup:
     Trying to find home server...
     * Verifying that the local machine NASE-2012-234, is a Directory Server.
     Home Server = NASE-2012-234
     * Connecting to directory service on server NASE-2012-234.
     * Identified AD Forest.
     Collecting AD specific global data
     * Collecting site info.
     Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=lab,DC=nase,DC=com,LDAP_SCOPE_SUBTREE,(objectCategory=
  ntDSSiteSettings),.......
     The previous call succeeded
     Iterating through the sites
     Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lab,DC=nas
  e,DC=com
     Getting ISTG and options for the site
     * Identifying all servers.
     Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=lab,DC=nase,DC=com,LDAP_SCOPE_SUBTREE,(objectClass=ntD
  SDsa),.......
     The previous call succeeded....
     The previous call succeeded
     Iterating through the list of servers
     Getting information for the server CN=NTDS Settings,CN=NASE-2012-234,CN=Servers,CN=Default-First-Site-Name,CN=Sites,C
  N=Configuration,DC=lab,DC=nase,DC=com
     objectGuid obtained
     InvocationID obtained
     dnsHostname obtained
     site info obtained
     All the info for the server collected
     * Identifying all NC cross-refs.
     * Found 1 DC(s). Testing 1 of them.
     Done gathering initial info.
  Doing initial required tests
     Testing server: Default-First-Site-Name\NASE-2012-234
        Starting test: Connectivity
           * Active Directory LDAP Services Check
           The host c0c507c4-fb9b-49a6-9a01-ef79d7960c94._msdcs.lab.nasecom could not be resolved to an IP address.
           Check the DNS server, DHCP, server name, etc.
           Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
           ......................... NASE-2012-234 failed test Connectivity
  Doing primary tests
     Testing server: Default-First-Site-Name\NASE-2012-234
        Skipping all tests, because server NASE-2012-234 is not responding to directory service requests.
        Test omitted by user request: Advertising
        Test omitted by user request: CheckSecurityError
        Test omitted by user request: CutoffServers
        Test omitted by user request: FrsEvent
        Test omitted by user request: DFSREvent
        Test omitted by user request: SysVolCheck
        Test omitted by user request: KccEvent
        Test omitted by user request: KnowsOfRoleHolders
        Test omitted by user request: MachineAccount
        Test omitted by user request: NCSecDesc
        Test omitted by user request: NetLogons
        Test omitted by user request: ObjectsReplicated
        Test omitted by user request: OutboundSecureChannels
        Test omitted by user request: Replications
        Test omitted by user request: RidManager
        Test omitted by user request: Services
        Test omitted by user request: SystemLog
        Test omitted by user request: Topology
        Test omitted by user request: VerifyEnterpriseReferences
        Test omitted by user request: VerifyReferences
        Test omitted by user request: VerifyReplicas
        Test omitted by user request: DNS
        Test omitted by user request: DNS
     Running partition tests on : ForestDnsZones
        Starting test: CheckSDRefDom
           ......................... ForestDnsZones passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... ForestDnsZones passed test CrossRefValidation
     Running partition tests on : DomainDnsZones
        Starting test: CheckSDRefDom
           ......................... DomainDnsZones passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... DomainDnsZones passed test CrossRefValidation
     Running partition tests on : Schema
        Starting test: CheckSDRefDom
           ......................... Schema passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... Schema passed test CrossRefValidation
     Running partition tests on : Configuration
        Starting test: CheckSDRefDom
           ......................... Configuration passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... Configuration passed test CrossRefValidation
     Running partition tests on : lab
        Starting test: CheckSDRefDom
           ......................... lab passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... lab passed test CrossRefValidation
     Running enterprise tests on : lab.nasecom
        Test omitted by user request: DNS
        Test omitted by user request: DNS
        Starting test: LocatorCheck
           GC Name: \\NASE-2012-234.lab.nasecom
           Locator Flags: 0xe000f3fd
           PDC Name: \\NASE-2012-234.lab.nasecom
           Locator Flags: 0xe000f3fd
           Time Server Name: \\NASE-2012-234.lab.nasecom
           Locator Flags: 0xe000f3fd
           Preferred Time Server Name: \\NASE-2012-234.lab.nasecom
           Locator Flags: 0xe000f3fd
           KDC Name: \\NASE-2012-234.lab.nasecom
           Locator Flags: 0xe000f3fd
           ......................... lab.nase.com passed test LocatorCheck
        Starting test: Intersite
           Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments
           provided.
           ......................... lab.nasecom passed test Intersite
  PS C:\Users\Administrator>

  http://social.technet.microsoft.com/Forums/en-US/home?forum=winserverDS is the forum for Directory Services questions.  You might want to post your question there.
  .:|:.:|:. tim

• Migrating to new Active Directory Domain

  Hey people,
  I have a OSX Server here at a school which I need to move from an old Active Directory domain to a new one. We are having a restructure of our IT System and 90% of our equipment is PC but have a few macs on site for the specific tasks that we need them to do.
  The OSX server was set-up 2yrs ago by some consultant which charged an arm and leg, so its up to me this time round to configure it. It is not a vital part of the IT system so a rebuild is possible, but the quicker it can moved across the better.
  So my question is. Is it easier to "modify" the settings on the OSX Server to the new domain? i.e. change field names in Server Admin. or rebuild the server from scratch?
  Our configuration is Apple clients authenticate to AD, but grab all their settings and OSX group membership from the OSX server. I have here a guide called "Leveraging Active Directory on OSX" would this be useful if I need to rebuild the server? I am fairly confident that I wont run into too many problems, but things like kerberos settings, etc may confuse me. Any help would be excellent!

  Hi,
  perform homogeneous system copy if you migrate from one server to other.
  find document at service.sap.com/systemcopy
  if you just add you local system to domain then look following
  Domain name change for an existing SAP System
  regards,
  kaushal

• Active Directory Domain Service Unavailable

  I've just bought this printer and gone through the installation.. all seemed well.
  Network set up also went well and wireless network test results show 'No Problems Found'.
  When I click on print icon in Word, Excel etc etc I get the usual print dialogue box.  If I just click on PRINT all seems fine, BUT clicking on Properties gets - 'The Active Directory Domain Service is Currently Unavailable'.  Click on PROPERTIES and the program 'locks'.  If I try to close it I'm told there is a dialogue box open (which there isn't).  I have to force a shut down via task manager.
  I've tried closing Firewall - no effect.
  I've tried USB connection - same problem.
  I've run Windows troubleshooter - nothing detected.
  Any help please?
  N

  Hello Nath1310,
  Welcome to the HP Forums.
  I see that you having some issues with the computer freezing up after attempting to access the printing menu.
  Try running the HP Print and Scan Doctor to see if any software or driver issues are causing the freezing.  Let me know if you see any error codes or messages.
  Write me back when you have time.
  Cheers,  
  Click the “Kudos Thumbs Up" at the bottom of this post to say “Thanks” for helping!
  Please click “Accept as Solution ” if you feel my post solved your issue, it will help others find the solution.
  W a t e r b o y 71
  I work on behalf of HP

• Laptop (Running Windows 8.1) no longer able to print and now see message Active Directory Domain Services is not available

  Have a very recent Lenovo Ideapad Laptop running Windows 8.1. Connected via USB port to HP LaserJet Pro CM1415 frw Color MFP Printer. Was able to print fine nearly 2 weeks ago, but something recently happened - either a new windows or office 2013 update
  or perhaps I blew away a certain file by mistake. I can see the printer installed but cannot print to it from anything (Word, Notepad, IE, Firefox etc.). The one thing to note is that usually when I plug or unplug a USB related device, Windows 8.1 recognizes
  this and makes a certain chime noise, but with the printer USB cable it never makes that noise - making me think that it never fully recognizes the printer. Also when I select the printer (from within the control panel) and right click for properties (via
  admin rights) It never lets me fully connect to it.
  I have tried all the usual remedies - remove, install all drivers, reinstall printer, Windows update, start/stop print spooler and all other printer related services,  etc. Its really annoying because this printer was working fine nearly 2
  weeks ago. Looking for any advice now. Thanks.
  -Chris

  Hi Chris,
  à
  I have tried all the usual remedies - remove, install all drivers, reinstall printer, Windows update, start/stop print spooler and all other printer related services, etc.
  I noticed that you had reinstalled the printer. Just a confirmation, when un-install this printer, please check
  if this printer still exist in registry. For more details, please refer to following KB.
  Registry entries for printing
  If printer entry still exist in registry, please delete that printer entry and re-install this printer again,
  then check if this issue still exists. (Please backup registry entries before operating registry. It will help us to avoid unexpected issue.)
  àand now see
  message Active Directory Domain Services is not available
  By the way, would you please let me know where/when get this
  Active Directory Domain Services is not available error message? Or provide a screenshot of it?
  (Please hide all protected or private information) Please check if all services are running correctly on the computer. Meanwhile, please refer to following article and check if can help you.
  Printer
  Problem: Active Directory Domain Services is currently unavailable – Why does windows say no printers are installed?
  Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft
  does not guarantee the accuracy of this information.
  If any update, please feel free to let me know.
  Hope this helps.
  Best regards,
  Justin Gu

• Windows 2012 R2 Active Directory Domain Services and Remote Desktop services Role on the same server.

  Findings: 
  Currently, Windows 2012 R2   AD DS role and RDS With Broker services can only seem to coexist properly in a new domain not an existing domain. Any attempt to add to an existing domain causes internal database user access denied issues and any attempt to
  adjust rights and circumvent is dubious at best.
  The escalation technician said it best. Out of 50 clients that want to do this, they end up not being able to help 5 right off the bat for whatever reason. As for the other 40 they might be able to help by running reports, adjusting rights and trying to add
  the roles until it works.  This can end up being a 20 day process. Basically they are playing whack-a-mole with user rights and permissions until something sticks.
  We tried creating an OU where any other domain policies would not be inherited to see if that was the issue, a fresh install with different sequence of adding the Roles, no effect.
  Given the errors I witnessed when running procmon and then trying to add the roles, the NT System and the Windows Internal database user had access denied issues on 100+ registry keys when trying to add the roles. After that the system is not behaving normally.
  The errors displayed almost mirror the errors that would occur on Windows 2012 when those two roles would be added which of course is officially NOT supported on that system.
  This blog needs serious revision:
  http://blogs.msdn.com/b/rds/archive/2013/07/09/what-s-new-in-remote-desktop-services-for-windows-server-2012-r2.aspx
  This is the excerpt from that blog: Single server RDS deployment including Active Directory. We now support running our RD Connection Broker role service on the same physical instance as an Active Directory Domain Controller.  In addition, we published
  guidelines for how RD Session Host could be used without the RD Connection Broker.
  Microsoft Support was curteous and helpful and they were the ones who advised cutting our losses, which mirrored my hunch after seeing what was transpiring in the system.  They refunded my money for the support call. 
  For me, it was an opportunity to find out if there was any way to configure Windows 2012 R2 in the Same manner that it was setup as Windows 2008 R2 and lay that to rest. The coexistence is poorly implemented. It is as if there was a reaction from all the deprecation
  of bread and butter features such as shadowing in TS and the coexistence of AD DS and RDS to where those features were re-added haphazardly. (I have no complaints on shadowing on Windows 2012 R2 it works, just do not like having to go to server manager to
  use it).
  I opted for virtualizing the Domain controller to eliminate the incompatibility issues and that is what I will be doing from now on. I found free solutions for backing up and reporting for virtual machines as well as the suggested procedures for configruing
  a Domain controller as a virtual machine on a Hyper-V environment and I will be sticking to those. Thus far the setup has been operational.
  I am not allergic to virtualization, but for really small setups it adds additional time and considerations but if that is how it has to be done, so be it. Windows 2008 R2 days are numbered and since we can usually squeeze 5-7 years on quality server equipment,
  buying a Windows 2008 R2 setup now is a borderline disservice in my opinion.
  Hopefully someone finds this useful and saves some time.

  Hi,
  Thank you for posting in Windows Server Forum.
  Do you need any other assistance?
  Based on your description, you are describing your story of successfully implementing RDS server with AD role and more regarding all RDS related scenario. For shadowing feature, you can use with command also. Below is the syntax to shadow a session.
  mstsc /v:<ServerName> /shadow:<SessionID>
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  TechNet Community Support

• Lion Server 10.7.4 VPN service not using my Active Directory domain for authentication

  I have Lion Server 10.7.4 setup on a Mac Mini and I have enabled the VPN service for both L2TP and PPTP. The Mac Mini is joined to my Windows Domain at a functional level of Server 2008 R2. I have set the authentication paths to point to my domain in Directory Utility.
  What I would like to have happen is for my laptop to be able to VPN into my office network remotely using domain credentials and not local account credentials on the Mac Mini itself. This is a process I have done numerous times on Windows boxes, but for some reason the only way I can get the VPN to work on this instance of Lion Server 10.7.4 is by authenticating using local accounts only.
  Does Lion Server 10.7.4 only authenticate VPN users based on it's local account schema? Or can it truly authenticate against an active directory domain?
  Any suggestions or help is greatly appreciated. Thanks,

  Hi g-pirtle,
  Yes, I had already done that a few days ago. I was able to add the desired AD group to the allowed users/groups for the VPN service. Thats exactly what is so weird about this...it allows me to search for and add an AD user or group to the list of allowed users/groups, but then when I actually try to use a domain account to authenticate to the VPN is just gives me the "cannot authenticate" error. Very strange.
  I wondered if for some reason Apple is only allowing local accounts to be authenticated against. Sounds crazy, but I cannot for the life of me get this to work. I also wondered if Kerberizing the server would help, but when I go to join a Kerberos realm in Open Directory inside of Server Admin, it just has no realm listed in the drop down menu.
  Other than that, all other aspects of the Mac Mini being joined to the AD domain seems to be good. I'm really stumped here...
  Thanks again,

• Install Active Directory Domain Controller on Windows server 2008 enterprise, dont login on Sql Server 2008 R2

  I install Active Directory Domain Controller on Windows server 2008 enterprise and dont login on Sql Server 2008 R2. Before install ADDC, I have logon SQL Server 2008r2 Success, After when i install ADDC is don't logon on SQL Server 2008r2 -->not success.
  I have uninstalled ADDC but i still can't login on SQL server 2008r2.
  please help me. it  is very very disaster!
  I think is loss account SQL server 2008r2!

  Hello,
  I stronly recommend you post the detail error message to us while you try to connect to SQL Server instance, it's useful for us to do further investigation.
  Microsoft recommends that you do not install SQL Server 2008 R2 on a domain controller, there are some limitations:
  You cannot run SQL Server services on a domain controller under a local service account or a network service account.
  After SQL Server is installed on a computer, you cannot change the computer from a domain member to a domain controller. You must uninstall SQL Server before you change the host computer to a domain controller.
  After SQL Server is installed on a computer, you cannot change the computer from a domain controller to a domain member. You must uninstall SQL Server before you change the host computer to a domain member.
  SQL Server failover cluster instances are not supported where cluster nodes are domain controllers.
  SQL Server Setup cannot create security groups or provision SQL Server service accounts on a read-only domain controller. In this scenario, Setup will fail.
  On Windows Server 2003, SQL Server services can run under a domain account or a local system account.
  So, I would suggest you try to open up Windows Services list and changed the account for SQL Server service.
  Regards,
  Elvis Long
  TechNet Community Support

• Active Directory Domain Name Convention

  Hi All
  I'm creating a brand new domain for a new company I have just started at. We currently use Office 365 so sharepoint and Exchange are both in the cloud and our website is also outsourced.
  I am now rolling out our first DC on Windows 2012 Server and I'm find conflicting reports on what naming convention I should use for AD with use with hosted exchange.
  Most seem to point at using a subdomain of our main site, like corp.mydomain.com whereas I come from a background using Server 2003 where its always been mydomain.local
  Can anyone advise me on this one and are there any additional thoughts around implementing with an existing Office 365 setup?

  It seems that mydomain.local is recommended less often (if not discouraged) because certificates from a third-party CA will no longer accept internal domain names, like mydomain.local, in the near future.
  Some links on this subject:
  http://social.technet.microsoft.com/Forums/exchange/en-US/a460ee18-e674-4c14-b4e8-33afd9ddb2a0/change-local-to-com-to-resolve-ssl-certificate-mismatch?forum=exchange2010
  http://www.digicert.com/internal-names.htm
  http://exchangeserverpro.com/ssl-requirements-for-exchange-when-certificate-authorities-wont-issue-certificate/
  In any case Office 365 will not interact with internal names. If you use such a name currently, you'd have to configure a UPN suffix allowing users to connect with the external name. This link might
  explain it better:
  http://www.messageops.com/documentation/office-365-documentation/active-directory-federation-services-design-planning-for-office-365
  In particular:
  "It is common for organizations to use one domain name internally and a different domain name externally. A best practice was to have your internal Active Directory domain name have a .local or a .corp suffix.  With Office 365, the UPN suffix must match
  your external domain name which you have registered and verified within Office 365.  In these types of situations it is necessary to add a UPN (User Principle Name) suffix to the Active Directory."
  Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

• Active Directory domain migration with Exchange 2010, System Center 2012 R2 and File Servers

  Greeting dear colleagues!
  I got a task to migrate existing Active Directory domain to a new froest and a brand new domain.
  I have a single domain with Forest/Domain level 2003 and two DC (2008 R2 and 2012 R2). My domain contains Exchange 2010 Organization, some System Center components (SCCM, SCOM, SCSM) and File Servers with mapped "My Documents" user folders. Domain
  has about 1500 users/computers.
  How do u think, is it realy possible to migrate such a domain to a new one with minimum downtime and user interruption? Maybe someone has already done something like that before? Please, write that here, i promise that i won't ask for instruction from you,
  maybe only some small questions :)
  Now I'm studying ADMT manual for sure.
  Thanks in advance, 
  Dmitriy Titov
  С уважением, Дмитрий Титов

  Hi Dmitriy,
  I got a task to migrate existing Active Directory domain to a new froest and a brand new domain.
  How do u think, is it realy possible to migrate such a domain to a new one with minimum downtime and user interruption?
  As far as I know, during inter-forest migration, user and group objects are cloned rather than migrated, which means they can still access resources in the source forest, they can even access resources after the migration is completed. You can ask users
  to switch domain as soon as the new domain is ready.
  Therefore, there shouldn’t be a huge downtime/interruption.
  More information for you:
  ADMT Guide: Migrating and Restructuring Active Directory Domains
  https://technet.microsoft.com/en-us/library/cc974332(v=ws.10).aspx
  Best Regards,
  Amy
  Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
  [email protected]