Which Server Version for Domain Controller do I Need

Similar Messages

• Adding a Server 2008 R2 Domain Controller at a remote site

  Hello. I have been trying to set up a hot site at a remote location.  The story is long and involved but a few weeks ago it seemed to be finally working.  Our setup is two mirrored 2008 R2 servers at main site, mirrored with Double Take. 
  The hot site is the same except that so far I only had one server working.  The two sites connected via site to site VPN.
  About a week later our primary server basically crashed.  At first it worked but very slowly.  I was on vacation at the time and so I am not sure of the sequence of events, or exactly what errors were presented, but my associate first tried rebooting. 
  It took over 20 minutes to boot and then it said something to the effect that no domain controllers were available (not sure about this message).  He then discovered that the server at the remote site had some fsmo roles assigned to it.  He transferred
  the roles to the primary at the main site and then demoted the remote server to a workstation (but still a domain member).
  After that, rebooting the primary was much faster and everything at the primary site is working again. Now I want to set the remote site up again, but avoid the problem.  The way I originally set up the remote server was to use an IFM file, generated
  from our primary.  This should have made the remote server a catalog server, with DNS (which it did), but as far as I know should not have transferred any fsmo roles.
  The remote server(s) are wanted to be in the same domain as the primary.  They will also be mirrored from the primary (with Double Take).  If we had total failure at the main site, we wish to be able to immediately begin operations at the hot site
  (after a fail over).  I freely admit that I am swimming out of my depth here.  I am not sure that I have selected the correct architecture or used the correct options in setting up the remote servers.  I am looking for information about what
  went wrong, and whether some other setup is more desirable.
  Thanks for any help, Russ
  Russ

  Philippe, thank you for you answers.  I do not understand everything you said but I will address each point as best I can:
  1. "In the remote site do you simply do a dcpromo / add the ADDS's role to make the server a active Domain Controller ?"  Yes, but I use the method described at
  http://technet.microsoft.com/en-us/library/cc753720(v=ws.10).aspx, The GUI method.  At step #8 I specified to use advanced mode so I could use the IFM file.
  2. "In your AD' Site and Service MMC, do you configured the remote site ?"  R do not know what you mean by this. How does one configure the site as 'remote'?
  3. "Do you added that remote server as a Global catalogue ?".  Yes, when I built the IFM file I specified to add the global catalog.
  4. "Do you added the PC in site 1, the IP of those DNS server in them ? (last of course) So the computer in the main site will talk to the remote server in case of a crash."  I am not sure I understand this item.  After the remote server
  was added, all of the members of both domain servers automatically appeared in the DNS of all servers in the domain.  I do not recall if the new items were last, but I expect that they would be.
  I have since reviewed the happenings with my associate and have a little more information.  The order of the problems and the actions taken are:
  1. Our primary (production) system was still working but extremely slow, and he observed that the slowness was caused by a lot of traffic with the remote site.  Rebooting the production server took over 25 minutes and the server to came up saying
  that domain information was not available.  After another 30 minutes or so he discovered that the domain data was now available and the server worked, but still slow.
  2. He did not check to verify that roles were held by the remote server, but he transferred all roles from the remote to the production server using ntdsutil.  I would expect that if the role was not held by the remote, the transfer command would have
  shown that fact.
  3. He then tried to demote the remote server but had an error that it could not be demoted because "the active directory service is missing mandatory configuration information".
  4. He forcefully demoted the remote server.
  5. After rebooting the production server again performance was slightly better but still slow (and the rebood was still very slow).
  6. After some research he removed the remote domain controller's meta data from the production server and then rebooted the production server again.
  At that point reboot was fast (under 5 minutes) and the production system was working at normal speed again.
  All of the above leads me to believe that somehow the FSMO roles got added to, or moved to the remote site when I used the IFM file to create the new domain controller.  However nothing I have read says that this should happen.  I hope someone
  here can give me a better answer as to what caused the problem, as I do not wish to interrupt our production system like this again.
  Thank you, Russ
  PS: Sorry for the delay in getting back to this but some other priorities took me away from it for a week.
  Russ

• Windows 2012 Verification of prerequisites for Domain Controller promotion failed

  Windows 2012 Verification of prerequisites for Domain Controller promotion failed and gave the below error(In computer management local group and user option is not there as suggested by a solution!)
  "Verification of prerequisites for Domain Controller promotion failed. The local Administrator account becomes the domain Administrator account when you create a new domain. The new domain cannot be created because the local Administrator account password
  does not meet requirements.
  Currently, the local Administrator password is blank, which might lead to security issues. We recommend that you press Ctrl+Alt+Delete, use the net user command-line tool, or use Local Users and Groups to set a strong password for the local Administrator
  account before you create the new domain."

  OK, the reason you see this error is because when you set up and configured your Windows R2 environment you may have logged into the OS with an account other than Administrator. So, if you created your log in account named Bob, this is throwing off the Server.
  So, hit Ctrl-Alt-Delete, and look who you are logged in as, and then change the account you are logging in as and use the local Administrator account. What you may find is that the default Admin account password has not been set.
  Check that out and see if that is what you are experiencing.
  Best wishes

• Windows Server 2008 R2 Domain Controller NOT logging EventID 4740

  EventID 4740 (account lockout) is not being logged to the event viewer. When searching through the security log there are none to be found. Having accounts locked out and no logging is driving me nuts. Hope someone has run into this before. This is what
  i have checked thus far.
  >Windows Server 2008 R2 Domain Controller
  >Verified the following GPO settings are set and correct:
  >Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\ all are set for Success & Failure
  >Computer Configuration\Windows Settings\Security Settings\Advanced Audit Configuration\Logon/Logoff) is set for Success and Failure
  >Powershell command Get-Eventlog -log Security -InstanceId 4740 returns no results which makes sense since there are no entries in the security log file.
  >No 4740 entries in the netlogon.log debug file
  AD and the LockoutStatus tool show the account is locked out but i still have nothing in the logs.
  Anyone have any ideas? From everything i can find online , it appears i have everything set properly.
  Thanks, Chico

  Hi Chico,
  I suggest you try to enable this group policy below:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management
  More information for you:
  Missing 4740 EventID's
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/c9871d72-7439-46b5-98e6-a7fadfa6ff28/missing-4740-eventids?forum=winserversecurity
  If you have multiple Domain Controllers, check this event on other DCs, too.
  Please feel free to let us know if there are any further requirements.
  Best Regards,
  Amy Wang

• Exchange Server 2013 and Domain Controller

  Hello,
  I am planning to install domain controller and exchange server 2013 in same server hardware. Is that not recommended? If not, why is it no recommended?
  Thank you in advance,

  thanks for such a quick response.
  Just a small question about the link that you put. Does member server mean other server other than domain controller?
  Regards,
  Yes, Also the server on which you are installing Exchange should have exchange installed.
  Cheers,
  Gulab Prasad
  Technology Consultant
  Blog:
  http://www.exchangeranger.com    Twitter:
    LinkedIn:
     Check out CodeTwo’s tools for Exchange admins
  Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

• Unable to edit Default Domain policy on Server 2012 R2 domain controller

  Hello,
  I recently built a Server 2012 R2 domain controller and added it to my domain.  When trying to edit the default domain policy I get the following error:
  I can make edits to other GPO objects.  All the other domain controllers are Server 2008 and are able to edit that GPO.  The issue is on the Server 2012 box only.  I've checked the delegated permissions, I'm a domain admin, and have opened
  GPMC as administrator.  Does anyone know what I'm missing?  Thank you for your time.
  Tino

  Hi Tino,
  >>Could that be the problem?
  I don't think so, for we can still use FRS to replicate Sysvol. However, it is recommended that we use DFSR to replicate Sysvol if our domain
  function level is Windows Server 2008 or above.
  Besides, we can follow the suggestions from the following thread to check out which replication mechanism we are using.
  DFS-R on 2008 R2 by default?
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/8f2042d3-193d-4414-b9da-cbcedc6a4c32/dfsr-on-2008-r2-by-default?forum=winserverDS
  If the Sysvol is replicated by FRS mechanism, as I suggested in the last reply, we can do a non-authoritative restore for the Sysvol on the new Windows
  Server 2012. This will restore the Sysvol from a healthy DC.
  To perform a nonauthoritative restore, stop the FRS service, configure the BurFlags registry key, and then restart the FRS service. To do so:
  1. Click Start, and then click Run.
  2. In the Open box, type cmd and then press ENTER.
  3. In the Command box, type net stop ntfrs.
  4. Click Start, and then click Run.
  5. In the Open box, type regedit and then press ENTER.
  6. Locate the following subkey in the registry:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
  7. In the right pane, double-click BurFlags.
  8. In the Edit DWORD Value dialog box, type D2 and then click OK.
  9. Quit Registry Editor, and then switch to the Command box.
  10. In the Command box, type net start ntfrs.
  11. Quit the Command box.
  TechNet Subscriber Support
  If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
  Hope it helps.
  Best regards,
  Frank Shen

• Exchange 2007 RTM support with Windows Server 2012 R2 Domain Controller

  Hi All,
  I have not found any TechNet Article which states about the Windows Server 2012 R2 Active Directory domain controller operating system support with Exchange 2007 RTM, can some one please let me know that does Exchange 2007 RTM supports Windows Server 2012
  R2 domain controller operating system, we are in the process of upgrading the domain controllers to 2012 R2 but not the forest and domain functional level to 2012 R2.
  thanks
  If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync

  There are several likely reasons for this.  The most significant is that Exchange 2007 RTM is no longer supported (outside ot extended support, which is not going to include adding support for new operating systems): 
  http://support2.microsoft.com/lifecycle/default.aspx?LN=en-us&p1=10926
  You'll note from the following -
  http://technet.microsoft.com/library/ff728623(v=exchg.150).aspx - that only Exchange 2007 SP3 is currently supported in any environment.
  HTH ...

• Cannot generate Account Logon Events (Event ID 4624) in Security Event Log on Server 2008 R2 Domain Controller

  I have configured the Default Domain Controller's policy to log SUCCESS for Account Logon Events in the Server 2008 R2 Domain Controller, but these events are not logging in the Security Event log.
  Default Domain Controllers Policy
  Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policies/Audit Account Logon Events = Success.
  What tools can I use to troubleshoot this further? The results of "Auditpol.exe /get /category:*" are below.
  System audit policy
  Category/Subcategory                      Setting
  System
    Security System Extension               No Auditing
    System Integrity                        No Auditing
    IPsec Driver                            No Auditing
    Other System Events                     No Auditing
    Security State Change                   No Auditing
  Logon/Logoff
    Logon                                   No Auditing
    Logoff                                  No Auditing
    Account Lockout                         No Auditing
    IPsec Main Mode                         No Auditing
    IPsec Quick Mode                        No Auditing
    IPsec Extended Mode                     No Auditing
    Special Logon                           No Auditing
    Other Logon/Logoff Events               No Auditing
    Network Policy Server                   No Auditing
  Object Access
    File System                             No Auditing
    Registry                                No Auditing
    Kernel Object                           No Auditing
    SAM                                     No Auditing
    Certification Services                  No Auditing
    Application Generated                   No Auditing
    Handle Manipulation                     No Auditing
    File Share                              No Auditing
    Filtering Platform Packet Drop          No Auditing
    Filtering Platform Connection           No Auditing
    Other Object Access Events              No Auditing
    Detailed File Share                     No Auditing
  Privilege Use
    Sensitive Privilege Use                 No Auditing
    Non Sensitive Privilege Use             No Auditing
    Other Privilege Use Events              No Auditing
  Detailed Tracking
    Process Termination                     No Auditing
    DPAPI Activity                          No Auditing
    RPC Events                              No Auditing
    Process Creation                        No Auditing
  Policy Change
    Audit Policy Change                     No Auditing
    Authentication Policy Change            No Auditing
    Authorization Policy Change             No Auditing
    MPSSVC Rule-Level Policy Change         No Auditing
    Filtering Platform Policy Change        No Auditing
    Other Policy Change Events              No Auditing
  Account Management
    User Account Management                 No Auditing
    Computer Account Management             No Auditing
    Security Group Management               No Auditing
    Distribution Group Management           No Auditing
    Application Group Management            No Auditing
    Other Account Management Events         No Auditing
  DS Access
    Directory Service Changes               No Auditing
    Directory Service Replication           No Auditing
    Detailed Directory Service Replication  No Auditing
    Directory Service Access                No Auditing
  Account Logon
    Kerberos Service Ticket Operations      No Auditing
    Other Account Logon Events              No Auditing
    Kerberos Authentication Service         No Auditing
    Credential Validation                   Success

  Hi Lawrence,
  After configuring the GPO, did we run command gpupdate/force to update the policy immediately on domain controller? Besides, please run command gpresult/h c:\gpreport.html to check if the audit policy
  setting was applied successfully.
  TechNet Subscriber Support
  If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
  Best regards,
  Frank Shen

• Certificate for Domain Controller Will not import

  Hi,
  I am having an issue importing a Certificate .crt file on a Windows Server 2008 R2 Domain Controller.  The Certiificate is needed for migrating our 2003 Domain Controllers to 2008r2.   When I try to use the command line to import the certificate
  using the following:
  I receive the following output:
  Cannot find object or property. 0x80092004 (-2146885628)  
  I also tried this command 
  certreq.exe -accept hostname.crt -machine   and received the same error.
  When I try to import the Certificate using the GUI it works but there is no "private key" found.   
  The Certificate was issued from Digicert.    
  Does anyone know how to resolve this so my certificate imports correctly with a private key intact?   
  Thanks,
  Kevin C.

  Here are the steps as explained by Digicert:
  How to Import and Export your SSL Certificate
  https://www.digicert.com/import-export-ssl-certificate.htm
  Note that I've used Digicert and haven't had a problem with the private key. If the private key's missing, there will be missing functionality. And also note, that Digicert's tech support is free and they are actually pretty good and can help almost immediately
  as soon as you call them. They've helped me a number of times.
  Give them a call 24/7: 1.801.701.9600
  Ace Fekay
  MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP - Directory Services
  Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
  This posting is provided AS-IS with no warranties or guarantees and confers no rights.

• Biztalk 2013 R2 with Windows Server 2003 R2 Domain Controller

  Hello, I have a client right who has a Windows Server 2003 R2 domain controller with active directory installed. Is there any reason why I can't install Biztalk 2013 on a Windows Server 2012 R2 box and add it to that farm to use active directory?
  Thanks in advance,
  -Adam

  BizTalk Server is only going to use the User Groups created in Domain Controller so ideally i don't think there will be any compatibility issue. Also there isn't any microsoft article which talks about BizTalk compatibility with respect to domain controller.
  You will have to create all the Windows Groups and User Accounts in AD, before BizTalk Server configuration.
  Windows Groups and User Accounts in BizTalk Server
  Thanks,
  Prashant
  Please mark this post accordingly if it answers your query or is helpful.

• Promote this server to a domain controller still appears

  Hi All, I've change one DC 2003 with a new DC 2012 in my forest (I've 4 DC e 3 sites) following these steps:
  1 - Demote DC 2003
  2 - Remove DNS 2003 Role
  3 - Rename e change IP on Server 2003
  4 - Waiting and verify replica
  5 - Give the same Hostname and IP of Server 2003 to New DC 2012
  5 - Add Role AD Directory Service and when finished I use the notification "promote this server to a domain controller" to promote it to a member domain controller.
  6 - After reboot the notification STILL APPEARS, but it result as a DC and all work fine.
  Any help me?
  Thanks

  Hi Federico,
  Can you please confirm, whether you are seeing the notification as given in the below screenshot,
  This notification implies that “Active Directory Domain Services” role binaries have been installed and now it is time to promote the server to a Domain Controller.
  Checkout the below link on Step-by-Step Guide for Setting Up A Windows Server 2012 Domain Controller,
  http://social.technet.microsoft.com/wiki/contents/articles/12370.step-by-step-guide-for-setting-up-a-windows-server-2012-domain-controller.aspx 
  Regards,
  Gopi
  www.jijitechnologies.com

• 10.5.7 server as primary domain controller

  Setting up a 10.5.7 server -
  Server is setup as a open directory master, I want it also to be a primary domain controller (smb).
  But when I try to change it from Standalone Server to primary domain controller, using my directory admin user id and password, it just reverts back to standalone server. tried it with smb running and not running.
  Any ideas ?

  Having the same issue with Leopard Server 10.5.8.
  SMB was previously set up as a "Domain Member" and now I want to make it a "Primary Domain Controller".
  After reboot, the Role always reverts back to "Domain Member".
  Any ideas?

• Non riesco a ricevere acquisti fatti su itunes, mi da questo errore :erreu : you have an error in your sql syntax; checkthe manual that corresponds to your mysql server version for the right syntax to use near from news order by id desc at line. cosa devo

  non riesco a ricevere acquisti fatti su itunes, mi da questo errore :erreu : you have an error in your sql syntax; checkthe manual that corresponds to your mysql server version for the right syntax to use near from news order by id desc at line. cosa devo fare?  grazie

  Start Firefox in [[Safe Mode]] to check if one of the add-ons is causing the problem (switch to the DEFAULT theme: Tools > Add-ons > Themes).
  * Don't make any changes on the Safe mode start window.
  See:
  * [[Troubleshooting extensions and themes]]

• ACS any Version with Domain Controller on Windows Server 2008 R2 64bit

  Hi All
  Is there currently any ACS version working with Windows Server 2008 R2 domain controllers?
  Our server stuff has recently upgraded the Domain Controllers to 2008r2 and turned off the 2003 servers. This didn't make our ACS 4.1.4 really happy.
  I've read now serveral posts regarding issues with ACS and Server 2008r2 and hope to find a solution (besides switching to LDAP, yukk).
  Thanks
  pato

  Hi AllIs there currently any ACS version working with Windows Server 2008 R2 domain controllers?Our
  server stuff has recently upgraded the Domain Controllers to 2008r2 and
  turned off the 2003 servers. This didn't make our ACS 4.1.4 really
  happy.I've read now serveral posts regarding issues with ACS and
  Server 2008r2 and hope to find a solution (besides switching to LDAP,
  yukk).Thankspato
  Hi Pato,
  Just check out the below link hope that help.
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/release/notes/ACS42_RN.html
  As per the link it says The support for Windows Server 2008 is applicable for ACS 4.2 Patch 4 onwards.
  Hope to Help !!
  Remember to rate the helpful post
  Ganesh.H

• Exchange server-Removing a Domain Controller from the forest

  Hi Guys,
  I need some help on removing a faulty domain controller from the AD forest. Here is the scenario:
  1. The FSMO roles have been seized to a new domain controller already.
  2. The old one is non-functional and is down for ever.
  I know the steps would be doing a meta-data cleanup And then remove some of the DNS entries related to the old server. But the real issue is:
  > I have Exchange 2013 running in one of the machines configured in the Forest, which was migrated from the old Domain controller. I then set Exchange listening to the new domain controller.
  So, my doubt is, if I delete the old domain controller and do a metadata cleanup, would it have any effect on the exchange server? The Exchange machine acts as an additional domain controller as well. Its a production environment and any
  change that affects Exchange would cause a big loss. Looking forward for your valuable suggestions..
  Regards,
  Nash

  Hi Ed,
  I don't have issues with the AD on the Exchange server. Eventhough it is configured as an AD, Exchange is pointed to the main working domain controller, which is a different machine. I just want to remove the traces of an old domain controller from which
  I transferred the FSMO roles to the new domain controller. The old  domain controller is completely down and hence I can't do a conventional 'dcpromo' on it. So just planning to do a 'metadata clean up' for removing the non-working DC from the forest. 
  So, In essence, I just want to know that, if I do a metadata cleanup, would it affect the Exchange server in any way?
  Regards,
  Nash