Win2008R2 SP1 Domain Controller Patching Steps

I've been searching today and found a lot of articles stating that patching a domain controller should be required. Understood, and I agree with those statements. My question is this:
I have multiple domain controllers in one domain; what are the best-practice/proper procedures for applying Windows patches to multiple domain controllers? I am sure it is going to be: patch one, restart, then patch another, restart, and so on, not all at the
same time. I just want to make sure I am following proper procedures when doing this.
Any and all help is greatly appreciated.
Len
Leonard Hoffman

Hi Leonard
Correct, it is best to patch DCs (in each site) sequentially to ensure service continuity. It is also a good idea to transfer the FSMO roles from the DC that holds them prior to performing maintenance. Here's a link to a script that can help with the transfer:
http://www.open-a-socket.com/index.php/2012/06/07/powershell-script-to-move-fsmo-roles/
Tony www.activedir.org Blog: www.open-a-socket.com
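The rolling procedure the reply describes (move FSMO roles off the DC, patch and reboot one DC at a time, confirm it is back and replicating before touching the next) as an added PowerShell example; this is not the script linked above and not code from the thread. It assumes the ActiveDirectory module (RSAT) and repadmin.exe are present, PowerShell 3.0 or later for Restart-Computer -Wait, an account allowed to transfer the roles, and placeholder site and DC names.

```powershell
# Added example (not the linked script): rolling, one-at-a-time DC maintenance.
# Assumptions: ActiveDirectory module and repadmin.exe available, PowerShell 3.0+,
# an account permitted to transfer FSMO roles, placeholder site name below.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Forest-wide roles come from Get-ADForest, domain roles from Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Get-RolesHeldBy([string]$DcFqdn) {
    (Get-FsmoHolders).GetEnumerator() |
        Where-Object { $_.Value -ieq $DcFqdn } |
        ForEach-Object { $_.Key }
}

function Move-RolesOffDc([string]$FromDc, [string]$ToDc, [switch]$WhatIf) {
    $roles = @(Get-RolesHeldBy $FromDc)
    if ($roles.Count -eq 0) { Write-Host "$FromDc holds no FSMO roles."; return }
    Write-Host "Transferring $($roles -join ', ') from $FromDc to $ToDc"
    # A transfer (as opposed to a seizure) needs the current holder online, so this
    # runs before the reboot, never after it.
    Move-ADDirectoryServerOperationMasterRole -Identity $ToDc -OperationMasterRole $roles `
        -Confirm:$false -WhatIf:$WhatIf
}

function Test-ReplicationHealthy([string]$DcFqdn) {
    # repadmin /showrepl /csv lists every inbound partner per naming context; a
    # "Number of Failures" above zero means this DC is not pulling changes from it.
    $rows   = repadmin /showrepl $DcFqdn /csv | ConvertFrom-Csv
    $failed = @($rows | Where-Object { [int]$_.'Number of Failures' -gt 0 })
    foreach ($f in $failed) {
        Write-Warning "$DcFqdn <- $($f.'Source DSA') [$($f.'Naming Context')]: $($f.'Last Failure Status')"
    }
    return ($failed.Count -eq 0)
}

function Wait-ForDc([string]$DcFqdn, [int]$TimeoutMinutes = 20) {
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        # Ask the DC itself to answer an LDAP query; a ping only proves the OS booted.
        try {
            $null = Get-ADDomainController -Identity $DcFqdn -Server $DcFqdn -ErrorAction Stop
            if (Test-ReplicationHealthy $DcFqdn) { return $true }
        } catch { }
        Start-Sleep -Seconds 30
    }
    return $false
}

# Patch the DCs of one site one after another; move on only when the previous DC
# is back, answering LDAP and replicating cleanly.
$site = 'Default-First-Site-Name'                                   # placeholder
$dcs  = Get-ADDomainController -Filter { Site -eq $site } | Select-Object -ExpandProperty HostName
foreach ($dc in $dcs) {
    $peer = $dcs | Where-Object { $_ -ne $dc } | Select-Object -First 1
    if (-not (Test-ReplicationHealthy $dc)) { throw "Replication problems on $dc; fix them before patching." }
    if ($peer) { Move-RolesOffDc -FromDc $dc -ToDc $peer }
    # Install the updates with your normal tooling here (WSUS, wusa.exe, ...), then:
    Restart-Computer -ComputerName $dc -Force -Wait -For PowerShell -Timeout 1200
    if (-not (Wait-ForDc $dc)) { throw "$dc did not come back healthy; stopping the rollout." }
}
```

The pre-check matters as much as the role move: patching a DC that already has inbound replication failures hides whether the patch or the pre-existing fault caused any post-reboot problem, so the loop refuses to continue in that state.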

Similar Messages

  • NTP Service on Domain Controller have problem with cisco switch

Hello!
I have a Windows Server 2008 R2 SP1 Domain Controller with the NTP service.
The Windows operating system clients get NTP time OK.
There is a problem with a Cisco switch: it can't get time from NTP.
Can anybody help me fix this problem?
    C:\Users\Sysuser>w32tm /query /configuration
    [Configuration]
    EventLogFlags: 2 (Local)
    AnnounceFlags: 5 (Local)
    TimeJumpAuditOffset: 28800 (Local)
    MinPollInterval: 6 (Local)
    MaxPollInterval: 10 (Local)
    MaxNegPhaseCorrection: 1800 (Local)
    MaxPosPhaseCorrection: 1800 (Local)
    MaxAllowedPhaseOffset: 300 (Local)
    FrequencyCorrectRate: 4 (Local)
    PollAdjustFactor: 5 (Local)
    LargePhaseOffset: 50000000 (Local)
    SpikeWatchPeriod: 900 (Local)
    LocalClockDispersion: 10 (Local)
    HoldPeriod: 5 (Local)
    PhaseCorrectRate: 7 (Local)
    UpdateInterval: 100 (Local)
    [TimeProviders]
    NtpClient (Local)
    DllName: C:\Windows\system32\w32time.dll (Local)
    Enabled: 1 (Local)
    InputProvider: 1 (Local)
    AllowNonstandardModeCombinations: 1 (Local)
    ResolvePeerBackoffMinutes: 15 (Policy)
    ResolvePeerBackoffMaxTimes: 7 (Policy)
    CompatibilityFlags: 2147483648 (Local)
    EventLogFlags: 0 (Policy)
    LargeSampleSkew: 3 (Local)
    SpecialPollInterval: 3600 (Policy)
    Type: NTP (Policy)
    NtpServer: 10.7.0.4 (Policy)
    NtpServer (Local)
    DllName: C:\Windows\system32\w32time.dll (Local)
    Enabled: 1 (Local)
    InputProvider: 0 (Local)
    AllowNonstandardModeCombinations: 1 (Local)
    VMICTimeProvider (Local)
    DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
    Enabled: 1 (Local)
    InputProvider: 1 (Local)
    Cisco config and errors
    CISCO1#show ntp ass det
    10.7.0.7 configured, insane, invalid, stratum 3
    ref ID 10.7.0.4, time D5BC850F.C8400AB2 (15:50:39.782 MSK Mon Aug 19 2013)
    our mode client, peer mode server, our poll intvl 1024, peer poll intvl 1024
    root delay 62.50 msec, root disp 11128.04, reach 377, sync dist 11218.796
    delay 6.06 msec, offset -467951.1096 msec, dispersion 56.49
    precision 2**6, version 3
    org time D5BC8864.F79C33A7 (16:04:52.967 MSK Mon Aug 19 2013)
    rcv time D5BC8A38.EBDECB39 (16:12:40.921 MSK Mon Aug 19 2013)
    xmt time D5BC8A38.EA5173BE (16:12:40.915 MSK Mon Aug 19 2013)
    filtdelay =     6.06    5.87    3.23    7.90    6.41    5.17   13.03    3.43
    filtoffset = -467951 -467905 -467936 -467885 -467764 -467816 -467707 -467697
    filterror =     0.02   15.64   31.27   46.89   62.52   78.14   93.75   93.78

    Hi,
     >>I gave log on as a service right to this account in Default Domain Controllers Policy but unfortunately it was not enough
    Based on your description, we can try to grant this account Allow log on locally
    user right in the default domain controller policy to see if it helps.
    The policy setting is:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally
    Allow log on locally
    http://technet.microsoft.com/en-us/library/cc756809(v=ws.10).aspx#feedback
    Best regards,
    Frank Shen
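The w32tm dump in the question above lists the settings, but not what the DC actually advertises to its NTP clients. The following is an added PowerShell example, not from the thread, that parses `w32tm /query /status` and `w32tm /query /configuration` on the DC and flags the fields that decide whether a downstream client accepts the source. It assumes an elevated prompt on the DC, English w32tm labels with a "." decimal separator, and uses the NTP sanity limit from RFC 5905 (a client rejects a source whose root distance exceeds MAXDIST = 1 s) rather than any Cisco-specific threshold; the switch output above reports a sync distance of about 11 s.

```powershell
# Added example (not from the thread): what this DC advertises to its NTP clients.
# Assumptions: elevated prompt on the DC, English w32tm output, "." as decimal separator.

function Get-W32tmStatus {
    # "w32tm /query /status" prints "Label: value" lines, e.g. "Root Dispersion: 0.0156250s"
    $status = @{}
    foreach ($line in (w32tm /query /status)) {
        if ($line -match '^\s*([^:]+?):\s*(.+?)\s*$') { $status[$matches[1]] = $matches[2] }
    }
    return $status
}

function Get-W32tmConfig {
    # "w32tm /query /configuration" nests provider blocks under [TimeProviders]; keys such
    # as Enabled repeat per provider, so each key is prefixed with its block name.
    $config = @{}; $block = ''
    foreach ($line in (w32tm /query /configuration)) {
        if ($line -match '^\s*\[(.+)\]\s*$')                    { $block = $matches[1]; continue }
        if ($line -match '^\s*(\w+)\s+\((Local|Policy)\)\s*$')   { $block = $matches[1]; continue }
        if ($line -match '^\s*([^:]+?):\s*(.*?)\s*\((Local|Policy)\)\s*$') {
            $config["$block.$($matches[1])"] = $matches[2]
        }
    }
    return $config
}

function Test-TimeSourceSane([hashtable]$Status, [hashtable]$Config) {
    $findings = @()
    # Root delay and root dispersion are forwarded to clients in every NTP reply.
    # RFC 5905 clients discard a source whose root distance (delay/2 + dispersion)
    # exceeds MAXDIST = 1 s, whatever the offset is.
    $disp  = [double]($Status['Root Dispersion'] -replace 's$')
    $delay = [double]($Status['Root Delay']      -replace 's$')
    $dist  = $delay / 2 + $disp
    if ($dist -gt 1.0) {
        $findings += ("Root distance {0:N3}s exceeds 1 s; NTP clients will reject this source" -f $dist)
    }
    if ($Status['Source'] -match 'Local CMOS Clock|Free-running') {
        $findings += "DC is serving its own local clock ($($Status['Source']))"
    }
    # AnnounceFlags 5 = always advertise as a reliable time source. Expected on the PDC
    # emulator with an external NTP source; other DCs normally use Type NT5DS.
    if ($Config['NtpClient.Type'] -eq 'NTP' -and $Config['Configuration.AnnounceFlags'] -ne '5') {
        $findings += "Manual NTP source configured but AnnounceFlags is $($Config['Configuration.AnnounceFlags']), not 5"
    }
    if ($Config['NtpServer.Enabled'] -ne '1') {
        $findings += 'NtpServer provider disabled; nothing can sync from this DC'
    }
    if ($Config['VMICTimeProvider.Enabled'] -eq '1') {
        $findings += 'VMICTimeProvider enabled: on a Hyper-V guest the host may also steer this clock'
    }
    return $findings
}

$status = Get-W32tmStatus
$config = Get-W32tmConfig
"{0}: stratum {1}, source {2}" -f $env:COMPUTERNAME, $status['Stratum'], $status['Source']
Test-TimeSourceSane $status $config | ForEach-Object { Write-Warning $_ }
```

Run it on the DC the switch points at (10.7.0.7 in the question) and compare the reported root dispersion with the `root disp` figure the switch prints; if both are far above one second, the switch is behaving as the protocol requires and the fix belongs on the DC's own upstream synchronisation, not on the switch.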

  • Turning on a Domain Controller after ntdsutil metadacleanup

    Hello,
    I was in the middle of doing a lifecycle replacement swapping out 2003 servers for 2008 R2 servers.  I promoted my 2 Windows Server 2008 R2 domain controllers.  I tried to demote my Windows 2003 SP1 server and kept getting lsass errors and
    crashing my domain controller.  After the lsass errors I simply turned off the domain controller and did a ntdsutil meta data cleanup on that domain controller.  Unfortunately we installed the McAfee managed client on the new domain controllers and
    broke the secure link so I had to demote them.  After fixing the problem, I tried to promote them again and I keep getting lsass errors and the Windows Server 2003 SP1 domain controller blue screens so I need to bring the other 2003 server back online.
    My question is, when I turn on the 2003 domain controller, will it continue as a domain controller even after metadata cleanup?  The only reason I ask is because when I did metadata clean up it prompted with a message that if I turn the domain controller
    back on it will be revived.

    >>>My question is, when I turn on the 2003 domain controller, will it continue as a domain controller
    even after metadata cleanup? 
    No.  You are manually removing this DC from AD database.
    You can promote this server as DC again if need.  Start with a new OS
    Santhosh Sivarajan | Houston, TX | www.sivarajan.com
    ITIL,MCITP,MCTS,MCSE (W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),Network+,CCNA
    Windows Server 2012 Book - Migrating from 2008 to Windows Server 2012
    This posting is provided AS IS with no warranties, and confers no rights.

  • Event id 3224 in a domain controller WIndows 2008 x64 sp1

    on a domain controller this error appeared, I found it as we can resolve it, beyond reset the machine account to be a domain controller do not think, any idea?

    If I am not mistaken, the error is for a broken secure channel on a DC. If yes, please refer to Awinish blog: http://awinish.wordpress.com/2010/12/24/when-secure-channel-is-broken/
    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

  • Limit Administrator Access to only OS Level functions on a Windows 2003 (and up) Domain Controller Server

I have read several articles such as:
1. http://social.technet.microsoft.com/Forums/windowsserver/en-US/9c723f4a-51a7-4844-9dc6-0017355d694c/limited-administrative-on-domain-controller?forum=winserverDS
2. Active_Directory_Delegation.doc
Consider that a domain controller, doing no other functions than domain based functions (ie no file server, printer or app server) - is managed in two parts: the OS-only level, to read log files, server health monitoring, install OS-level Microsoft security patching, and the second part being Domain management level - Users and Computers, Domains and Trusts, etc.
For a given domain controller server, an outsourced support group needs to be responsible for the OS-only level access - they need no access to the Domain management level functions so they can fulfill contractual obligations (SLAs) for server uptime, patching etc.
For the same given domain controller server above, there is an internal (non-outsourced) support group that will perform all Domain management level functions only. They want to manage the Domain on the Domain Controller servers, want the Outsourcer to manage the VM and OS-related tasks, but DO NOT want them to be able to access and change information in Users and Computers, Domains and Trusts etc.
With that explanation, would putting the Outsourcer's AD-based account IDs in the Server Operators group alone be sufficient to allow OS-level management, like patching, reboots, etc but disallow access to Domain Management functionality (Users and Computers etc) - or does it need to be a combination of built in groups and delegated rights?
Please consider that I am seeking a technical solution here - do not respond with "either trust your Domain Administrators or keep your junior admins from the server" as that is not a viable solution.
    Jason B. Allen

    Hi Jason,
    According to your description, you want to assign the OS-level management and Domain management rights to two groups separately, right?
Based on my research, members of the Server Operators group don't have sufficient rights to install updates on Domain Controllers; you can refer to this article below:
    Default groups
    http://technet.microsoft.com/en-us/library/cc756898(v=WS.10).aspx
    You can configure Allow non-administrators to receive update notifications group policy so that non-administrative users will be able to install all optional, recommended, and important updates content for which
    they received a notification, except some updates which contain User Interface, End User License Agreement and so on, which still require domain admin credentials.
To give non-administrator users the ability to log on to and shut down DCs,
the Allow log on locally and Shut down the system rights should be granted.
In addition, the rights to read logs and monitor server performance are included in the Performance Log Users and Performance Monitor Users groups.
    More information for you:
    Step 5: Configure Group Policy Settings for Automatic Updates
    http://technet.microsoft.com/en-us/library/dn595129.aspx
    User Rights Assignment
    http://technet.microsoft.com/en-us/library/cc780182(v=WS.10).aspx
    I hope this helps.
    Amy Wang
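Before deciding between built-in groups and delegated rights, it helps to see what the DC's effective policy and those groups currently grant. The script below is an added PowerShell example, not from the thread, that exports the user rights in effect on a DC with secedit, resolves the SIDs, and lists the members of the built-in operator groups the reply mentions. It assumes an elevated prompt on the DC, the ActiveDirectory module (RSAT), and the default built-in group names.

```powershell
# Added example (not from the thread): audit what an "OS-level only" delegation on a
# DC actually grants. Assumptions: elevated prompt on the DC, ActiveDirectory module
# present, secedit.exe (ships with Windows), default built-in group names.
Import-Module ActiveDirectory

# Privileges discussed in the reply, keyed by the constant secedit uses for them.
$RightsOfInterest = @{
    SeInteractiveLogonRight       = 'Allow log on locally'
    SeRemoteInteractiveLogonRight = 'Allow log on through Remote Desktop Services'
    SeShutdownPrivilege           = 'Shut down the system'
    SeServiceLogonRight           = 'Log on as a service'
    SeBackupPrivilege             = 'Back up files and directories'
}

function Get-EffectiveUserRights {
    # secedit exports the policy in effect on this machine (domain GPOs already merged)
    # as "SeRight = *S-1-5-32-549,*S-1-5-32-544" lines in the [Privilege Rights] section.
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    $null = secedit /export /cfg $cfg /areas USER_RIGHTS
    $rights = @{}
    foreach ($line in (Get-Content $cfg)) {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $principals = foreach ($sid in ($matches[2] -split ',')) {
                $sid = $sid.Trim().TrimStart('*')
                if (-not $sid) { continue }
                try { ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
                catch { $sid }   # unresolvable SID (e.g. a deleted account): keep it raw for review
            }
            $rights[$matches[1]] = @($principals)
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Get-DcOperatorGroupMembers {
    # Built-in groups whose members can log on to DCs without being Domain Admins.
    $report = @{}
    foreach ($g in 'Server Operators','Backup Operators','Account Operators','Print Operators',
                   'Performance Log Users','Performance Monitor Users') {
        $report[$g] = @(Get-ADGroupMember -Identity $g -Recursive | Select-Object -ExpandProperty SamAccountName)
    }
    return $report
}

function Show-DcDelegationAudit {
    $rights = Get-EffectiveUserRights
    foreach ($r in $RightsOfInterest.Keys) {
        "{0} ({1}): {2}" -f $RightsOfInterest[$r], $r, (($rights[$r]) -join ', ')
    }
    $groups = Get-DcOperatorGroupMembers
    foreach ($g in $groups.Keys) {
        "{0}: {1}" -f $g, $(if ($groups[$g]) { $groups[$g] -join ', ' } else { '<empty>' })
    }
    # Caveat the thread leaves implicit: on DCs, Server Operators and Backup Operators
    # hold the backup and restore privileges, which bypass file ACLs on the directory
    # database and SYSVOL, so membership there is not a separation from domain data.
    foreach ($g in 'Server Operators','Backup Operators') {
        if ($groups[$g]) { Write-Warning "$g is populated ($($groups[$g] -join ', ')); review whether that is intended" }
    }
}

Show-DcDelegationAudit
```

Reading the two lists side by side answers the question in the post: the rights section shows which groups a GPO-based delegation would have to touch, and the membership section shows what the existing built-in groups already hand out beyond "OS-level" tasks.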

  • JRE 1.7 / Java Plug-in - Long delay in retrieving the applet File(JAR) due to a request to the Domain Controller(on port 53)

    Description:
    A specific group of users/customers (using Windows7 OS with IE and FireFox web browsers) are facing problems with retrieving the applet File, after they upgraded the JRE on the system(PC) to JRE 1.7.0_25-b17 from JRE version 1.6.0_29-b11.
    With JRE 1.7.0_25-b17 it is noticed that when the Java plugin requests for the applet File; it sends a request to the Domain Controller of the user, which causes a delay of 2 to 5 minutes and sometimes hangs. The problem occurs consistently.
    The current temporary workaround for this group of users is to use JRE version 1.6.0_29-b11.
    Problem analysis:
    To investigate the problem the below steps were executed:
1) Collected the Java console output below from the user's system. (The complete output is not posted due to its length, though it can be added to this post if required.)
    (a) Works fine with JRE version 1.6.0_29-b11. Kindly refer to Java console output in the code ‘section A’ towards the end of this post.
(b) The problem occurs with JRE version 1.7.0_25-b17. Kindly refer to the Java console output in the code 'section B' towards the end of this post. The step where the problem is observed is indicated as (##<comment>##).
2) The network settings in the user's browser were checked. Internet Options > Connections > LAN settings
    The configured option is 'Use automatic configuration script' and the value is http://www.userAppX.com/proxy.pac
    This configuration remains the same irrespective of the JRE version in use.
    3) The network settings in the Java Control Panel was checked.
    The used/selected option is "Use browser settings", although values for 'Use proxy server' and 'use automatic proxy configuration script' are filled-in as 'user-proxy.com' and 'http://www.userAppX.com/proxy.pac' respectively.
    This configuration remains the same irrespective of the JRE version in use.
    4) The proxy PAC file was checked and debugging was done for the request 'https://myAppletHost.com/download/...'. The FindProxyForUrl function (including the conditions defined in it, for the hostname and domain checks) returns PROXY user-proxy.com:80
    5) The user also tried the below
    a. Changed the option in the network settings in the browser to 'Proxy server' with Address 'user-proxy.com' and Port '80'
    b. Restarted the browser.
    c. Tried with Java Plug-in 1.6.0_29, JRE version 1.6.0_29-b11. There was no problem and no request to the Domain Controller of the user.
    d. Tried with Java Plug-in 10.40.2.43, JRE version 1.7.0_40-b43. The problem occurs with the delay and a request to the Domain Controller of the user is observed.
    Kindly refer to Java console output in the code ‘section C’ towards the end of this post.
6) The user also tried setting the below property in the Java Control Panel, restarted the browser, and tried with JRE 1.7.0_40-b43. The problem still persists.
    -Djava.net.preferIPv4Stack=true
    7) The Global Policy Management of the Domain Controller was verified by the user. It has GPO for proxy setting but nothing related to Java security.
    Questions:
The problem seems to be specific to a particular (user) environment setup, and the user faces the problem when using JRE 1.7.
    We would like to know if the issue is in the (user) environment setup or in JRE 1.7.
    Could you please help with information/ideas/suggestions to identify the root cause and solution for this problem?
    Section A:
    Java Plug-in 1.6.0_29
    Using JRE version 1.6.0_29-b11 Java HotSpot(TM) Client VM
    User home directory = C:\Users\userA
    basic: Plugin2ClassLoader.addURL parent called for https://myAppletHost.com/download/myApplet.jar
    network: Connecting https://myAppletHost.com/download/myApplet.jar with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
    network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-b1bb5056c5b0e83f=2; Path=/"
    network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-b1bb5056c5b0e83f=2; Path=/"
    security: Loading Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
    security: Loaded Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
    security: Loading SSL Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
    security: Loaded SSL Root CA certificates from C:\Program Files (x86)\Java\jre6\lib\security\cacerts
    security: Loading certificates from Deployment session certificate store
    security: Loaded certificates from Deployment session certificate store
    security: Loading certificates from Internet Explorer ROOT certificate store
    security: Loaded certificates from Internet Explorer ROOT certificate store
    security: Checking if certificate is in Deployment denied certificate store
    network: Connecting https://myAppletHost.com/download/myApplet.jar with cookie "JSESSIONID=0000IK4bEMoqXH10zsl88rwvoRI:175oe9tjd; BCSI-CS-b1bb5056c5b0e83f=2"
    network: Downloading resource: https://myAppletHost.com/download/myApplet.jar
                    Content-Length: 403.293
                    Content-Encoding: null
    Dump system properties ...
    https.protocols = TLSv1,SSLv3
    java.vm.info = mixed mode, sharing
    java.vm.name = Java HotSpot(TM) Client VM
    java.vm.specification.name = Java Virtual Machine Specification
    java.vm.specification.vendor = Sun Microsystems Inc.
    java.vm.specification.version = 1.0
    java.vm.vendor = Sun Microsystems Inc.
    java.vm.version = 20.4-b02
    javaplugin.nodotversion = 160_29
    javaplugin.version = 1.6.0_29
    javaplugin.vm.options =
    os.arch = x86
    os.name = Windows 7
    os.version = 6.1
    trustProxy = true
    deployment.proxy.auto.config.url = http://www.userAppX.com/proxy.pac
    deployment.proxy.bypass.local = false
    deployment.proxy.http.host = user-proxy.com
    deployment.proxy.http.port = 80
    deployment.proxy.override.hosts =
    deployment.proxy.same = false
    deployment.proxy.type = 3
    deployment.security.SSLv2Hello = false
    deployment.security.SSLv3 = true
    deployment.security.TLSv1 = true
    deployment.security.mixcode = ENABLE
    Section B:
    Java Plug-in 10.25.2.17
    Using JRE version 1.7.0_25-b17 Java HotSpot(TM) Client VM
    User home directory = C:\Users\userA
    basic: Added progress listener: sun.plugin.util.ProgressMonitorAdapter@12adac5
    basic: Plugin2ClassLoader.addURL parent called for https://myAppletHost.com/download/myApplet.jar
    network: Connecting https://myAppletHost.com/download/myApplet.jar with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
    network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-2d4ce94a2ae7b460=2; Path=/"
    network: Connecting http://10.x.x.xx:53/ with proxy=DIRECT
                    (##THE ABOVE REQUEST CAUSES THE DELAY OR HANGS##)
    network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-2d4ce94a2ae7b460=2; Path=/"
    security: Loading Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
    security: Loaded Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
    security: Loading SSL Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
    security: Loaded SSL Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
    security: Loading certificates from Deployment session certificate store
    security: Loaded certificates from Deployment session certificate store
    security: Loading certificates from Internet Explorer ROOT certificate store
    security: Loaded certificates from Internet Explorer ROOT certificate store
    network: Connecting https://myAppletHost.com/download/myApplet.jar with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
    network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-2d4ce94a2ae7b460=2; Path=/"
    network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-2d4ce94a2ae7b460=2; Path=/"
    network: Connecting https://myAppletHost.com/download/myApplet.jar with cookie "JSESSIONID=0000UQuXWY5tjxjpwcKHlfJKe_8:175oe9j45; BCSI-CS-2d4ce94a2ae7b460=2"
    network: ResponseCode for https://myAppletHost.com/download/myApplet.jar : 200
    network: Encoding for https://myAppletHost.com/download/myApplet.jar : null
    network: Server response: (length: -1, lastModified: Thu Feb xx yy:yy:yy CET 2013, downloadVersion: null, mimeType: text/plain)
    network: Downloading resource: https://myAppletHost.com/download/myApplet.jar
                    Content-Length: -1
                    Content-Encoding: null
    Section C:
    Java Plug-in 10.40.2.43
    Using JRE version 1.7.0_40-b43 Java HotSpot(TM) Client VM
    User home directory = C:\Users\userA
    basic: Plugin2ClassLoader.addURL parent called for https://myAppletHost.com/download/myApplet.jar
    network: Connecting https://myAppletHost.com/download/myApplet.jar with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
    network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-1d67c8b6508ca09c=2; Path=/"
    network: Connecting http://10.x.x.xx:53/ with proxy=DIRECT
                    (##THE ABOVE REQUEST CAUSES THE DELAY OR HANGS##)
    network: Checking for update at: https://javadl-esd-secure.oracle.com/update/blacklist
    network: Checking for update at: https://javadl-esd-secure.oracle.com/update/blacklisted.certs
    network: Checking for update at: https://javadl-esd-secure.oracle.com/update/baseline.version
    network: Connecting https://javadl-esd-secure.oracle.com/update/blacklist with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
    network: Connecting https://javadl-esd-secure.oracle.com/update/baseline.version with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
    network: Connecting https://javadl-esd-secure.oracle.com/update/blacklisted.certs with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
    security: Loading Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
    security: Loaded Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
    security: Loading SSL Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
    security: Loaded SSL Root CA certificates from C:\Program Files (x86)\Java\jre7\lib\security\cacerts
    Dump system properties ...
    https.protocols = TLSv1,SSLv3
    java.vm.info = mixed mode, sharing
    java.vm.name = Java HotSpot(TM) Client VM
    java.vm.specification.name = Java Virtual Machine Specification
    java.vm.specification.vendor = Oracle Corporation
    java.vm.specification.version = 1.7
    java.vm.vendor = Oracle Corporation
    java.vm.version = 24.0-b56
    javaplugin.nodotversion = 10402
    javaplugin.version = 10.40.2.43
    os.arch = x86
    os.name = Windows 7
    os.version = 6.1
    trustProxy = true
    active.deployment.proxy.auto.config.url = http://www.userAppX.com/proxy.pac
    active.deployment.proxy.bypass.local = false
    active.deployment.proxy.http.host = user-proxy.com
    active.deployment.proxy.http.port = 80
    active.deployment.proxy.same = false
    active.deployment.proxy.type = 3
    deployment.browser.path = C:\Program Files (x86)\Internet Explorer\iexplore.exe
    deployment.proxy.auto.config.url = http://www.userAppX.com/proxy.pac
    deployment.proxy.bypass.local = false
    deployment.proxy.http.host = user-proxy.com
    deployment.proxy.http.port = 80
    deployment.proxy.override.hosts =
    deployment.proxy.same = false
deployment.proxy.type = 3
    deployment.security.SSLv2Hello = false
    deployment.security.SSLv3 = true
    deployment.security.TLSv1 = true
    deployment.security.TLSv1.1 = false
    deployment.security.TLSv1.2 = false
    deployment.security.authenticator = true
    deployment.security.disable = false
    deployment.security.level = HIGH
    deployment.security.mixcode = ENABLE
    PS:
    Since the JRE 1.7.0_25-b17 update, it is noticed that when the Java plugin requests for the applet File; it sends a request to the Domain Controller of the user, which causes a delay of 2 to 5 minutes and sometimes hangs.
    The problem occurs consistently, and also with JRE 1.7.0_45-b18.
    Java Plug-in 10.45.2.18
    Using JRE version 1.7.0_45-b18 Java HotSpot(TM) Client VM
    User home directory = C:\Users\userA
    c:   clear console window
    f:   finalize objects on finalization queue
    g:   garbage collect
    h:   display this help message
    l:   dump classloader list
    m:   print memory usage
    o:   trigger logging
    q:   hide console
    r:   reload policy configuration
    s:   dump system and deployment properties
    t:   dump thread list
    v:   dump thread stack
    x:   clear classloader cache
    0-5: set trace level to <n>
    cache: Initialize resource manager: com.sun.deploy.cache.ResourceProviderImpl@134a33d
    basic: Added progress listener: sun.plugin.util.ProgressMonitorAdapter@1971f66
    basic: Plugin2ClassLoader.addURL parent called for https://myAppletHost.com/download/myApplet.jar
    network: Connecting https://myAppletHost.com/download/myApplet.jar with proxy=HTTP @ user-proxy.com/194.xxx.xx.xx:80
    network: Server https://myAppletHost.com/download/myApplet.jar requesting to set-cookie with "BCSI-CS-f797d4d262467220=2; Path=/"
    network: Connecting http://10.x.x.xx:53/ with proxy=DIRECT
    network: Connecting http://10.x.x.xx:53/ with proxy=DIRECT
                    (##THE ABOVE REQUEST CAUSES THE DELAY AND SOMETIMES HANGS##)

    My organization is experiencing very similar problems.  We have resolved it through several steps.
    We upgraded the client to Java 8 and we saw in the console that the hanging connection with the Domain Controller no longer occurs.  This may be all that is necessary for your environment as well. 

  • Is it possible to restrict a local admin from accessing/viewing AD accounts on a Domain Controller?

    I am working on determining if I can have a separate administrator group handle patching and performing maintenance on four servers that are DCs of their own AD domain, but restrict these administrators from the ability to see the active directory user
    accounts in that AD domain?

    Hello,
Since you are talking about domain controllers I have to say there is no Power Users group on them. Actually, local user management is disabled as soon as you promote a server to a domain controller. The only option left here is to let
Administrators handle the job. In the case of an RODC you can go through what Albert suggested.
However, since domain controllers are sensitive and play a key role in your environment, I strongly recommend not allowing non-administrators to perform maintenance or other related tasks (at least for domain controllers).
    Another option you have left for your patch management is to use a member server like WSUS to automatically install updates on your DCs.
    Regards.
Mahdi Tehrani | www.mahditehrani.ir
    This posting is provided AS-IS with no warranties, and confers no rights.

  • Domain controller 2008 Server with SP2

Here is a real issue which I cannot track down the cause of.
It appears that on Windows 2008 Server running DHCP, DNS and AD I am getting some weird errors on the clients.
The client machines are all Windows 7 Professional x64.
The issue is that the Domain Controller seems to disappear as the logon server from the client after a few days. On some it indicates that there was no logon server available, but still logs in, which should be impossible since I have group policy configured
to block the ability to log on without a logon server.
The issue with this is that over time the desktops seem to go rogue: they no longer populate the information as to password expiration, and at times don't allow the clients to access the network shares.
The security log shows hit and miss as to whether it sees them log into the domain.
The weird issue is that if you log out, switch user, change the user's password, and then log back into the desktop with domain\username and the new password, the issue goes away for about 10 days, then reappears and causes all sorts of fun issues on the domain.
I took another step and decided that I would give building a clone test network a shot, using a cloned image of the Domain Controller, and it doesn't seem to happen on that side. The test network just has fewer PCs, but they are all the same hardware.
Here is what I have troubleshot so far:
DNS looks fine, no errors or issues.
DHCP looks fine, no duplicates etc.
AD has all the information correctly, and the security log looks fine, most of the time.
Windows updates are all up to date.
All desktops have logon scripts, but I have removed the cached data from the management console (Cred Manager).
Modified Group Policy and forced it across the network. I can see the GPResult from the clients and they have the updated settings, but the clients don't seem to care.
Group Policy is set to wait till the network comes up and require a domain controller to log into the client desktop. This sometimes works, sometimes does not; it was done to see if the problem was happening on other machines. There are about 15 total out of
47 currently having the issue.
    All the desktops are fresh installs, not ghosted images, not clones, or something you would need to sysprep.
    Thoughts?
    Rob

    Hello,
    please post an unedited ipconfig /all from the DC/DNS servers and a client with the problems.
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://blogs.msmvps.com/MWeber
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  • Best Practices for Setting up a Windows 2012 R2 STD Domain Controller in a Remote Site

    So I'm looking for an article or writeup similar to the "Adding Domain Controllers in Remote Sites" TechNet article but for Windows Server 2012 STD R2.  Here is my scenario:
    1.  I want to setup the domain controller at Site A where the primary domain controller is located.  The primary domain controller is Windows Server 2008 R2. 
    2.  Once the DC is setup I plan on leaving it on our network for a few days before shipping it to remote Site B for installation
    Other key items:
    1.  The remote Site B will have a different IP range than Site A but will be connected to Site A via a single VPN tunnel.  All the DCs that replicate with each other are on the same domain. 
    2.  The 2012 DC that I setup for Site B (same domain in same forest) will be a DHCP, DNS, and WSUS server all replicating to the primary DC at Site A
    Questions:
1.  What items can I set up while it's at Site A without affecting or conflicting with the existing network and domain controller?  Can I set up a scope once the DHCP role is added?
    2.  All of our DCs replicate through Sites and Services, do I have to manually add this to our primary DC for the new DC going to remote Site B?  Or when does this happen automatically when I promote the DC? 
    All and all I'm just looking for a list of Best Practices for 2012 or a Step by Step Guide.  Any help would be appreciated. 

    Hi,
    Thanks for your posting.
    When you install AD DS in the hub or staging site, disconnect the installed domain controller, and then ship the computer to the remote site, you are disconnecting a viable domain controller from the replication topology.
    For more and detail information, please refer to:
    Best Practices for Adding Domain Controllers in Remote Sites
    http://technet.microsoft.com/en-us/library/cc794962(v=ws.10).aspx
    Regards.
    Vivian Wang

  • How to install Exchange Server 2010 with the name of my existing Domain Controller.

    I have my Primary domain Controller as abc.com in 2008 r2 standard. abc.com is registered. I want to set up Fresh Exchange Server 2010 sp2 with the name of the same
    abc.com domain name. Please guide me the steps how to do that. Waiting for your kind response. :)

    Hi,
From your description, you want to install an Exchange Server 2010 in abc.com. When you set up Exchange, it needs to join a domain. You just need to specify the domain as abc.com.
    What's more, here is a helpful blog about Exchange 2010 installation for your reference.
    HOWTO Install Exchange 2010 - Step by Step
    http://blogs.technet.com/b/ferris/archive/2010/03/05/howto-install-exchange-2010-step-by-step.aspx
    Hope it helps.
    Best regards,
    Amy
    Amy Wang
    TechNet Community Support

  • How to test domain controller on upgraded Win Server 2008 R2

    The Windows team recently upgraded the development environment for the domain controller from 2003 to Windows 2008 R2, and I am to test the IdM functionality on this upgraded version. Our current configuration is that the DC and IdM gateway run on different machines. To test this new DC, I want to install the IdM gateway on that server and run some onboarding and termination test cases just to make sure the AD connection is working on the upgraded DC. But I am getting 'Input/output error' when I try to install the service, and the documentation says 'The most common cause of this is that you do not have rights to work with this service.' The server admin tried installing the gateway with his ID as well and it failed. He tested installing it on the 2003 version of the DC and it worked, so it's not a matter of permission (I think...).
    Does anyone have any better idea of how to test an upgrade of a DC from version 2003 to 2008 R2? Any help in this matter is appreciated. We are running IdM 8.1 on a Windows platform, and an upgrade to OW 8.1.1 Patch 2 is also in the works.
    Thanks in advance.

    I may have found a workaround. Can you try to change the "compatibility mode" in 2008 R2 to "Windows XP SP3" and see if it will install?
    Admittedly I have not done this myself so I'm not entirely sure where or how it's done, but I have confirmation it resolves the issue from others who have faced it.

  • Central Domain Controller in Solution manager

    Hi All,
    We have configured ChaRM successfully for the ECC and BI system landscapes by creating domain links between the Solution Manager domain controller and the individual domain controllers for the ECC and BI systems. Now we are planning to go for a central domain controller (Solman domain controller) for all the satellite systems. So basically, we plan to move the individual domain controllers from ECC and BI to the Solman domain controller, and I guess domain links will not be required anymore.
    With regard to the above scenario, please help me with the queries below:
    1 - Will the above strategy work with ChaRM or not?
    2 - If yes, what activities would need to be redone in the satellite systems and the Solman system?
    3 - Are there any critical prerequisites that need to be checked before we can start this exercise?
    Please help me with the above queries. Appreciate your time and effort.
    Thanks in advance.
    Regards,
    Imran

    Hi,
    Yes, you could set Solman as the main domain controller, or go either way with domain links; please have a look at this expert blog by our ChaRM expert:
    /people/dolores.correa/blog/2008/07/26/first-steps-to-work-with-change-request-management-scenario
    On transport group matters, you may want to visit this blog, point no. 3:
    https://weblogs.sdn.sap.com/cs/junior/view/wlg/15116
    Hope this helps.
    Cheers
    SH

  • Windows 2008 R2 Domain Controller (PDC) - NTP server - time showing local CMOS clock

    I'm having issues setting an external time source on a Windows 2008 R2 domain controller (PDC emulator role for the domain).
    Here is the output showing its source is the Local CMOS Clock.
    C:\Windows\System32>w32tm /query /status
    Leap Indicator: 0(no warning)
    Stratum: 1 (primary reference - syncd by radio clock)
    Precision: -6 (15.625ms per tick)
    Root Delay: 0.0000000s
    Root Dispersion: 10.0000000s
    ReferenceId: 0x4C4F434C (source name:  "LOCL")
    Last Successful Sync Time: 06/11/2014 15:44:15
    Source: Local CMOS Clock
    Poll Interval: 6 (64s)
    1. I have performed the following on the DC with the PDC role:
    net stop w32time
    w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org"
    w32tm /config /reliable:yes
    net start w32time
    w32tm /query /configuration 
    [Configuration]
    EventLogFlags: 2 (Local)
    AnnounceFlags: 5 (Local)
    TimeJumpAuditOffset: 28800 (Local)
    MinPollInterval: 6 (Local)
    MaxPollInterval: 10 (Local)
    MaxNegPhaseCorrection: 172800 (Local)
    MaxPosPhaseCorrection: 172800 (Local)
    MaxAllowedPhaseOffset: 300 (Local)
    FrequencyCorrectRate: 4 (Local)
    PollAdjustFactor: 5 (Local)
    LargePhaseOffset: 50000000 (Local)
    SpikeWatchPeriod: 900 (Local)
    LocalClockDispersion: 10 (Local)
    HoldPeriod: 5 (Local)
    PhaseCorrectRate: 7 (Local)
    UpdateInterval: 100 (Local)
    [TimeProviders]
    NtpClient (Local)
    DllName: C:\Windows\System32\w32time.DLL (Local)
    Enabled: 1 (Local)
    InputProvider: 1 (Local)
    AllowNonstandardModeCombinations: 1 (Local)
    ResolvePeerBackoffMinutes: 15 (Local)
    ResolvePeerBackoffMaxTimes: 7 (Local)
    CompatibilityFlags: 2147483648 (Local)
    EventLogFlags: 1 (Local)
    LargeSampleSkew: 3 (Local)
    SpecialPollInterval: 3600 (Local)
    Type: NTP (Local)
    NtpServer: 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org (Local)
    NtpServer (Local)
    DllName: C:\Windows\System32\w32time.DLL (Local)
    Enabled: 1 (Local)
    InputProvider: 0 (Local)
    AllowNonstandardModeCombinations: 1 (Local)
    VMICTimeProvider (Local)
    DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
    Enabled: 1 (Local)
    InputProvider: 1 (Local)
    But still showing the output:
    C:\Windows\System32>w32tm /query /status
    Leap Indicator: 0(no warning)
    Stratum: 1 (primary reference - syncd by radio clock)
    Precision: -6 (15.625ms per tick)
    Root Delay: 0.0000000s
    Root Dispersion: 10.0000000s
    ReferenceId: 0x4C4F434C (source name:  "LOCL")
    Last Successful Sync Time: 06/11/2014 15:58:45
    Source: Local CMOS Clock
    Poll Interval: 6 (64s)
    2. If I resync and rediscover, the following error appears:
    w32tm /resync /rediscover 
    Sending resync command to local computer
    The computer did not resync because no time data was available.
    3. I've also tried clearing the current time config by:
    net stop w32time
    w32tm /unregister
    w32tm /register
    net start w32time
    But no change; it still shows the Local CMOS Clock.
    4. This event is showing:
    Log Name:      System
    Source:        Microsoft-Windows-Time-Service
    Date:          06/11/2014 15:43:30
    Event ID:      12
    Task Category: None
    Level:         Warning
    Keywords:      
    User:          LOCAL SERVICE
    Computer:      domaincontroller1
    Description:
    Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source.
    It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy.
    If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Time-Service" Guid="{06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB}" />
        <EventID>12</EventID>
        <Version>0</Version>
        <Level>3</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2014-11-06T15:43:30.465619200Z" />
        <EventRecordID>77295</EventRecordID>
        <Correlation />
        <Execution ProcessID="256" ThreadID="2056" />
        <Channel>System</Channel>
        <Computer>domaincontroller1</Computer>
        <Security UserID="SID" />
      </System>
      <EventData Name="TMP_EVENT_DOMAIN_HIERARCHY_ROOT">
      </EventData>
    </Event>
    5. If I perform the below, it appears DC2 is having problems, but I'm not sure if it's related.
    C:\w32tm /monitor
    DC1.domain.local *** PDC ***[192.168.1.1:123]:
        ICMP: 0ms delay
        NTP: +0.0000000s offset from DC1.domain.local
            RefID: 'LOCL' [0x4C434F4C]
            Stratum: 1
    DC2.domain.local[192.168.1.2:123]:
        ICMP: 0ms delay
        NTP: -110.4925481s offset from DC1.domain.local
            RefID: (unspecified / unsynchronized) [0x00000000]
            Stratum: 0
    DC3.domain.local[192.168.2.1:123]:
        ICMP: 0ms delay
        NTP: -0.0256084s offset from DC1.domain.local
            RefID: DC1.domain.local [192.168.1.1]
            Stratum: 2
    DC4.domain.local[192.168.2.4:123]:
        ICMP: 0ms delay
        NTP: -0.0011524s offset from DC1.domain.local
            RefID: 80.84.77.86.rev.sfr.net [86.77.84.80]
            Stratum: 2
    Warning:
    Reverse name resolution is best effort. It may not be
    correct since RefID field in time packets differs across
    NTP implementations and may not be using IP addresses.
    Any help would be much appreciated. Thanks. 
    Craig Brand

    I suspected some issue with AV, so I uninstalled it.
    To resolve the Access Denied error I followed these steps:
    stop w32time
    w32tm /unregister
    reboot
    regsvr32 /u w32time.dll
    w32tm /register
    sc query w32time -- you should see that the service is set to shared mode -- this is presumably how it should be -- if you try to start it right now, you'll get the expected 1290 SID-related error
    reboot
    w32time should now automatically start at boot up and be running -- that was my result -- it's running as shared, started on its own, and I can do the w32tm /query commands successfully
    After rebooting the time service started. 
    I then repeated the steps: 
    net stop w32time
    w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org"
    w32tm /config /reliable:yes
    net start w32time
    w32tm /query /configuration 
    And all worked. I'll wait a short while to see if this fixes the issue. I also have an SA case open with MS, so I will confirm the fix when it is resolved.
    Craig Brand
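    The `w32tm /monitor` output in the question above (a PDC emulator reporting `LOCL`, a DC at stratum 0 with a -110s offset) is exactly what a periodic health check should catch before Kerberos authentication starts failing. The following added example, not from the thread or from Microsoft, parses that output format and flags those conditions; the sample text is constructed from the thread's listing with placeholder hostnames and addresses.

    ```python
    import re

    # Constructed sample modelled on the thread's `w32tm /monitor` listing (placeholder names/IPs).
    SAMPLE_MONITOR = """\
    DC1.domain.local *** PDC ***[192.168.1.1:123]:
        NTP: +0.0000000s offset from DC1.domain.local
            RefID: 'LOCL' [0x4C434F4C]
            Stratum: 1
    DC2.domain.local[192.168.1.2:123]:
        NTP: -110.4925481s offset from DC1.domain.local
            RefID: (unspecified / unsynchronized) [0x00000000]
            Stratum: 0
    DC3.domain.local[192.168.2.1:123]:
        NTP: -0.0256084s offset from DC1.domain.local
            RefID: DC1.domain.local [192.168.1.1]
            Stratum: 2
    """

    HOST_RE = re.compile(r"^(\S+?)(\s*\*\*\* PDC \*\*\*)?\[([^\]]+)\]:\s*$")
    OFFSET_RE = re.compile(r"NTP:\s*([+-]?\d+\.\d+)s offset")
    REFID_RE = re.compile(r"RefID:\s*(.+?)\s*\[")
    STRATUM_RE = re.compile(r"Stratum:\s*(\d+)")

    def parse_monitor(text):
        """Return one dict per DC: name, PDC flag, offset in seconds, RefID text, stratum."""
        hosts, cur = [], None
        for line in text.splitlines():
            if (m := HOST_RE.match(line)):          # unindented host header line
                cur = {"name": m.group(1), "pdc": bool(m.group(2)), "offset": None, "refid": None, "stratum": None}
                hosts.append(cur)
            elif cur is None: continue               # trailing warning text etc.
            elif (m := OFFSET_RE.search(line)):
                cur["offset"] = float(m.group(1))
            elif (m := REFID_RE.search(line)):
                cur["refid"] = m.group(1).strip("'")  # 'LOCL' -> LOCL
            elif (m := STRATUM_RE.search(line)):
                cur["stratum"] = int(m.group(1))
        return hosts

    def find_problems(hosts, max_offset=5.0):
        # Kerberos tolerates 5 minutes of skew, but a DC more than a few seconds off deserves attention.
        problems = []
        for h in hosts:
            if h["pdc"] and h["refid"] == "LOCL":
                problems.append((h["name"], "PDC emulator is using the local CMOS clock"))
            if h["stratum"] == 0 or "unsynchronized" in (h["refid"] or ""):
                problems.append((h["name"], "not synchronized to any source"))
            if h["offset"] is not None and abs(h["offset"]) > max_offset:
                problems.append((h["name"], f"offset {h['offset']:+.3f}s exceeds {max_offset}s"))
        return problems
    ```

    Feed it the real output with `parse_monitor(subprocess.check_output(["w32tm", "/monitor"], text=True))` and alert on a non-empty `find_problems` result.
    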

  • Problematic issues in installing backup domain controller on Virtual Machine

    Hello,
    I have a physical domain controller (Windows Server 2012 R2 Standard) installed in my domain environment, and this is the first root domain controller. I also have Hyper-V Server 2012 R2 installed and joined to that domain.
    Now I want to install an additional (Backup) domain controller as a virtual machine hosted on the Hyper-V Server. While promoting the VM as a DC, all actions and steps go well, but the problem arises when I press the install button at the end of the promotion: the installation gets stuck in the process of writing some configuration files on the first DC and also in the process of replication. Unfortunately the VM does not promote as a DC and it goes to restart.
    An error with source NETLOGON is also logged in the event log on the virtual machine.
    Do you have any suggestions for this issue, or experience of how to resolve it?
    Thanks a lot in advance,
    GMG

    Now I want to install an additional (Backup) domain controller
    There is no backup DC. All DCs are RW except RODCs.
    I would recommend first checking the health status of the existing DC using the dcdiag command. Also, please check the IP settings in use: make sure that the existing DC has its primary IP address in use and that public DNS servers are set as forwarders and not in the IP settings of the DC. For the new DC, make sure that it points to the existing DC as its primary DNS server; once promoted, you can see the recommendations here to update the configuration: http://social.technet.microsoft.com/wiki/contents/articles/18513.active-directory-replication-issues-basic-troubleshooting-steps-single-ad-domain-in-a-single-ad-forest.aspx
    Please also temporarily disable all security software in use on the DCs and make sure that the ports needed for AD replication and authentication are not blocked or filtered between the DCs.

  • Can't delete defunct domain controller

    I'm the admin of a software test lab. I had an Active Directory (Windows 2008 R2) domain set up mainly for DNS use on two Hyper-V VMs on separate hosts. I have had issues in the past after power outages (I don't have the budget for a UPS for these hosts) where one or the other domain controller would become corrupt, and restoring from backup simply wouldn't work. So, I got used to rebuilding whichever one failed. I've had to do it about a dozen or so times, but when we had a power outage last Thursday, circumstances changed.
    The first DNS server came back up just fine, but the second got corrupted, again. (Pretty typical issue. It would only boot to the recovery console. Trying to use chkdsk /f would result in it telling me there were only 44 files on the C: drive and nothing to fix.) I tried to restore it from backup, but, as usual, the host claimed it couldn't read the restore, so I deleted the VM and started over. I created a new VM and got the OS installed and updated, but I can't delete the old DC account from the Users and Computers console or the config from the Sites and Services console. Everything tells me "directory object not found." I wound up renaming the VM and rejoining it that way, but I still can't get that old account deleted.
    What's worse is that the VM that failed was the global catalog, and AD won't let me reassign the GC role to another DC. It just doesn't do the role assignment, with no error message or event log entry at all.
    Anyone else run into this? Is there a fix?

    Is this the link?
    http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx
    When you try with the GUI (possible since Windows 2008), is there an error message?
