Windows 2008 (Not R2) Domain controllers Kerberos Errors
We know the replication of the AD structure is working using repadmin /showREPL *
Which I ran again this morning and all is fine.
All 3 Domain Controllers are having Kerberos errors ?
I tried to reset the Kerberos key but the problem still persists.
This is exactly what I tried yesterday; is there something I'm doing wrong?
We have 3 Domain controllers
ch-dc1-2k8 (PDC)
ch-dc2-2k8
na-dc1-2k8
1) I stopped the Kerberos Key Distribution Center service on all 3 servers and set them to manual
2) I restarted ch-dc2-2k8 and na-dc1-2k8
3) Then I did the KLIST PURGE on ch-dc2-2k8 and na-dc1-2k8
4) Then on ch-dc1-2k8 (PDC) I did the
netdom resetpwd /s:ch-dc1-2k8 /ud:companyname\administrator /pd:*
5) Set Kerberos Key Distribution Center service to Automatic on ch-dc1-2k8 (PDC)
6) Restarted ch-dc1-2k8 (PDC)
7) After it restarted I logged in and let it settle for 5 Minutes
8) Then I started the kerberos service on ch-dc2-2k8 and na-dc1-2k8
Am I missing something ?
Hi,
I think I have already answered this in the separate case you have raised in the forum.
Similar Messages
-
Replication issue Windows 2008 (not R2) FrsEvent error ?
I've had a few netlogon share issues but with help from this forum they've all gone away.
When I use the event log to look at administrative events all 3 give the same error "Access is denied" to the File replication service.
DCdiag /e gives the following errors ?
It looks like I'm actually down to just this error but it's similar on all 3 Domain Controllers ?
PDC (ch-dc1-2k8)
Starting test: frsevent
There are warning or error events within the last 24 hours after the SYSVOL has been shared.
Failing SYSVOL replication problems may cause Group Policy problems.
DC2 (ch-dc2-2k8)
Starting test: FrsEvent
The event log File Replication Service on server ch-dc1-2k8.companyname.local could not be queried, error 0x5 "Win32 Error 5"
......................... CH-DC1-2K8 failed
DC3 (na-dc2-2k8)
Starting test: FrsEvent
The event log File Replication Service on server ch-dc1-2k8.companyname.local could not be queried, error 0x5 "Win32 Error 5"
......................... CH-DC1-2K8 failed
Any ideas ?
Also I've put a test file into the scripts folder and it has NOT replicated ?
Testing server: Cardiff\CH-DC2-2K8
Starting test: Replications
* Replications Check
CN=Schema,CN=Configuration,DC=companyname,DC=local has 7 cursors.
CN=Configuration,DC=companyname,DC=local has 7 cursors.
DC=companyname,DC=local has 7 cursors.
* Replication Latency Check
CN=Schema,CN=Configuration,DC=companyname,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
CN=Configuration,DC=companyname,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
DC=companyname,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
* Replication Site Latency Check
Site Settings = CN=NTDS Site Settings,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
[0x904de,v=62142,t=2015-04-23 09:16:18,g=a1d47848-fb4f-497b-a8a2-f11d40b71481,orig=20719256,local=20719256]
Elapsed time (sec) = 2264
Site Settings = CN=NTDS Site Settings,CN=Edinburgh,CN=Sites,CN=Configuration,DC=companyname,DC=local
Site
CN=NTDS Site Settings,CN=Edinburgh,CN=Sites,CN=Configuration,DC=companyname,DC=local
was skipped because it never had an ISTG running in it.
Site Settings = CN=NTDS Site Settings,CN=London,CN=Sites,CN=Configuration,DC=companyname,DC=local
Site
CN=NTDS Site Settings,CN=London,CN=Sites,CN=Configuration,DC=companyname,DC=local
was skipped because it never had an ISTG running in it.
Site Settings = CN=NTDS Site Settings,CN=Belfast,CN=Sites,CN=Configuration,DC=companyname,DC=local
Site
CN=NTDS Site Settings,CN=Belfast,CN=Sites,CN=Configuration,DC=companyname,DC=local
was skipped because it never had an ISTG running in it.
......................... CH-DC2-2K8 passed test Replications
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for CN=Schema,CN=Configuration,DC=companyname,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for CN=Configuration,DC=companyname,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=companyname,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... CH-DC2-2K8 passed test Topology
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=companyname,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for CN=Configuration,DC=companyname,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for DC=companyname,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... CH-DC2-2K8 passed test CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC CH-DC2-2K8.
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=companyname,DC=local
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=companyname,DC=local
(Configuration,Version 2)
* Security Permissions Check for
DC=companyname,DC=local
(Domain,Version 2)
......................... CH-DC2-2K8 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\CH-DC2-2K8\netlogon
Verified share \\CH-DC2-2K8\sysvol
......................... CH-DC2-2K8 passed test NetLogons
Starting test: Advertising
The DC CH-DC2-2K8 is advertising itself as a DC and having a DS.
The DC CH-DC2-2K8 is advertising as an LDAP server
The DC CH-DC2-2K8 is advertising as having a writeable directory
The DC CH-DC2-2K8 is advertising as a Key Distribution Center
The DC CH-DC2-2K8 is advertising as a time server
The DS CH-DC2-2K8 is advertising as a GC.
......................... CH-DC2-2K8 passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
Role Domain Owner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
Role PDC Owner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
Role Rid Owner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
Role Infrastructure Update Owner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
......................... CH-DC2-2K8 passed test KnowsOfRoleHolders
Starting test: RidManager
ridManagerReference = CN=RID Manager$,CN=System,DC=companyname,DC=local
* Available RID Pool for the Domain is 12100 to 1073741823
fSMORoleOwner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
* ch-dc1-2k8.companyname.local is the RID Master
* DsBind with RID Master was successful
rIDSetReferences = CN=RID Set,CN=CH-DC2-2K8,OU=Domain Controllers,DC=companyname,DC=local
* rIDAllocationPool is 11100 to 11599
* rIDPreviousAllocationPool is 9100 to 9599
* rIDNextRID: 9425
......................... CH-DC2-2K8 passed test RidManager
Starting test: MachineAccount
Checking machine account for DC CH-DC2-2K8 on DC CH-DC2-2K8.
* SPN found :LDAP/ch-dc2-2k8.companyname.local/companyname.local
* SPN found :LDAP/ch-dc2-2k8.companyname.local
* SPN found :LDAP/CH-DC2-2K8
* SPN found :LDAP/ch-dc2-2k8.companyname.local/companyname
* SPN found :LDAP/abb03237-e91b-457f-ab16-788d5dc3930e._msdcs.companyname.local
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/abb03237-e91b-457f-ab16-788d5dc3930e/companyname.local
* SPN found :HOST/ch-dc2-2k8.companyname.local/companyname.local
* SPN found :HOST/ch-dc2-2k8.companyname.local
* SPN found :HOST/CH-DC2-2K8
* SPN found :HOST/ch-dc2-2k8.companyname.local/companyname
* SPN found :GC/ch-dc2-2k8.companyname.local/companyname.local
......................... CH-DC2-2K8 passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... CH-DC2-2K8 passed test Services
Starting test: OutboundSecureChannels
* The Outbound Secure Channels test
** Did not run Outbound Secure Channels test
because /testdomain: was not entered
......................... CH-DC2-2K8 passed test OutboundSecureChannels
Starting test: ObjectsReplicated
CH-DC2-2K8 is in domain DC=companyname,DC=local
Checking for CN=CH-DC2-2K8,OU=Domain Controllers,DC=companyname,DC=local in domain DC=companyname,DC=local on 3 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=CH-DC2-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local in domain CN=Configuration,DC=companyname,DC=local on 3 servers
Object is up-to-date on all servers.
......................... CH-DC2-2K8 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... CH-DC2-2K8 passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
An Warning Event occured. EventID: 0x800034C4
Time Generated: 04/22/2015 14:53:29
Event String: The File Replication Service is having trouble
enabling replication from CH-DC1-2K8 to
CH-DC2-2K8 for c:\windows\sysvol\domain using the
DNS name ch-dc1-2k8.companyname.local. FRS
will keep retrying.
Following are some of the reasons you would see
this warning.
[1] FRS can not correctly resolve the DNS name
ch-dc1-2k8.companyname.local from this
computer.
[2] FRS is not running on
ch-dc1-2k8.companyname.local.
[3] The topology information in the Active
Directory Domain Services for this replica has
not yet replicated to all the Domain Controllers.
This event log message will appear once per
connection, After the problem is fixed you will
see another event log message indicating that the
connection has been established.
An Warning Event occured. EventID: 0x800034C4
Time Generated: 04/22/2015 14:53:29
Event String: The File Replication Service is having trouble
enabling replication from NA-DC1-2K8 to
CH-DC2-2K8 for c:\windows\sysvol\domain using the
DNS name na-dc1-2k8.companyname.local. FRS
will keep retrying.
Following are some of the reasons you would see
this warning.
[1] FRS can not correctly resolve the DNS name
na-dc1-2k8.companyname.local from this
computer.
[2] FRS is not running on
na-dc1-2k8.companyname.local.
[3] The topology information in the Active
Directory Domain Services for this replica has
not yet replicated to all the Domain Controllers.
This event log message will appear once per
connection, After the problem is fixed you will
see another event log message indicating that the
connection has been established.
......................... CH-DC2-2K8 failed test frsevent
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last 15 minutes.
......................... CH-DC2-2K8 passed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x40000004
Time Generated: 04/23/2015 09:30:54
Event String: The Kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
Administrator. The target name used was
companyname\CH-DC1-2K8$. This indicates that
the target server failed to decrypt the ticket
provided by the client. This can occur when the
target server principal name (SPN) is registered
on an account other than the account the target
service is using. Please ensure that the target
SPN is registered on, and only registered on, the
account used by the server. This error can also
happen when the target service is using a
different password for the target service account
than what the Kerberos Key Distribution Center
(KDC) has for the target service account. Please
ensure that the service on the server and the KDC
are both updated to use the current password. If
the server name is not fully qualified, and the
target domain (companyname.LOCAL) is different
from the client domain (companyname.LOCAL),
check if there are identically named server
accounts in these two domains, or use the
fully-qualified name to identify the server.
An Error Event occured. EventID: 0x40000004
Time Generated: 04/23/2015 09:30:54
Event String: The Kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
Administrator. The target name used was
companyname\NA-DC1-2K8$. This indicates that
the target server failed to decrypt the ticket
provided by the client. This can occur when the
target server principal name (SPN) is registered
on an account other than the account the target
service is using. Please ensure that the target
SPN is registered on, and only registered on, the
account used by the server. This error can also
happen when the target service is using a
different password for the target service account
than what the Kerberos Key Distribution Center
(KDC) has for the target service account. Please
ensure that the service on the server and the KDC
are both updated to use the current password. If
the server name is not fully qualified, and the
target domain (companyname.LOCAL) is different
from the client domain (companyname.LOCAL),
check if there are identically named server
accounts in these two domains, or use the
fully-qualified name to identify the server.
......................... CH-DC2-2K8 failed test systemlog
Starting test: VerifyReplicas
......................... CH-DC2-2K8 passed test VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)
CN=CH-DC2-2K8,OU=Domain Controllers,DC=companyname,DC=local and
backlink on
CN=CH-DC2-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
are correct.
The system object reference (frsComputerReferenceBL)
CN=CH-DC2-2K8,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=companyname,DC=local
and backlink on
CN=CH-DC2-2K8,OU=Domain Controllers,DC=companyname,DC=local are
correct.
The system object reference (serverReferenceBL)
CN=CH-DC2-2K8,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=companyname,DC=local
and backlink on
CN=NTDS Settings,CN=CH-DC2-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
are correct.
......................... CH-DC2-2K8 passed test VerifyReferences
Starting test: VerifyEnterpriseReferences
......................... CH-DC2-2K8 passed test VerifyEnterpriseReferences
Starting test: CheckSecurityError
* Dr Auth: Beginning security errors check!
Found KDC CH-DC1-2K8 for domain companyname.local in site Cardiff
Checking machine account for DC CH-DC2-2K8 on DC CH-DC1-2K8.
* SPN found :LDAP/ch-dc2-2k8.companyname.local/companyname.local
* SPN found :LDAP/ch-dc2-2k8.companyname.local
* SPN found :LDAP/CH-DC2-2K8
* SPN found :LDAP/ch-dc2-2k8.companyname.local/companyname
* SPN found :LDAP/abb03237-e91b-457f-ab16-788d5dc3930e._msdcs.companyname.local
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/abb03237-e91b-457f-ab16-788d5dc3930e/companyname.local
* SPN found :HOST/ch-dc2-2k8.companyname.local/companyname.local
* SPN found :HOST/ch-dc2-2k8.companyname.local
* SPN found :HOST/CH-DC2-2K8
* SPN found :HOST/ch-dc2-2k8.companyname.local/companyname
* SPN found :GC/ch-dc2-2k8.companyname.local/companyname.local
Checking for CN=CH-DC2-2K8,OU=Domain Controllers,DC=companyname,DC=local in domain DC=companyname,DC=local on 2 servers
Object is up-to-date on all servers.
[CH-DC2-2K8] No security related replication errors were found on this DC! To target the connection to a specific source DC use /ReplSource:<DC>.
......................... CH-DC2-2K8 passed test CheckSecurityError
Testing server: Cardiff\NA-DC1-2K8
Starting test: Replications
* Replications Check
CN=Schema,CN=Configuration,DC=companyname,DC=local has 7 cursors.
CN=Configuration,DC=companyname,DC=local has 7 cursors.
DC=companyname,DC=local has 7 cursors.
* Replication Latency Check
CN=Schema,CN=Configuration,DC=companyname,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
CN=Configuration,DC=companyname,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
DC=companyname,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
* Replication Site Latency Check
Site Settings = CN=NTDS Site Settings,CN=Edinburgh,CN=Sites,CN=Configuration,DC=companyname,DC=local
Site
CN=NTDS Site Settings,CN=Edinburgh,CN=Sites,CN=Configuration,DC=companyname,DC=local
was skipped because it never had an ISTG running in it.
Site Settings = CN=NTDS Site Settings,CN=London,CN=Sites,CN=Configuration,DC=companyname,DC=local
Site
CN=NTDS Site Settings,CN=London,CN=Sites,CN=Configuration,DC=companyname,DC=local
was skipped because it never had an ISTG running in it.
Site Settings = CN=NTDS Site Settings,CN=Belfast,CN=Sites,CN=Configuration,DC=companyname,DC=local
Site
CN=NTDS Site Settings,CN=Belfast,CN=Sites,CN=Configuration,DC=companyname,DC=local
was skipped because it never had an ISTG running in it.
Site Settings = CN=NTDS Site Settings,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
[0x904de,v=62142,t=2015-04-23 09:16:18,g=a1d47848-fb4f-497b-a8a2-f11d40b71481,orig=20719256,local=5719216]
Elapsed time (sec) = 2265
......................... NA-DC1-2K8 passed test Replications
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for CN=Schema,CN=Configuration,DC=companyname,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for CN=Configuration,DC=companyname,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=companyname,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... NA-DC1-2K8 passed test Topology
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=companyname,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for CN=Configuration,DC=companyname,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for DC=companyname,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... NA-DC1-2K8 passed test CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC NA-DC1-2K8.
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=companyname,DC=local
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=companyname,DC=local
(Configuration,Version 2)
* Security Permissions Check for
DC=companyname,DC=local
(Domain,Version 2)
......................... NA-DC1-2K8 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\NA-DC1-2K8\netlogon
Verified share \\NA-DC1-2K8\sysvol
......................... NA-DC1-2K8 passed test NetLogons
Starting test: Advertising
The DC NA-DC1-2K8 is advertising itself as a DC and having a DS.
The DC NA-DC1-2K8 is advertising as an LDAP server
The DC NA-DC1-2K8 is advertising as having a writeable directory
The DC NA-DC1-2K8 is advertising as a Key Distribution Center
The DC NA-DC1-2K8 is advertising as a time server
The DS NA-DC1-2K8 is advertising as a GC.
......................... NA-DC1-2K8 passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
Role Domain Owner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
Role PDC Owner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
Role Rid Owner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
Role Infrastructure Update Owner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
......................... NA-DC1-2K8 passed test KnowsOfRoleHolders
Starting test: RidManager
ridManagerReference = CN=RID Manager$,CN=System,DC=companyname,DC=local
* Available RID Pool for the Domain is 12100 to 1073741823
fSMORoleOwner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
* ch-dc1-2k8.companyname.local is the RID Master
* DsBind with RID Master was successful
rIDSetReferences = CN=RID Set,CN=NA-DC1-2K8,OU=Domain Controllers,DC=companyname,DC=local
* rIDAllocationPool is 11600 to 12099
* rIDPreviousAllocationPool is 11600 to 12099
* rIDNextRID: 11670
......................... NA-DC1-2K8 passed test RidManager
Starting test: MachineAccount
Checking machine account for DC NA-DC1-2K8 on DC NA-DC1-2K8.
* SPN found :LDAP/na-dc1-2k8.companyname.local/companyname.local
* SPN found :LDAP/na-dc1-2k8.companyname.local
* SPN found :LDAP/NA-DC1-2K8
* SPN found :LDAP/na-dc1-2k8.companyname.local/companyname
* SPN found :LDAP/2961b38b-570f-4a35-908f-9818a8080c0d._msdcs.companyname.local
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/2961b38b-570f-4a35-908f-9818a8080c0d/companyname.local
* SPN found :HOST/na-dc1-2k8.companyname.local/companyname.local
* SPN found :HOST/na-dc1-2k8.companyname.local
* SPN found :HOST/NA-DC1-2K8
* SPN found :HOST/na-dc1-2k8.companyname.local/companyname
* SPN found :GC/na-dc1-2k8.companyname.local/companyname.local
......................... NA-DC1-2K8 passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... NA-DC1-2K8 passed test Services
Starting test: OutboundSecureChannels
* The Outbound Secure Channels test
** Did not run Outbound Secure Channels test
because /testdomain: was not entered
......................... NA-DC1-2K8 passed test OutboundSecureChannels
Starting test: ObjectsReplicated
NA-DC1-2K8 is in domain DC=companyname,DC=local
Checking for CN=NA-DC1-2K8,OU=Domain Controllers,DC=companyname,DC=local in domain DC=companyname,DC=local on 3 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=NA-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local in domain CN=Configuration,DC=companyname,DC=local on 3 servers
Object is up-to-date on all servers.
......................... NA-DC1-2K8 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... NA-DC1-2K8 passed test frssysvol -
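An added example (not from the original thread and not part of dcdiag): a small Python parser for verbose dcdiag text like the output pasted above, listing the failed tests per DC and pulling out the machine account named in each KRB_AP_ERR_MODIFIED event. The sample input is abridged from the lines quoted in the post; the function names `parse_dcdiag` and `broken_kerberos_pairs` are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed input: abridged from the dcdiag lines quoted in the post above
# (indentation is already lost, as on the page).
SAMPLE = r"""Testing server: Cardiff\CH-DC2-2K8
Starting test: frsevent
An Warning Event occured. EventID: 0x800034C4
Time Generated: 04/22/2015 14:53:29
Event String: The File Replication Service is having trouble
enabling replication from CH-DC1-2K8 to
CH-DC2-2K8 for c:\windows\sysvol\domain using the
DNS name ch-dc1-2k8.companyname.local. FRS
will keep retrying.
......................... CH-DC2-2K8 failed test frsevent
Starting test: systemlog
An Error Event occured. EventID: 0x40000004
Time Generated: 04/23/2015 09:30:54
Event String: The Kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
Administrator. The target name used was
companyname\CH-DC1-2K8$. This indicates that
the target server failed to decrypt the ticket
provided by the client.
An Error Event occured. EventID: 0x40000004
Time Generated: 04/23/2015 09:30:54
Event String: The Kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
Administrator. The target name used was
companyname\NA-DC1-2K8$. This indicates that
......................... CH-DC2-2K8 failed test systemlog
Testing server: Cardiff\NA-DC1-2K8
Starting test: frssysvol
File Replication Service's SYSVOL is ready
......................... NA-DC1-2K8 passed test frssysvol
"""

SERVER_RE = re.compile(r"^Testing server:\s*(\S+)")
START_RE = re.compile(r"^Starting test:\s*(\S+)")
RESULT_RE = re.compile(r"^\.{5,}\s*(\S+)\s+(passed|failed)\s+test\s+(\S+)")
# dcdiag itself prints "An Warning Event occured"; accept that spelling.
EVENT_RE = re.compile(r"^An? (Warning|Error) Event occurr?ed\.\s+EventID:\s*(0x[0-9A-Fa-f]+)")
TARGET_RE = re.compile(r"The target name used was\s+(\S+?)\.\s")


def parse_dcdiag(text):
    """Return {dc: {"failed": [test names], "events": [event dicts]}}."""
    report = defaultdict(lambda: {"failed": [], "events": []})
    server = test = event = None

    def close_event():
        # Join the wrapped "Event String" lines and file the event under the
        # DC currently being tested.
        nonlocal event
        if event is None:
            return
        event["text"] = " ".join(event.pop("lines"))
        m = TARGET_RE.search(event["text"])
        is_krb = "KRB_AP_ERR_MODIFIED" in event["text"]
        event["kerberos_target"] = m.group(1) if (m and is_krb) else None
        report[server]["events"].append(event)
        event = None

    for line in filter(None, map(str.strip, text.splitlines())):
        if m := SERVER_RE.match(line):
            close_event()
            server, test = m.group(1).split("\\")[-1], None
            report[server]  # register the DC even if every test passes
        elif m := START_RE.match(line):
            close_event()
            test = m.group(1)
        elif m := RESULT_RE.match(line):
            close_event()
            if m.group(2) == "failed":
                report[m.group(1)]["failed"].append(m.group(3))
        elif m := EVENT_RE.match(line):
            close_event()
            event = {"level": m.group(1), "id": m.group(2), "test": test, "lines": []}
        elif event is not None and line.startswith("Time Generated:"):
            event["time"] = line.split(":", 1)[1].strip()
        elif event is not None:
            event["lines"].append(line.split("Event String:", 1)[-1].strip())
    close_event()
    return report


def broken_kerberos_pairs(report):
    """Sorted (client DC, target machine account) pairs with KRB_AP_ERR_MODIFIED."""
    pairs = set()
    for dc, data in report.items():
        for ev in data["events"]:
            if ev["kerberos_target"]:
                pairs.add((dc, ev["kerberos_target"].split("\\")[-1]))
    return sorted(pairs)


if __name__ == "__main__":
    for client, target in broken_kerberos_pairs(parse_dcdiag(SAMPLE)):
        print(f"{client}: KRB_AP_ERR_MODIFIED when authenticating to {target}")
```

Run against a full `dcdiag /v /e` capture, the pair list shows at a glance which DC-to-DC machine account secrets are out of step, which is the condition the event text itself describes.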
Windows 2008 Server Core Domain Controller JRE 6u13 installation fails
Installer used= jre-6u13-windows-x64-p.exe
ERROR
Installer : Wrapper.CreateFile failed with error 3: The system cannot find the path specified.
I tried in safe mode too.
Any ideas?
It does work on a non-domain controller.
Installer used = jre-6u13-windows-i586-p-iftw.exe
ERROR
Windows Installer: Error applying transforms. Verify that the specified transform paths are valid.
I did not check this installer against a non-domain controller.
Installer used = jre-6u13-windows-i586-p-s.exe
INSTALLED SUCCESSFULLY
I did not check this installer against a non-domain controller.
Edited by: shinywindows on Apr 10, 2009 10:34 AM
Edited by: shinywindows on Apr 10, 2009 10:41 AM
I have exactly the same issue with JRE 6u14 on Windows 2008. :(
Any idea?? -
Windows 2008 R2 Standard side by side error
I have a Dell Poweredge 310 running Windows 2008 R2 Standard. I have updated the BIOS to the latest version and the BIOS update did take, but now all of my 32-bit software will not run. I receive the error “The application has failed to start because its side-by-side configuration is incorrect. Please see the application event log or use the command-line sxstrace.exe tool for more detail.”
I have looked over other posts and most have stated to install the C++ redistribution 2008. I was able to install the 64-bit version but I cannot install the 32-bit version. I receive the error “The application has failed to start because its side-by-side configuration is incorrect. Please see the application event log or use the command-line sxstrace.exe tool for more detail.”
So I am not able to install any 32-bit software. I have tried to enable the WOW64 feature with the command DISM /online /enable-feature /featurename:ServerCore-WOW64 but get this Error: 0x800f080c Feature name ServerCore-WOW64 is unknown.
I have also tried to use this command to set up WOW64: start /w ocsetup ServerCore-WOW64. I get this: “The specified windows component could not be found: ServerCore-WOW64.”
I have looked at the .Net 3.5 that comes installed in the Windows Features and it is installed. I do not want to uninstall and reinstall the feature because it will take down the AD and I really do not want to rebuild the AD.
Is there some setting I am missing?
Airwikg
You can refer to the following similar threads for further troubleshooting:
SideBySide errors event ID 33
https://social.technet.microsoft.com/Forums/windows/en-US/db028072-a3b7-46f5-981e-b40d9f7d0fa8/sidebyside-errors-event-id-33?forum=w7itproappcompat
‘The application has failed to start because its side-by-side configuration is incorrect’ error related to MMC.EXE programs and weird cause & simple solution
http://blogs.msdn.com/b/cesardelatorre/archive/2011/03/27/the-application-has-failed-to-start-because-its-side-by-side-configuration-is-incorrect-error-related-to-mmc-exe-programs-and-weird-cause-amp-simple-solution.aspx
Can any kind expert out here help me diagnose what is wrong under event viewer. Details below.
http://answers.microsoft.com/en-us/windows/forum/windows_7-performance/can-any-kind-expert-out-here-help-me-diagnose-what/8b542c41-a8b6-4f52-adf4-efdfb2378a1a
More information:
About Side-by-Side Assemblies
https://msdn.microsoft.com/en-us/library/windows/desktop/ff951640%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396
I’m glad to be of help to you!
-
Windows 2012 R2 default domain controllers policy set to enforced
Hi Guys,
So I've migrated my domain from Windows 2003 R2 over to Windows 2012 R2 and so far everything is running ok. Had a few problems relating to orphaned DCs but have cleared this up now. However, I'm now trying to get to grips with using group policy. When I migrated, the old policy settings seemed to have come across and things seem to be still locked down ok, in relation to certain OUs. I run a network at our local college so I have a student container which applies a lock-down policy. All these GPOs were previously set up by someone else.
I set up a test network at home before I did the said migration and am now comparing some group policy settings, namely the default ones, and I have noticed that default domain controllers policy has been set to enforced on my newly migrated domain. At home on my test server I see it is not enforced by default and am wondering why this is? I have been reading up but I can't find anything that tells me it should be enforced but wary to disable this setting. The students return on Monday so I don't want to mess it up at this stage.
One thing that I did find odd is when I first opened up the GPOs, I was prompted with a message which stated that the policies in the sysvol folder were not consistent with the ones in AD so I followed its recommendation to update.
Any advice you guys have on this would be greatly appreciated.
David
> So I've migrated my domain from Windows 2003 R2 over to Windows 2012 R2
> and so far everything is running ok.
This does NOT touch any GPOs, so your GPOs are not "migrated" or
something like that - they are still what they were before.
> enforced on my newly migrated domain. At home on my test server I see it
> is not enforced by default and am wondering why this is?
"A severe misunderstanding of how group policy inheritance and link order
works" is the closest reason I see for this. The DDCP is linked to
"Domain Controllers", and as long as you do not create subordinate OUs
there (which I've never seen) and block inheritance on them, there's no
reason to enforce.
To add my experience from the field: When I see enforced GPOs, in most
cases this enforcement is not required. People simply use it because
they do not understand "link order".
> One thing that I did find odd is when I first opened up the GPOs, I was
> prompted with a message which stated that the policies in the sysvol
> folder were not consistent with the ones in AD so I followed its
> recommendation to update.
That's fairly ok and nothing to hassle about.
Martin
How about reading a GOOD book about GPOs?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :)) -
Windows 2008 R2 cross domain shared/security folder permissions
I have a Windows 2008 R2 server located in the example.com domain. I have a folder that's shared out and it needs to be accessed by a group of machines that are not in the same domain, they are part of a different domain.
I made sure to give Everyone FULL Share and FULL NTFS Security permissions but that didn't make any difference. This used to work fine on Windows 2003 server. Something must have changed with the way that Windows 2008 handles share/security permissions.
A temporary workaround is to create a local user on the Windows 2008 R2 server and have the users access the share using those credentials.
I need it to work without asking the users for any credentials.
Hi,
Please enable Guest account, assign Everyone group the permission to access the sharing folder and then add the Anonymous SID to the Everyone access token.
To enable anonymous access on a local workstation or server computer
1. Open Local Security Settings. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Local Security Policy.
2. In the console tree, double-click Local Policies, and then click Security Options.
3. In the details pane, right-click Network access: Let Everyone permissions apply to anonymous users, and then click Properties.
4. On the Local Security Settings tab, click Enabled, and then click OK.
For more information, please refer to the following Microsoft TechNet article:
Anonymous user cannot access a shared folder
http://technet.microsoft.com/en-us/library/cc755781(WS.10).aspx
Regards,
Arthur Li
TechNet Community Support -
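To see whether a server is already in the state the answer above describes, this added example (not part of the original thread) reads the three settings it changes: the Guest account, the `EveryoneIncludesAnonymous` value behind the "Let Everyone permissions apply to anonymous users" policy, and share ACLs that allow Everyone. The function name and output property names are hypothetical.

```powershell
# Added example, not from the thread. Run locally in an elevated
# PowerShell 2.0+ session on the file server.
function Get-AnonymousShareExposure {
    # Hypothetical helper name; reads the three settings the answer changes.

    # 1. Built-in Guest account (its RID is always 501).
    $guest = Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=True' |
        Where-Object { $_.SID -like 'S-1-5-21-*-501' }
    $guestEnabled = [bool]($guest -and -not $guest.Disabled)

    # 2. "Network access: Let Everyone permissions apply to anonymous users"
    #    is stored as EveryoneIncludesAnonymous under the Lsa key.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $anonInEveryone = ($lsa.EveryoneIncludesAnonymous -eq 1)

    # 3. Share-level ACLs with an allow entry for Everyone (SID S-1-1-0).
    $levels = @{ 2032127 = 'Full Control'; 1245631 = 'Change'; 1179817 = 'Read' }
    $open = @(Get-WmiObject Win32_LogicalShareSecuritySetting | ForEach-Object {
        $share = $_.Name
        $_.GetSecurityDescriptor().Descriptor.DACL |
            Where-Object { $_ -and $_.AceType -eq 0 -and $_.Trustee.SIDString -eq 'S-1-1-0' } |
            ForEach-Object {
                $level = $levels[[int]$_.AccessMask]
                if (-not $level) { $level = "mask $($_.AccessMask)" }
                "${share}: $level"
            }
    })

    New-Object PSObject -Property @{
        GuestEnabled              = $guestEnabled
        EveryoneIncludesAnonymous = $anonInEveryone
        SharesAllowingEveryone    = $open
        AllThreeChangesPresent    = ($guestEnabled -and $anonInEveryone -and $open.Count -gt 0)
    }
}

Get-AnonymousShareExposure | Format-List
```

`AllThreeChangesPresent` only says that every change from the answer is in place on this host; NTFS permissions on the shared folder are not inspected.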
Windows Time Configuration - 2 Domain Controllers
I have 2 Domain Controllers. One is 2012 and the other is 2003. I recently added the 2012 server and configured it to be the authoritative time server by following this article...
https://support.microsoft.com/kb/816042
I see events on some clients that indicate they got their time from the older 2003 server. Should both DCs be configured this way or do I need to do something on the 2003 server so it is no longer authoritative?
Dang it, I knew I left something out! Thanks for reminding me.
On the 2003 server check HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
If the Type key is NT5DS then it should be adhering to the default hierarchy, ie: pulling time from the PDCE.
If instead it reads "NTP" then the 2003 DC still thinks it is authoritative. You can manually change it back to NT5DS and restart the Windows Time service.
Another option is to run "w32tm /query /source" on the 2003 system to see what it is using as the current time source.
If the time source is not the PDCE, you can run the commands from the following technet:
http://technet.microsoft.com/en-us/library/cc738042(v=ws.10) -
Windows could not complete the installation recovery error message with HP recovery discs
While doing a system recovery on an HP G72-b50US notebook using HP purchased recovery DVD's, the reboot "Welcome" screen always (tried 5 recovery attempts from scratch) generates the error message "Windows could not complete the installation. To install Windows on this computer, restart the installation". Any attempt at a reboot, even into safe mode, regenerates this same error message. How does this get fixed to allow completion of the installation process?
I wish I could tell you.
I also used the HP factory recovery disks on an 8200 Elite CMT. I used them once before with no problem.
The second time was a show-stopper. The recovery process would ask for all 4 disks, then the recovery installation would begin, reboot continue on, everything normal.
Then on the last reboot, when the recovery program stated it was configuring windows, it just quit and stated Windows could not complete the installation.
I made sure that I had absolutely nothing connected to the PC except the keyboard, mouse and monitor.
The only thing I can possibly think of was that I installed a Radeon HD 6570 video card which I replaced the Radeon HD 6350 card with. However, both cards are supported in the PC, and I cannot remember if I did the restore with the 6350 the last time or the 6570.
Now, the reason the ISO file will work is because this is a plain and simple Microsoft Windows 7 ISO file--the very same one that you download when you purchase W7 online from the very same download site.
It is not PC-specific and will install on any PC in the world.
A recovery disk is PC-specific, and is a very complicated mish-mash of programs, drivers, operating system, all customized for your specific model PC. Even something like installing a new hard drive or memory can foul up the works.
The downside of using the plain MS disk is the only programs and drivers you can install are the ones found on your notebook's support and driver page.
The upside of using the plain W7 installation, is you normally end up with a better performing PC, free of bloatware and unnecessary running processes.
For someone like me, it is a non-issue, but for others, they may miss some of the included software.
But that is better than having a computer that is of no value with no operating system installed, wouldn't you agree?
Paul -
Windows 2008 not shutting down Oracle
When I shutdown my Windows 2008 server that has Oracle 10.2.0.4, it does not shutdown the database like it should.
I have used Oracle Administration Assistant for Windows and I have set the Startup/Shutdown Configuration to "Shutdown instance when service is stopped" and that the Mode is "Shutdown Immediate".
In the oradim.log, I never see a shutdown command when I restart the server. I only see a shutdown command when I manually stop the service.
I've gone into the Registry and I have set ORA_<SID>SHUTDOWNTIMEOUT at 240, but I don't think that it even attempts the shutdown immediate much less waits 4 minutes for it to work.
I'm wondering if this is a bug in Oracle or Windows....
JEDBA@Marathon wrote:
> When I shutdown my Windows 2008 server that has Oracle 10.2.0.4, it does not shutdown the database like it should.
> I have used Oracle Administration Assistant for Windows and I have set the Startup/Shutdown Configuration to "Shutdown instance when service is stopped" and that the Mode is "Shutdown Immediate".
> In the oradim.log, I never see a shutdown command when I restart the server. I only see a shutdown command when I manually stop the service.
> I've gone into the Registry and I have set ORA_<SID>SHUTDOWNTIMEOUT at 240, but I don't think that it even attempts the shutdown immediate much less waits 4 minutes for it to work.
> I'm wondering if this is a bug in Oracle or Windows....
I've never really looked at oradim.log, and since I don't have much on Windows any more ... but it sounds like you may be jumping to conclusions based on looking at the wrong log. What does the alert log say? Does it look like a clean shutdown? Is it having to perform crash recovery on startup? -
One of the SAN logical disk of windows 2008 not discovered as logical disk in SCOM 2007R2.
Hi,
Anyone can advise where should I check to make the discovery work. I have rename/restart the health service folder/scom agent on the problem windows 2008 server. It still cannot discover the logical disk which make the monitoring of logical disk not possible.
Hi,
Microsoft introduced 'SAN Policy' in Win 2008 (Enterprise and Datacenter Edition only) which causes SAN disks to not be available on startup by default, as a protection mechanism. You have to use the Diskpart.exe utility to set the policy of the disks on that server to make them come up after a restart.
More info on similar sort of thing here. -
Windows does not have a constructor: 244 error message
I'm using CS6 for the first time to process some RAW files using the Photoshop Automate>Fit Image script. When I tried opening one RAW image into Photoshop to create an action I got the following error message:
"ReferenceError: Windows does not have a constructor: 224"
Never seen that in all my years of using Photoshop. What's causing this and how do I fix it?
No older versions installed.
I was however able to do the following:
From Bridge I ran Photoshop>Batch. In that menu I selected an action I created in a previous version of PS that included the Fit Image script. I clicked ok and everything ran perfectly. The problem is I can't run Fit Image directly from Photoshop using conventional methods.
As for my system info, I am running the following:
Windows 7
Quad core i7-3610QM @ 2.3GHz
8GB of RAM
nVIDIA GeForce 650M - 2GB
750GB HD
Could there be any other troubleshooting solution besides running reinstall? I want to exhaust all efforts before going down that path.
Thanks. -
Windows could not finish configuring the system error after sysprep /generalize
Hi
I just installed Windows 7 Ultimate RTM off from technet and as always I do make use of WIM images on having them deployed to my home PC's
I was able to have it installed on a clean machine and once the wizard appeared I immediately entered Audit mode (shift+ctrl+f3) and as usual I loaded all of the software I need to pre-install. After I was done I immediately loaded sysprep and ran it with the generalize option.
Now this is where the problem begins....... after it restarts during the "Setup is starting Services" screen it gives me a message box error saying "Windows could not finish configuring the system. To attempt resume configuration, restart the computer" and once I press ok it just restarts and gives the same error again.
This does not happen when I don't select the generalize option in sysprep.
Anyone who had the same issues?
I now have the ACTUAL SOLUTION to this problem. This solution will actually tell you exactly what registry key is causing your sysprep to fail, so then you don't have to slowly install every program until you find the problem -- especially since this didn't work for me because my problem has been intermittent.
This issue is caused by certain registry keys that are either:
a) Larger than 8kb
b) Set with incorrect permissions
c) Corrupt in some way
For me, the problem was intermittent (same registry key would sometimes cause the issue and sometimes not - must be corrupt sometimes) so it was impossible to tell what program was doing it. Luckily, there is a log you can look at that will tell you exactly what registry key is erroring out. Here are the steps for getting the log you need to see:
When you see the error message, do the following:
1.) Push Shift+F10 to get to a command prompt
2.) Navigate to C:\windows\Panther
3.) Find the Setup.etl file and find a way to copy this file off of the system (I copied it to the D:\ partition and used Ghost to gather that partition and get the file off)
4.) Copy the setup.etl file from the corrupted system to another computer that has Windows 7. Put it on the root of C:\ for easiest access.
5.) Open a Command Prompt on the Windows 7 computer.
6.) Navigate to the root of C:\ (or wherever you saved the file)
7.) Type "tracerpt setup.etl -o logfile.csv"
8.) Close the command prompt and open up logfile.csv in your text editor of choice.
9.) Look through the log file (towards the end probably) for messages that say "Failed to process reg key or one of its descendants". For me, the exact error looked like this: "Failed to process reg key or one of its descendants: [\REGISTRY\MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000200\Profiles\@My profile]" If you search for "reg key" or "failed to process" you should find the failure.
10.) Remove this software from your image, or find out how to get the registry key that is failing to work properly.
After this, you should be able to properly identify any problem keys and remove/workaround them on your image.
I see this post is about a year old at this point, but after searching the internet for weeks, I had high hopes for this solution. It seemed to go well, but the logfile.csv doesn't have the word "fail" in it anywhere...no "reg key", nothing. Did a sysprep install with an unattend.xml answer file that seems to be working properly, but hangs at "Setup is starting services." forever.
At this point, I'm pretty convinced that the problem is a service or reg key error from one of the apps I installed during audit mode, but I can't tell which app/service is causing the problem.
Are there any other methods for viewing failed services or registry errors that would cause the sysprep install process to hang at "Setup is starting services."?
Willing to post logfile.csv from the "tracerpt setup.etl -o logfile.csv" command, or other log files such as setupact.log, etc. Nothing popped out at me.
For now I think I'll start making multiple .wim files with only certain software installed to try to discover which application is the culprit...just wish there was an easier way. -
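Steps 8 to 10 of the procedure above can be scripted. This added example (not part of the original thread) scans the `tracerpt` output for the "Failed to process reg key" message quoted in step 9, counts each failing key and names the product that owns it. The function name is hypothetical and the sample lines are constructed, so the column layout around the message is an assumption; the pattern only relies on the message text itself.

```powershell
# Added example, not from the thread. PowerShell 2.0 or later.
function Get-SysprepFailedRegKey {
    # Hypothetical helper: pulls the registry keys out of the
    # "Failed to process reg key" events and names the likely owning product.
    param([string[]]$Lines)

    $pattern = 'Failed to process reg key or one of its descendants:\s*\[(?<key>[^\]]+)\]'
    $keys = @($Lines | Select-String -Pattern $pattern -AllMatches |
        ForEach-Object { $_.Matches } |
        ForEach-Object { $_.Groups['key'].Value.Trim() })
    if ($keys.Count -eq 0) { return }   # no such event: the cause lies elsewhere

    $keys | Group-Object | ForEach-Object {
        # Expected shape: \REGISTRY\MACHINE\SOFTWARE\<vendor>\...
        $parts = $_.Name.Trim('\') -split '\\'
        $i = 3
        if ($parts.Count -gt 4 -and $parts[3] -eq 'Wow6432Node') { $i = 4 }
        $vendor = '(not under SOFTWARE)'
        if ($parts.Count -gt $i -and $parts[2] -eq 'SOFTWARE') { $vendor = $parts[$i] }
        New-Object PSObject -Property @{ Vendor = $vendor; Count = $_.Count; Key = $_.Name }
    }
}

# Constructed sample lines; only the quoted message text comes from the post.
$sample = @(
    'Setup, 0, "Starting registry processing"',
    'Setup, 0, "Failed to process reg key or one of its descendants: [\REGISTRY\MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000200\Profiles\@My profile]"',
    'Setup, 0, "Failed to process reg key or one of its descendants: [\REGISTRY\MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000200\Profiles\@My profile]"'
)
Get-SysprepFailedRegKey -Lines $sample | Format-Table Vendor, Count, Key -AutoSize

# Against the real trace from step 7:
#   Get-SysprepFailedRegKey -Lines (Get-Content .\logfile.csv)
```

An empty result matches the situation in the follow-up post, where the trace contains no such event and the hang has to be traced through other logs.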
Windows 2008 not allocating more than 8GB of memory to all processes
Hi,
We have a web server with windows 2008 R2 on Amazon-EC2. Recently we have upgraded our server from one instance type to a higher one. New one has around 68GB of memory. However overall allocation of memory is not going above 8GB.
When I looked at w3wp in process explorer, I have observed "\KernelObjects\MaximumCommitCondition" and "KernelObjects\LowMemoryCondition" kernel events. I could not understand the reason for "low memory" events in spite of the 60GB of available memory.
At any point of time %committedBytesInUse counter is showing only 5%.
Can someone help me in making me understand on what is going wrong here?
-Sudhakar
was VM? was the VM configured with dynamic memory?
Best,
Howtodo -
After OS upgrade to windows 2008 R2 x64 Dispatcher stopped by error
Hello everyone,
I am facing a problem after OS upgrade (from Windows Server 2003 Standard R2 x64 to Windows Server 2008 Standard R2 x64), Solution Manager 7.0 EhP1 on DB2 v9.7 FP4.
When I start SAP using mmc console after awhile Dispatcher stops.
When I wrote R3trans -dx in CMD:
D:\usr\sap\ASM\DVEBMGS00\exe>r3trans -dx
This is r3trans version 6.14 (release 701 - 19.01.11 - 11:44:00).
unicode enabled version
r3trans finished (0000).
The contents of [dev_w0|http://pokazywarka.pl/p9udr9/], [std_dispatcher.out|http://pokazywarka.pl/wgpsfx/] and [std_server0.out|http://pokazywarka.pl/a5xsp0/]
I found an error in dev_w0:
[IBM][CLI Driver] SQL1531N The database alias "ASM" could not be found in the db2ds
C &+ driver.cfg configuration
And the Note: 1564507 - DB6: SQL1531N alias "<DBNAME>" not found in db2dsdriver.cfg
Contents of db2cl.ini:
; Comment lines start with a semi-colon.
[ASM]
Database=ASM
Protocol=tcpip
Hostname=sapsolman
Servicename=5912
[COMMON]
Diagpath=
sapsolman\sapmnt\ASM\SYS\global\db6\db2dump
Someone have any ideas how to fix Dispatcher ? I can attach any log files, if necessary.
Best regards,
Kamil
Hi,
Well unfortunately, do not think its possible to fix it. We once had a similar situation with SAP system on MSSQL on Windows Server 2008. It was only an ABAP system so after a lot of hit and trial we got the system up. And would not get any support from SAP in case of future errors.
But for Solution manager this really would be complex because of the Java part. Do you have the backup before OS upgrade?
Would recommend a restore and migration as supported by SAP.
Regards,
Srikishan -
2008 R2 SP1 Domain Controllers Local Audit Settings
Question for the forum -- On a DC should the Audit settings in Local Security Policy (under administration tools) match the Audit settings that are set in the Default Domain Controller policy in Active Directory?
My default domain controller policy has a lot of stuff set for auditing -- when I look at the local policy it shows "No Auditing" -- I can't change it as I would expect
When I run RSOP.MSC I see that the DC is getting its auditing settings from the Default Domain Controller Policy.
When I look at the event log -- I would expect to see more events being logged -- and I don't. It's logging events in the security log -- but I don't see anything for account management activities where it is set to success & failure in the default domain controller security policy.
Thanks.
Hi,
Did you enable Advanced Audit Policy Configuration? If yes,
the audit policy under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policy will not work.
I recommend you to run the command
auditpol.exe /get /category:*
to check the audit policy. If the account management policy is not applied, we could check if the following file exists:
Windows\SYSVOL\sysvol\domain name\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Microsoft NT\audit.csv
If yes, we could delete it and then refresh the group policy.
For more detailed information about Audit Policy, please refer to the following link:
Getting the Effective Audit Policy in Windows 7 and 2008 R2
http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx
Best Regards,
Erin
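The check recommended in the answer above, as an added example that is not part of the original thread: it parses the CSV form of the same report (`auditpol /get /category:* /r`) and lists the Account Management subcategories whose effective setting is not "Success and Failure". The function name is hypothetical, and the sample report, machine name and GUIDs are constructed placeholders.

```powershell
# Added example, not from the thread. PowerShell 2.0 or later.
# Subcategories that belong to the Account Management category.
$AccountManagement = @(
    'User Account Management', 'Computer Account Management',
    'Security Group Management', 'Distribution Group Management',
    'Application Group Management', 'Other Account Management Events'
)

function Get-AuditGap {
    # Hypothetical helper: lists subcategories whose effective setting is not
    # the expected one, or that are missing from the report altogether.
    param(
        [string[]]$ReportLines,
        [string[]]$Subcategory = $AccountManagement,
        [string]$Expected = 'Success and Failure'
    )
    # The /r report can carry blank lines; drop them before CSV parsing.
    $rows = $ReportLines | Where-Object { $_ -and $_.Trim() } | ConvertFrom-Csv
    foreach ($name in $Subcategory) {
        $row = $rows | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $actual = '(not in report)'
        if ($row) { $actual = $row.'Inclusion Setting' }
        if ($actual -ne $Expected) {
            New-Object PSObject -Property @{ Subcategory = $name; Effective = $actual }
        }
    }
}

# Constructed sample in the column layout of `auditpol /get /category:* /r`
# (machine name and GUIDs are placeholders, not real values).
$sample = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
DC-EXAMPLE,System,Logon,{00000000-0000-0000-0000-000000000001},Success and Failure,
DC-EXAMPLE,System,User Account Management,{00000000-0000-0000-0000-000000000002},Success and Failure,
DC-EXAMPLE,System,Computer Account Management,{00000000-0000-0000-0000-000000000003},No Auditing,
DC-EXAMPLE,System,Security Group Management,{00000000-0000-0000-0000-000000000004},Success,

DC-EXAMPLE,System,Other Account Management Events,{00000000-0000-0000-0000-000000000005},No Auditing,
'@ -split "`r?`n"

Get-AuditGap -ReportLines $sample | Format-Table Subcategory, Effective -AutoSize

# Against a live domain controller, from an elevated prompt:
#   Get-AuditGap -ReportLines (auditpol.exe /get /category:* /r)
```

Because `auditpol` reports the effective policy, a gap listed here is what the security log will actually miss, whatever the Local Security Policy console displays.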