Windows 2012 Domain Controllers and RC4
We are using Qualysguard as our vulnerability scanner, and we are getting QID 38601, "SSL/TLS use of weak RC4 cipher". While we have created a GPO to disable RC4 on the 2008/2012 servers, we have 4 Domain Controllers that we haven't included in
the GPO yet. I'm wondering if disabling RC4 on 2012 Domain Controllers will cause problems that I'm not foreseeing right now.
Does someone out there have any knowledge of this through experience or otherwise?
Thanks in advance.
Hi,
As far as I know, disabling RC4 cipher usage in SSL/TLS wouldn't affect Kerberos-related services on the Domain Controller, since the Key Distribution Center (KDC) just uses the available encryption type to encrypt tickets requested by our clients with RC4_HMAC_NT.
More information for you:
Disabling RC4 Cipher KB2868725 relation to Kerberos
https://social.technet.microsoft.com/Forums/sqlserver/en-US/836eba80-a070-486d-98b2-69b6325cb40e/disabling-rc4-cipher-kb2868725-relation-to-kerberos?forum=winserversecurity
Best Regards,
Amy
Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]
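The reply above rests on RC4 living in two separate places: the Schannel cipher suites that QID 38601 reports, and the Kerberos encryption types the KDC uses for tickets. The following read-only audit, an added example that is not from the thread or from Microsoft, shows both on a 2012 DC so you can verify that the Schannel GPO changed only the first. It assumes an elevated session on the DC with the ActiveDirectory module installed.

```powershell
# Added example (not from the thread): read-only audit of the two separate RC4 settings
# on a Windows Server 2012 domain controller.
#   (1) Schannel cipher state      - what Qualys QID 38601 reports (RC4 in SSL/TLS)
#   (2) Kerberos encryption types  - what the KDC uses for tickets (RC4_HMAC and AES)
# Turning off (1) through the Schannel registry keys leaves (2) untouched.

function Get-SchannelRc4State {
    # The "/" in key names such as "RC4 128/128" is literal; the PowerShell registry
    # provider would treat it as a path separator, so the .NET registry API is used here.
    $base = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers')
    foreach ($name in 'RC4 128/128', 'RC4 56/128', 'RC4 40/128') {
        $sub     = if ($base) { $base.OpenSubKey($name) } else { $null }
        $enabled = if ($sub)  { $sub.GetValue('Enabled') } else { $null }
        if ($null -eq $enabled) { $state = 'OS default (enabled)' }
        elseif ($enabled -eq 0) { $state = 'DISABLED' }
        else { $state = 'ENABLED (0x{0:X})' -f $enabled }
        [pscustomobject]@{ Cipher = $name; Schannel = $state }
    }
}

function Get-KerberosEncTypePolicy {
    # Written by the GPO "Network security: Configure encryption types allowed for Kerberos".
    $path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    $value = (Get-ItemProperty -Path $path -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
    if ($null -eq $value) { return 'not set by policy (OS default: RC4 and AES allowed, DES off)' }
    $flags = [ordered]@{ 1 = 'DES_CBC_CRC'; 2 = 'DES_CBC_MD5'; 4 = 'RC4_HMAC_MD5'; 8 = 'AES128_HMAC_SHA1'; 16 = 'AES256_HMAC_SHA1' }
    $names = foreach ($bit in $flags.Keys) { if ($value -band $bit) { $flags[$bit] } }
    '0x{0:X} = {1}' -f $value, ($names -join ', ')
}

function Get-DcKerberosEncTypes {
    # Per-account view: the encryption types each DC's computer account advertises.
    Import-Module ActiveDirectory
    foreach ($dc in Get-ADDomainController -Filter *) {
        $acct = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties msDS-SupportedEncryptionTypes
        [pscustomobject]@{ DC = $dc.HostName; 'msDS-SupportedEncryptionTypes' = $acct.'msDS-SupportedEncryptionTypes' }
    }
}

Get-SchannelRc4State | Format-Table -AutoSize
'Kerberos policy: ' + (Get-KerberosEncTypePolicy)
Get-DcKerberosEncTypes | Format-Table -AutoSize
```

Expect the three RC4 rows to read DISABLED once the Schannel GPO has applied, while the Kerberos policy line and the msDS-SupportedEncryptionTypes values stay exactly as they were before; if the Kerberos line also changes, a different policy (the Kerberos encryption-types setting) is in play, not the Schannel one.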
Similar Messages
-
We have a program called Audit Wizard that we used with Windows 2003 that monitored all clients and alerted my department when a program was installed/uninstalled. Since upgrading to Windows Server 2008 R2, the program no longer works correctly.
So we are wondering if it is possible for Windows 2008 R2 Domain Controllers (running at a 2008 R2 forest and domain level) to be able to audit when programs are installed/uninstalled on clients and send alerts to our Admins?
If so, How?
Thanks in advance for your help!
Pete Macias
Hi Pete,
>>So we are wondering if it is possible for Windows 2008R2 Domain Controllers, running at a 2008R2 forest and domain level) to be able to audit when a programs are installed/uninstalled on clients and send alerts to our Admins?
As far as I know, group policy can't help us do this. If you are interested, we can take a look at System Center Operation Manager and ask for suggestions in the following SCOM forum.
Operations Guide for System Center 2012 - Operations Manager
https://technet.microsoft.com/en-us/library/hh212887.aspx
System Center Operation Manager
https://social.technet.microsoft.com/Forums/systemcenter/en-US/home?category=systemcenteroperationsmanager
Best regards,
Frank Shen
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] -
Installing a Windows 2012 Domain Controller into a 2000/2003 domain with Exchange 2003
Hello,
I have a client that we are planning to migrate to 2012 over time. They currently have a Windows 2000 DC and 2 member servers running Windows 2003, one of which is running Exchange 2003.
We first are going to introduce a 2012 server into the domain and my plan was to DCPromo the 2003 server that isn't running Exchange and raise domain level to 2003 and then demote the 2000 server. I was then going to install the
2012 server into the domain and make it a backup Domain Controller for the time being and leave the newly promoted Windows 2003 server as the primary Domain Controller with all the roles and global catalog. My question is will Exchange 2003 still function
normally in this scenario?
I've been doing research and read some things about Exchange 2003 not working with 2012 Domain Controllers, but I was thinking if the 2003 is still the primary, it might work. We will eventually migrate to 2003, they just don't want to
do it all at once, due to costs and other issues.
Thanks.
I didn't ask if it was supported, I just wanted to know if Exchange 2003 would continue to function if the Windows 2003 DC still held all the FSMO roles and Global Catalog.
An unsupported situation is one where Microsoft has done no testing or does not guarantee that you can operate without problems. Following an unsupported scenario can be done, but at your own risk.
If it won't, can the 2012 server be a member server in the 2003 AD? The 2000 DC it is replacing just shares files on the network in addition to being the lone AD server.
Yes, it can be a member server.
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile -
Windows 2012 - SYSVOL replication and NETLOGON share
After reading 100 tons of articles and links I decided to open this thread.
I know today is the 1st of April, but unfortunately for me this is not a joke.
given:
two 2003 DC's - physical servers
two 2008 DC's - VM's on ESX 5.1 hosts
two 2012 DC's - VM's on ESX 5.5 hosts
domain functional level 2003
situation:
we plan to decom the 2003's.
The 2008 DCs have been in place for a while and are working OK.
We plan to upgrade to 2012 and here is where the trouble starts.
Firstly, I couldn't, by any means, promote the 2012s as DCs until I moved all the FSMO roles from the 2003 DCs to the 2008 DCs.
After lots of work with the network team we made all the right connections opened the firewalls, made the DCDIAG and DNS tests and the only problem reported are the SYSVOL replication and NETLOGON share.
I tried all the tools out there to check the replication and the last one is Microsoft's ADReplStatus tool, which made me think that either Microsoft makes fun of me or I'm the dumbest Windows admin on this planet.
This tool reports that there are NO ERRORS in replicating SYSVOL, but when I run the command 'net share' the 'domain.com\sysvol\scripts' is not there. Furthermore, when I try to access '\\domain.com\sysvol' - the directory under which I must find the 'policies' and 'scripts' folders - SYSVOL is empty. Obviously these are present when I do this check from the 2008 DCs or 2003 DCs.
Is there a known issue for these problems regarding 2012 and ESX 5.5 ? - still, i doubt it.
DCDIAG /TEST:DNS
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = dc-p01
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: dc-p01
Starting test: Connectivity
......................... dc-p01 passed test Connectivity
Doing primary tests
Testing server: dc-p01
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
......................... dc-p01 passed test DNS
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : domain
Running enterprise tests on : domain.com
Starting test: DNS
Test results for domain controllers:
DC: dc-p01.domain.com
Domain: domain.com
TEST: Dynamic update (Dyn)
Warning: Failed to delete the test record dcdiag-test-record i
n zone domain.com
Summary of test results for DNS servers used by the above domain
controllers:
DNS server: 184.134.0.97 (<name unavailable>)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
S server 184.134.0.97
dc-p01 PASS
PASS PASS PASS WARN PASS n/a
......................... domain.com passed test DNS
The PTR record query for 1.0.0.127 is still there but I will change it manually; my DNS is set as primary to point to the server itself by its IP and not 127.0.0.1.
Still, that DNS server with that error is a Linux DNS, but all my DCs have the DNS role on and are fully replicating and working, including the 2012s.
DCDIAG:
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = dc-p01
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: dc-p01
Starting test: Connectivity
......................... dc-p01 passed test Connectivity
Doing primary tests
Testing server: dc-p01
Starting test: Advertising
......................... dc-p01 passed test Advertising
Starting test: FrsEvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... dc-p01 passed test FrsEvent
Starting test: DFSREvent
......................... dc-p01 passed test DFSREvent
Starting test: SysVolCheck
......................... dc-p01 passed test SysVolCheck
Starting test: KccEvent
......................... dc-p01 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... dc-p01 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... dc-p01 passed test MachineAccount
Starting test: NCSecDesc
......................... dc-p01 passed test NCSecDesc
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\dc-p01\netlogon)
[dc-p01] An net use or LsaPolicy operation failed with error 67,
The network name cannot be found..
......................... dc-p01 failed test NetLogons
Starting test: ObjectsReplicated
......................... dc-p01 passed test ObjectsReplicated
Starting test: Replications
REPLICATION-RECEIVED LATENCY WARNING
dc-p01: Current time is 2014-04-01 10:25:09.
DC=ForestDnsZones,DC=mydomain,DC=lan
Last replication received from DC-P02 at
2014-03-31 15:22:40
DC=DomainDnsZones,DC=mydomain,DC=lan
Last replication received from DC-P02 at
2014-03-31 15:22:40
CN=Schema,CN=Configuration,DC=mydomain,DC=lan
Last replication received from DC-P02 at
2014-03-31 15:22:40
CN=Configuration,DC=mydomain,DC=lan
Last replication received from DC-P02 at
2014-03-31 15:25:50
DC=mydomain,DC=lan
Last replication received from DC-P02 at
2014-03-31 15:22:40
......................... dc-p01 passed test Replications
Starting test: RidManager
......................... dc-p01 passed test RidManager
Starting test: Services
......................... dc-p01 passed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0xA004001B
Time Generated: 04/01/2014 09:26:35
EvtFormatMessage failed, error 15027 the message resource is present
but the message is not found in the string/message table.
(Event String (event log = System) could not be retrieved, error
0x3ab3)
An error event occurred. EventID: 0x0000272C
Time Generated: 04/01/2014 09:27:52
Event String:
DCOM was unable to communicate with the computer ca-p01.domain.com
n using any of the configured protocols; requested by PID fdc (C:\Windows\s
ystem32\taskhost.exe).
A warning event occurred. EventID: 0xA004001B
Time Generated: 04/01/2014 09:31:14
EvtFormatMessage failed, error 15027 the message resource is present
but the message is not found in the string/message table.
(Event String (event log = System) could not be retrieved, error
0x3ab3)
A warning event occurred. EventID: 0xA004001B
Time Generated: 04/01/2014 09:32:13
EvtFormatMessage failed, error 15027 the message resource is present
but the message is not found in the string/message table.
(Event String (event log = System) could not be retrieved, error
0x3ab3)
An error event occurred. EventID: 0x0000272C
Time Generated: 04/01/2014 09:32:53
Event String:
DCOM was unable to communicate with the computer ca-p01.domain.com
n using any of the configured protocols; requested by PID c18 (C:\Windows\s
ystem32\taskhost.exe).
A warning event occurred. EventID: 0xA004001B
Time Generated: 04/01/2014 09:35:33
EvtFormatMessage failed, error 15027 the message resource is present
but the message is not found in the string/message table.
(Event String (event log = System) could not be retrieved, error
0x3ab3)
An error event occurred. EventID: 0x0000272C
Time Generated: 04/01/2014 09:37:54
Event String:
DCOM was unable to communicate with the computer ca-p01.domain.com
n using any of the configured protocols; requested by PID 950 (C:\Windows\s
ystem32\taskhost.exe).
An error event occurred. EventID: 0x0000272C
Time Generated: 04/01/2014 09:42:54
Event String:
DCOM was unable to communicate with the computer ca-p01.domain.com
n using any of the configured protocols; requested by PID 5c4 (C:\Windows\s
ystem32\taskhost.exe).
An error event occurred. EventID: 0x0000272C
Time Generated: 04/01/2014 09:47:55
Event String:
DCOM was unable to communicate with the computer ca-p01.domain.com
n using any of the configured protocols; requested by PID ee0 (C:\Windows\s
ystem32\taskhost.exe).
An error event occurred. EventID: 0x0000272C
Time Generated: 04/01/2014 09:52:56
Event String:
DCOM was unable to communicate with the computer ca-p01.domain.com
n using any of the configured protocols; requested by PID e48 (C:\Windows\s
ystem32\taskhost.exe).
A warning event occurred. EventID: 0xA004001B
Time Generated: 04/01/2014 09:53:30
EvtFormatMessage failed, error 15027 the message resource is present
but the message is not found in the string/message table.
(Event String (event log = System) could not be retrieved, error
0x3ab3)
An error event occurred. EventID: 0x0000272C
Time Generated: 04/01/2014 09:57:57
Event String:
DCOM was unable to communicate with the computer ca-p01.domain.com
n using any of the configured protocols; requested by PID a20 (C:\Windows\s
ystem32\taskhost.exe).
An error event occurred. EventID: 0x0000272C
Time Generated: 04/01/2014 10:02:58
Event String:
DCOM was unable to communicate with the computer ca-p01.domain.com
n using any of the configured protocols; requested by PID 1bc (C:\Windows\s
ystem32\taskhost.exe).
A warning event occurred. EventID: 0xA004001B
Time Generated: 04/01/2014 10:06:04
EvtFormatMessage failed, error 15027 the message resource is present
but the message is not found in the string/message table.
(Event String (event log = System) could not be retrieved, error
0x3ab3)
An error event occurred. EventID: 0x0000272C
Time Generated: 04/01/2014 10:07:58
Event String:
DCOM was unable to communicate with the computer ca-p01.domain.com
n using any of the configured protocols; requested by PID 14c (C:\Windows\s
ystem32\taskhost.exe).
An error event occurred. EventID: 0x0000272C
Time Generated: 04/01/2014 10:12:59
Event String:
DCOM was unable to communicate with the computer ca-p01.domain.com
n using any of the configured protocols; requested by PID 90c (C:\Windows\s
ystem32\taskhost.exe).
An error event occurred. EventID: 0x0000272C
Time Generated: 04/01/2014 10:18:00
Event String:
DCOM was unable to communicate with the computer ca-p01.domain.com
n using any of the configured protocols; requested by PID 558 (C:\Windows\s
ystem32\taskhost.exe).
An error event occurred. EventID: 0x0000272C
Time Generated: 04/01/2014 10:23:01
Event String:
DCOM was unable to communicate with the computer ca-p01.domain.com
n using any of the configured protocols; requested by PID f00 (C:\Windows\s
ystem32\taskhost.exe).
A warning event occurred. EventID: 0xA004001B
Time Generated: 04/01/2014 10:23:56
EvtFormatMessage failed, error 15027 the message resource is present
but the message is not found in the string/message table.
(Event String (event log = System) could not be retrieved, error
0x3ab3)
......................... dc-p01 failed test SystemLog
Starting test: VerifyReferences
......................... dc-p01 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : mydomain
Starting test: CheckSDRefDom
......................... mydomain passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... mydomain passed test CrossRefValidation
Running enterprise tests on : domain.comn
Starting test: LocatorCheck
......................... domain.comn passed test LocatorCheck
Starting test: Intersite
......................... domain.comn passed test Intersite
In Active Directory Sites and Services, when I try to replicate FROM a valid SYSVOL Domain Controller towards my 2012 DC I get this:
The following error occurred during the attempt to contact the domain controller dc-p01:
Directory object not found
I cannot upload a picture yet because MS ... didn't verify me.
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\dc-p01\netlogon)
[dc-p01] An net use or LsaPolicy operation failed with error 67,
The network name cannot be found..
......................... dc-p01 failed test NetLogons
Starting test: ObjectsReplicated
......................... dc-p01 passed test ObjectsReplicated
Starting test: Replications
REPLICATION-RECEIVED LATENCY WARNING
dc-p01: Current time is 2014-04-01 10:25:09.
DC=ForestDnsZones,DC=mydomain,DC=lan
Last replication received from DC-P02 at
2014-03-31 15:22:40
DC=DomainDnsZones,DC=mydomain,DC=lan
Last replication received from DC-P02 at
2014-03-31 15:22:40
To perform a non-authoritative restore of SYSVOL, you set the BurFlags value and the system will automatically try to sync the contents of SYSVOL with its replicating partner DC. It's not mandatory to select any particular DC for SYSVOL replication because in the same domain, all DCs share the same SYSVOL content.
Sometimes, if initialization of FRS doesn't start, you have to follow the below article. It's also applicable to Windows 2008 as long as you're using FRS for replication.
http://support.microsoft.com/kb/290762/en-us
To force the replication of sysvol using cmdline, refer below link.
http://blogs.technet.com/b/justinturner/archive/2007/04/27/quick-tip-force-frs-replication.aspx
It's better to find out what went wrong with the overall AD domain infrastructure, such that SYSVOL has not been able to contact its partner for SYSVOL replication, using an in-depth assessment of the domain. It can be network, firewall, antivirus or built-in firewall port issues which might have broken SYSVOL replication.
http://msmvps.com/blogs/ad/archive/2008/06/03/active-directory-health-checks-for-domain-controllers.aspx
Awinish Vishwakarma - MVP
My Blog: awinish.wordpress.com
Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights. -
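Before touching BurFlags it helps to capture, on the failing 2012 DC, the facts the dcdiag output above only hints at: whether the shares exist, whether Netlogon considers SYSVOL ready, which replication engine is in use, whether a restore is already pending, and the FRS events that explain a stalled SYSVOL. The script below is an added example (not from the thread or from Microsoft); it is read-only and assumes an elevated session on an FRS-based DC, as in this thread.

```powershell
# Added example (not from the thread): read-only SYSVOL/NETLOGON health check for a
# domain controller that still replicates SYSVOL with FRS (domain functional level 2003).

function Test-SysvolHealth {
    $result = [ordered]@{}

    # 1. Are the shares present? dcdiag's NetLogons test fails (error 67) when they are not.
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        $s = Get-SmbShare -Name $share -ErrorAction SilentlyContinue
        $result["Share_$share"] = if ($s) { $s.Path } else { 'MISSING' }
    }

    # 2. Netlogon only creates the shares once the replication engine reports SYSVOL ready (1).
    $netlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $result['SysvolReady'] = (Get-ItemProperty $netlogonParams -Name SysvolReady -ErrorAction SilentlyContinue).SysvolReady

    # 3. Which engine is installed, and is it running?
    foreach ($svc in 'NtFrs', 'DFSR') {
        $state = (Get-Service -Name $svc -ErrorAction SilentlyContinue).Status
        $result["Service_$svc"] = if ($state) { "$state" } else { 'not installed' }
    }

    # 4. FRS BurFlags: 0xD2 = non-authoritative restore pending, 0xD4 = authoritative.
    #    A value still present means a restore was requested but FRS has not consumed it.
    #    The key name contains "/", so the .NET API is used instead of the HKLM: provider.
    $burKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup')
    $bur = if ($burKey) { $burKey.GetValue('BurFlags') } else { $null }
    $result['BurFlags'] = if ($null -eq $bur) { 'not set' } else { '0x{0:X}' -f $bur }

    # 5. Recent FRS events that explain a stalled SYSVOL:
    #    13508 = cannot reach replication partner, 13509 = partner reachable again,
    #    13516 = SYSVOL shared (healthy), 13565 = non-authoritative restore started.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'File Replication Service'; Id = 13508, 13509, 13516, 13565 } `
                           -MaxEvents 10 -ErrorAction SilentlyContinue
    $result['RecentFrsEvents'] = ($events | ForEach-Object { '{0:u} {1}' -f $_.TimeCreated, $_.Id }) -join '; '

    [pscustomobject]$result
}

Test-SysvolHealth | Format-List
```

A DC in the state described in the thread typically shows both shares MISSING, SysvolReady 0 or absent, NtFrs running, and a run of 13508 events with no 13509 or 13516 after them; that combination points at the partner-connectivity problems the reply above describes rather than at the 2012 build or the hypervisor.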
Downgrade of Windows 2012 r2 to Windows 2012 Domain Service Active Directory
I have an uncertainty. We used the adprep /forest and adprep /domain tools on Windows 2012 R2 to update the domain Active Directory. But after promoting a domain controller to Windows 2012 R2, we realized that a tool we use to authenticate computer accounts is not supported for domain controllers on Windows 2012 R2. Here comes the question: can I directly install and promote a Windows 2012 domain controller without running the adprep /forest and adprep /domain tools of Windows 2012?
I hope that is clear.
Thanks.
migrations
Hello,
as others mentioned there is no problem to promote a Windows Server 2012 into the domain as the functional level is fine for this.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights. -
Can A Windows 2000 Client Join A Windows 2012 Domain ?
I have set up a Server 2012 VM that I have configured as a DC. The desktop environment consists of Windows 7, Windows XP and a few Windows 2000 machines. All desktops can JOIN the 2012 domain, but when I try to add domain users to any of the
Windows 2000 (SP4) workstations, it fails with the error "The trust relationship between this workstation and the primary domain failed".
Unjoining the workstation from the domain (or going into ADUC and deleting the Win 2000 computer from the domain) and trying again yields the same result. I do not have this problem when the Windows 2000 machines are joined to a Server 2008 R2 domain.
At this point, I'm leaning towards setting it up as a 2008 R2 DC, and moving to a 2012 DC once we have weaned ourselves off of the Windows 2000 desktops. Is there any hope of getting things to work with a 2012 DC from the start?
Hi,
Based on my research, Windows 2000 clients are not supported with Windows 2012 DCs.
Windows client and Windows Server operating systems that are supported to join Windows Server 2012 domains
The following Windows client and Windows Server operating systems are supported for domain member computers with domain controllers that run Windows Server 2012:
Client operating systems: Windows 8, Windows 7, Windows Vista, Windows XP
Computers that run Windows 8 are also able to join domains that have domain controllers that run earlier versions of Windows Server, including Windows Server 2003 or later. In this case however, some Windows 8 features may require additional configuration or
may not be available. For more information about those features and other recommendations for managing Windows 8 clients in downlevel domains, see
Running Windows 8 member computers in Windows Server 2003 domains.
Server operating systems: Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003 R2, Windows Server 2003
Cataleya Li
TechNet Community Support -
Autodiscover, domain controllers, and certificate errors
I have just deployed an Exchange 2013 server in one of my sites. I'm having tons of issues with it, but one issue I'm having trouble thinking through goes like this:
All users have email addresses that are [email protected] Domain.com is our internal domain name and also a public domain. Now, in a Windows environment, if you were to nslookup domain.com within our network it
will resolve to any one of the domain controllers. On our infrastructure master DC there is an IIS website, with SSL, that handles certificate services for our internal CA.
Here's my problem: When a user opens Outlook and autodiscover attempts to find their Exchange connection info it first tries to reach the site
https://domain.com/autodiscover/autodiscover.xml. If that PC happens to resolve domain.com to the DC that has our certificate services website on it then the Outlook client sends a certificate error.
If the client is prior to Outlook 2013, the mailbox configuration just halts and throws an error.
What do I do to prevent this?
Hi,
Yes, we can have the following "switches":
PreferLocalXML
ExcludeHttpRedirect
ExcludeHttpsAutoDiscoverDomain
ExcludeHttpsRootDomain
ExcludeScpLookup
ExcludeSrvRecord
ExcludeLastKnownGoodURL
Thanks,
Simon Wu
TechNet Community Support -
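The switches listed in the reply are per-user DWORD values under Outlook's AutoDiscover registry key. The script below is an added example, not from the thread or from Microsoft; it assumes Outlook 2013 (key version 15.0, adjust for other releases) and sets only ExcludeHttpsRootDomain, which is the step that sends clients to https://domain.com and therefore to the DC's certificate-services site in the scenario above. In production such values are deployed by Group Policy or a registry preference rather than run on each PC.

```powershell
# Added example (not from the thread): read and set Outlook Autodiscover switches for the
# current user. 15.0 = Outlook 2013 (assumption; 14.0 = 2010, 16.0 = 2016 and later).
$OfficeVersion = '15.0'
$key = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\AutoDiscover"

# The switch names from the reply above; each is a DWORD, 1 = skip that lookup step.
$switches = 'PreferLocalXML', 'ExcludeHttpRedirect', 'ExcludeHttpsAutoDiscoverDomain',
            'ExcludeHttpsRootDomain', 'ExcludeScpLookup', 'ExcludeSrvRecord', 'ExcludeLastKnownGoodURL'

function Get-AutodiscoverSwitches {
    $state = [ordered]@{}
    $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
    foreach ($name in $switches) {
        # $null means the value is absent, i.e. the step is still performed.
        $state[$name] = if ($props) { $props.$name } else { $null }
    }
    $state
}

function Set-AutodiscoverSwitch ([string]$Name, [int]$Value) {
    if ($switches -notcontains $Name) { throw "Unknown Autodiscover switch: $Name" }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

# Skip only the root-domain HTTPS probe (https://domain.com/autodiscover/autodiscover.xml).
# SCP lookup, the autodiscover.domain.com probe, HTTP redirect and SRV lookup are left
# enabled so clients still reach the Exchange 2013 Autodiscover endpoint.
Set-AutodiscoverSwitch -Name ExcludeHttpsRootDomain -Value 1
Get-AutodiscoverSwitches | Format-Table -AutoSize
```

Excluding only the root-domain step keeps the normal discovery order intact; setting several of the other switches at once can leave a client with no working lookup path, so change one step, confirm with the Outlook "Test E-mail AutoConfiguration" dialog, and deploy from there.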
Change license to Windows 2012 R2 Essentials and Windows 2012 R2 Standard
Hi,
I'm working for a small company (10 users). We have 2 servers; 1 is a normal file server, domain controller etc.; the second is dedicated for running a financial application. We bought and installed new hardware but with so called 'Technet licenses'.
Obviously we need to buy proper licenses. I have 2 questions :
1. Am I correct in buying 1 Windows 2012 R2 Essentials license, 1 Windows 2012 R2 Standard license and 10 CALs ?
2. Can I just install these licenses 'over' the existing 'Technet licenses' ?
Any help will be greatly appreciated.
Ronald Ruijtenberg
I would purchase one Server Standard license, install it as a hypervisor on the server, then add two VMs. The first one is Server with the Essentials role, the second to run your financial application. You can do this on one physical box and you only have to purchase one copy of Server Standard.
Larry Struckmeyer[MVP] If your question is answered please mark the response as the answer so that others can benefit. -
Windows 2012 Domain Controller NETLOGON error
We have a SonicWall firewall user authentication system active for the last two months. We have a Windows 2012 Active Directory server set up with around 1400 user accounts created. These accounts were created using the following PowerShell script:
Import-Module ActiveDirectory
# Import CSV (expected columns: UserName, Name, Password)
$csv = Import-Csv -Path 'C:\Users\Administrator\Desktop\College User Ac Password Details\FE\civil.csv'
FOREACH ($Person in $csv) {
    $name        = $Person.UserName
    $displayname = $Person.Name
    $path        = "OU=FE,DC=comp,DC=com"
    $password    = $Person.Password   # stored in clear text in the CSV; protect or delete the file afterwards
    $enabled     = $True
    $changePW    = $False
    $description = "CIVIL"
    # Create the account in the FE OU, enabled, with the password from the CSV
    New-ADUser -SamAccountName $name -Name $name -Description $description -DisplayName $displayname -Path $path -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) -Enabled $enabled -ChangePasswordAtLogon $changePW -PassThru
}
The above script reads a CSV file with usernames and passwords and creates user accounts in Active Directory.
But since today we are facing an issue during the authentication process. We are unable to log on to the Directory server. When the SonicWall firewall tries to authenticate a user, it logs out the same user. When I checked the event log on the Windows Active Directory server it shows the following message.
The dynamic registration of the DNS record 'ForestDnsZones.comp.com. 600
IN A 192.168.0.12' failed on the following DNS server:
DNS server IP address: 216.37.64.6
Returned Response Code (RCODE): 5
Returned Status Code: 9017
For computers and users to locate this domain controller, this record must be registered in DNS.
USER ACTION
Determine what might have caused this failure, resolve the problem, and initiate
registration of the DNS records by the domain controller. To determine what might have
caused this failure, run DCDiag.exe. To learn more about DCDiag.exe, see Help and
Support Center. To initiate registration of the DNS records by this domain
controller, run 'nltest.exe /dsregdns' from the command prompt on the domain
controller or restart Net Logon service. Or, you can manually add this record to DNS,
but it is not recommended.
ADDITIONAL DATA
Error Value: DNS bad key.
The above log entry talks about a DNS issue. But I did not configure any DNS server on this machine.
Authentication was working fine for the last two months, but suddenly from today we are facing the above issue. Kindly help me out in resolving this issue.
Hi,
I'm not sure of your setup and don't understand where your SonicWall comes in.
The error with the DNS is that the server is trying to register its DNS entries in the server with the public IP address
216.37.64.6 which I am assuming is your ISP's DNS server?
How is the DNS configured on your domain controller? The domain controller should point to itself as its preferred DNS server.
Regards,
Denis Cooper
MCITP EA - MCT
Help keep the forums tidy, if this has helped please mark it as an answer
Blog: http://www.windows-support.co.uk
Twitter: LinkedIn: -
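The question the reply ends with, which resolvers the DC is actually configured to use, can be answered on the DC itself, together with a look at the Netlogon event quoted above. The script below is an added example, not from the thread or from Microsoft; it assumes an elevated session on the DC with the ActiveDirectory and DnsClient modules (both present on Server 2012) and that every DC in the domain runs the DNS role, so any resolver that is not a DC is suspect.

```powershell
# Added example (not from the thread): check where a DC sends its DNS queries and dynamic
# registrations, and pull the Netlogon events that record failed registrations.
Import-Module ActiveDirectory

function Get-ResolverVerdict ([string]$Server, [string[]]$DcAddresses) {
    if ($Server -eq '127.0.0.1' -or $DcAddresses -contains $Server) { return 'OK (domain controller)' }
    'BAD (not a DC: a resolver like this can refuse the update, as in the RCODE 5 / 9017 event above)'
}

function Get-DcResolverReport {
    $dcAddresses = (Get-ADDomainController -Filter *).IPv4Address
    foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
        foreach ($server in $cfg.ServerAddresses) {
            [pscustomobject]@{
                Interface = $cfg.InterfaceAlias
                DnsServer = $server
                Verdict   = Get-ResolverVerdict -Server $server -DcAddresses $dcAddresses
            }
        }
    }
}

function Get-RecentRegistrationFailures {
    # Netlogon logs event 5774 for each record it could not register; the message body
    # names the DNS server the update was sent to (see the event quoted in the question).
    $regex = 'DNS server IP address:\s*(\S+)'
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5774 } `
                 -MaxEvents 5 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ip = if ($_.Message -match $regex) { $Matches[1] } else { '?' }
            [pscustomobject]@{ Time = $_.TimeCreated; SentTo = $ip }
        }
}

Get-DcResolverReport | Format-Table -AutoSize
Get-RecentRegistrationFailures | Format-Table -AutoSize
# Once the resolver list is corrected, 'nltest.exe /dsregdns' (the action the event text
# itself recommends) re-registers the DC's records.
```

In the situation described, the first table shows the ISP address on the DC's own interface with a BAD verdict, and every 5774 event names that same address; the fix is on the DC's NIC, not on the SonicWall, which only sees the authentication failures that follow once clients cannot locate the DC.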
Prepare 2003 Forest/Domain for 2008 R2 or 2012 Domain Controllers
Hi,
I would be grateful if you could help me with this:
We have a single Forest/Single Domain structure which is managed by 4 Windows Server 2003 Std Edition servers. We are now trying to add a Server 2008 R2 as a domain controller. I have followed lots of articles on MS and other websites with regards to preparing the Forest and domain before promoting the new server and here is what I got so far:
Schema master - Windows 2003 SE
FFL/DFL both set to 2003
Run Adprep32.exe (found it on 2008 R2 disc) /forestprep and the outcome was:
lDAPDisplayName "uidNumber" defined for object "CN=VintelauidNumber,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk" conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the lDAPDisplayName value uidNumber and resolve this inconsistency. Then run adprep again.
==============================================================================
OID "1.3.6.1.1.1.1.0" defined for object CN=Vintela-uidNumber,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.0" and resolve this inconsistency. Then run adprep again.
==============================================================================
lDAPDisplayName "gidNumber" defined for object "CN=Vintela-gidNumber,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk" conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the lDAPDisplayName value gidNumber and resolve this inconsistency. Then run adprep again.
==============================================================================
OID "1.3.6.1.1.1.1.1" defined for object CN=Vintela-gidNumber,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.1" and resolve this inconsistency. Then run adprep again.
==============================================================================
lDAPDisplayName "gecos" defined for object "CN=Vintela-gecos,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk" conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the lDAPDisplayName value gecos and resolve this inconsistency. Then run adprep again.
==============================================================================
OID "1.3.6.1.1.1.1.2" defined for object CN=Vintela-gecos,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.2" and resolve this inconsistency. Then run adprep again.
==============================================================================
lDAPDisplayName "unixHomeDirectory" defined for object "CN=Vintela-homeDirectory,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk" conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the lDAPDisplayName value unixHomeDirectory and resolve this inconsistency. Then run adprep again.
==============================================================================
OID "1.3.6.1.1.1.1.3" defined for object CN=Vintela-homeDirectory,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.3" and resolve this inconsistency. Then run adprep again.
==============================================================================
lDAPDisplayName "loginShell" defined for object "CN=VintelaloginShell,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk" conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the lDAPDisplayName value loginShell and resolve this inconsistency. Then run adprep again.
==============================================================================
OID "1.3.6.1.1.1.1.4" defined for object CN=Vintela-loginShell,CN=Schema,CN=Configuration,DC=Domain,DC=co,DC=uk conflicts with the schema extensions needed for Windows Server 2008 R2.
[Status/Consequence]
Adprep will not extend your existing schema.
[User Action]
Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.4" and resolve this inconsistency. Then run adprep again.
On the Schema master, I ran the AD Schema MMC and deactivated the object for Vintela, then ran adprep32 /forestprep again, and still got the same result.
Would you please advise what else can/must be done? Does anyone know anything about Vintela (Quest VAS) and how to get rid of it?
Thanks for your help in advance.
Hi,
Thanks for your post.
In this case, the most likely cause is that the OIDs are in conflict with the 2008 /forestprep. Could you please let me know if the forest functional level is 2003? If not, please raise it to 2003.
For the information about how to raise functional level, please refer to the articles as below:
What Are Active Directory Functional Levels?
http://technet.microsoft.com/en-us/library/cc787290(WS.10).aspx
Raise the Domain Functional Level
http://technet.microsoft.com/en-us/library/cc753104.aspx
Raise the Forest Functional Level
http://technet.microsoft.com/en-us/library/cc730985.aspx
What is the Impact of Upgrading the Domain or Forest Functional Level?
http://blogs.technet.com/b/askds/archive/2011/06/14/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level.aspx
Besides, for the best practice, we can back up all domain controllers’ system state for the unexpected issues. Here is one article related to backup Active Directory.
Backing up Active Directory
http://technet.microsoft.com/en-us/library/cc961924.aspx
I hope this information is helpful for you. If there is anything that requires further clarification, please don’t hesitate to let me know.
Best regards,
Ann
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. -
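Before contacting the vendor, it helps to see exactly which schema objects are holding the names and OIDs that adprep complains about, and whether the deactivation actually took. The following is an added example for the adprep/Vintela thread above, not code from the thread; the attribute names and OIDs are the ones printed in the adprep output, and it assumes the RSAT ActiveDirectory module on a machine joined to the forest.

```powershell
# Added example (not from the thread): list the schema objects whose lDAPDisplayName or
# attributeID (OID) collides with the RFC 2307 attributes the Windows Server 2008 R2
# schema extension wants to add, and show whether each one is already defunct.
Import-Module ActiveDirectory

# Names and OIDs copied from the adprep output in the thread.
$conflicts = @(
    @{ Name = 'gecos';             Oid = '1.3.6.1.1.1.1.2' },
    @{ Name = 'unixHomeDirectory'; Oid = '1.3.6.1.1.1.1.3' },
    @{ Name = 'loginShell';        Oid = '1.3.6.1.1.1.1.4' }
)

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext

# adprep /forestprep has to run against the schema master, and identifier reuse after
# deactivation depends on the forest functional level, so show both up front.
Get-ADForest | Select-Object SchemaMaster, ForestMode

foreach ($c in $conflicts) {
    $filter = "(|(lDAPDisplayName=$($c.Name))(attributeID=$($c.Oid)))"
    Get-ADObject -SearchBase $schemaNC -LDAPFilter $filter `
        -Properties lDAPDisplayName, attributeID, isDefunct, whenCreated |
        Select-Object Name, lDAPDisplayName, attributeID, isDefunct, whenCreated
}
```

If a row shows isDefunct as False, the deactivation in the Schema MMC did not replicate to the schema master you are querying (or was done on a different DC). If it shows True and adprep still reports the conflict, note that a defunct schema object's lDAPDisplayName and OID only become reusable when the forest functional level is Windows Server 2003 or higher, which is why the reply above asks about the functional level. Schema changes are forest-wide and irreversible, so take the system state backup the reply recommends before touching anything.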
Difference between Windows NT domain registry and Active Directory registry
What are the difference(s) ?
Frank, thanks for your response :)
I want WebSphere Application Server to take advantage of a directory service. There are multiple options available for a directory service.
In my configuration the requirement is to make WebSphere Application server to use Microsoft's Active Directory.
While I was going through (WebSphere) documentation, I see following note.
" With Windows NT domain registry support for Windows 2000 and 2003 domain
controllers, WebSphere Application Server only supports Global groups that are the Security type. It is recommended that you use the Active Directory registry support rather than a Windows NT domain registry if you use Windows 2000 and 2003 domain controllers
because the Active Directory supports all group scopes and types. The Active Directory also supports a nested group that is not support by Windows NT domain registry. The Active Directory is a centralized control registry."
You can find the above note in this link (somewhere after 7th line)
http://www-01.ibm.com/support/knowledgecenter/SSAW57_7.0.0/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/csec_localos.html?cp=SSAW57_7.0.0%2F3-11-5-1-0-0
Does it mean that they are recommending to use Active Directory over Windows NT (which is an older approach) with Windows Server 2000 or Windows Server 2003 because Active Directory is more advanced?
I was under the impression that Active Directory was started with Microsoft Windows Server 2003 and the Windows NT registry was used till Windows 2000 Server.
After going through the above links:
The Windows NT registry is an old method. However, it is compatible with Windows Server 2000 and Windows Server 2003, but it is recommended to use Active Directory with Windows Server 2003 as it is more advanced. And the same is recommended in the WebSphere documentation
(I am aware that support for Windows Server 2000 is over and only extended support is available for Windows Server 2003; however, this is to clear up a doubt). Is my understanding correct? And does Windows Server 2000 also support both, i.e. can we use either the Windows
NT registry or Active Directory, and similarly, could either of them (Windows NT or Active Directory) be used with Windows Server 2003?
And if I got it correct, are Windows NT and Active Directory both directory service offerings from Microsoft, with NT being an old method and Active Directory being a new/advanced approach? -
Bit locker on Windows 2012 r2 AD And Win 8.1 Client
Can anyone give guidelines/articles for configuring BitLocker on Windows 2012 R2 AD with a Win 8.1 client?
I am looking for detailed directions on backing up the BitLocker & TPM recovery key to AD.
Hello,
please start with
https://technet.microsoft.com/en-us/library/dn383581.aspx and
https://technet.microsoft.com/en-us/library/jj592683.aspx?f=255&MSPPError=-2147217396
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://blogs.msmvps.com/MWeber
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
Twitter: -
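The two articles linked above cover the GPO side (Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > "Store BitLocker recovery information in Active Directory Domain Services", and the separate "Turn on TPM backup to Active Directory Domain Services" policy under Trusted Platform Module Services). What they do not show is how to escrow the recovery password for a volume that was already encrypted before the policy arrived, and how to confirm it landed on the computer object. The following is an added example for the BitLocker question above, not code from the thread or from Microsoft; it assumes a Windows 8.1 client with the BitLocker PowerShell module, a domain schema that includes the msFVE-RecoveryInformation class (Windows Server 2008 or later), and the RSAT ActiveDirectory module for the verification part.

```powershell
# Added example (not from the thread): escrow the OS volume's BitLocker recovery password
# to AD DS and then verify it from an admin workstation.

# --- On the client (run elevated) ---
$vol = Get-BitLockerVolume -MountPoint 'C:'

# Only a RecoveryPassword protector can be escrowed; TPM and PIN protectors cannot.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# Back up every recovery password protector. Re-running this is harmless: AD keeps one
# msFVE-RecoveryInformation child object per protector GUID.
foreach ($p in $rp) {
    Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $p.KeyProtectorId
}

# --- On an admin workstation with RSAT: verify the escrow ---
Import-Module ActiveDirectory
$clientName = 'WIN81-CLIENT'   # hypothetical computer name; substitute the real one
$computer   = Get-ADComputer -Identity $clientName

# Recovery information is stored as child objects directly under the computer object.
Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
    -Properties msFVE-RecoveryPassword, whenCreated |
    Select-Object Name, whenCreated, msFVE-RecoveryPassword
```

Two caveats a practitioner will want: first, Backup-BitLockerKeyProtector fails silently into an error if the client cannot reach a writable DC at that moment, so check the command's output rather than assuming success; second, the msFVE-RecoveryPassword attribute is readable by Domain Admins by default and by anyone you delegate read access to on the computer objects, so treat that delegation like access to the volumes themselves and audit it.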
Windows 2012 answer file and DVD drive letter
Hi
My question is about applying an unattend XML file to a WIM file. I have read other threads here but still I can't get it to work. So here is the situation:
I installed Windows 2012, then I sysprepped it, then I created a WIM file with the DISM tool, and then I have a very simple answer file. I use DISM to mount the image and then use DISM /apply-unattend to push my answer file into my WIM file. Now
the issue is, when I load this image into a VM using the DISM tool, everything goes fine, and when the server comes up for the first time I see the language settings page asking for "Country or region", "App Language" and "keyboard layout";
when I hit Next, it asks for the license agreement, and after confirming that one I can log in to Windows. How can I hide those 2 windows? My small answer file is:
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="windowsPE">
<component name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SetupUILanguage>
<UILanguage>en-US</UILanguage>
<WillShowUI>Never</WillShowUI>
</SetupUILanguage>
<InputLocale>en-US</InputLocale>
<SystemLocale>en-US</SystemLocale>
<UILanguage>en-US</UILanguage>
<UserLocale>en-US</UserLocale>
</component>
<component name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<UserData>
<AcceptEula>true</AcceptEula>
</UserData>
</component>
</settings>
<settings pass="specialize">
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<TimeZone>Mountain Standard Time</TimeZone>
</component>
</settings>
<settings pass="oobeSystem">
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<TimeZone>Mountain Standard Time</TimeZone>
</component>
</settings>
<cpi:offlineImage cpi:source="wim:c:/win2012/install.wim#Windows Server 2012 R2 SERVERSTANDARD" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend>
Can somebody please let me know what I am doing wrong? I was assuming that after applying the unattended XML file, when I do DISM /apply-image it is going to use my answer file....
I have one more question as well:
In 2012, I changed the DVD drive letter from D to Z and then sysprepped it. In the target VM, when I load my image, the DVD drive is D again.
I guess when sysprep generalizes everything, the DVD drive gets detected again and Windows assigns the first available letter to it. My second question is: is there any way to make the drive letter setting stay the same on the target computer?
Your help is much appreciated!
Hi,
Where did you put the answer file? Windows has several places to check the files, you can refer to the following article, notice Implicit Answer File Search Order.
Windows Setup Automation Overview
http://technet.microsoft.com/en-in/library/hh824950.aspx
For DVD drive letter, I think you can assign it via a script with diskpart command:
Assign, change, or remove a drive letter
http://technet.microsoft.com/en-in/library/cc757491(v=ws.10).aspx#BKMK_CMD
Include a Custom Script in a Windows PE Image
http://technet.microsoft.com/en-us/library/cc766521(v=ws.10).aspx
Hope this helps. -
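The implicit answer file search order linked above is the key to the first question, and there is a second detail in the posted file: the windowsPE pass only runs under Setup.exe, so when an image is laid down with DISM /Apply-Image the Microsoft-Windows-International-Core-WinPE component and the Setup/UserData AcceptEula setting are never processed, which is exactly why the language page and the EULA page still appear. The settings that do run on first boot of an applied image live in the oobeSystem pass. The following is an added example, not code from the thread or from Microsoft: it rewrites the posted answer file accordingly and places it inside the image where Setup will find it. The WIM path, image name, en-US locale and Mountain Standard Time are taken from the post; the mount directory and everything else are hypothetical.

```powershell
# Added example (not from the thread): inject an answer file into a sysprepped WIM so that
# the language and EULA pages are suppressed when the image is applied with DISM.
$wim   = 'C:\win2012\install.wim'
$index = 'Windows Server 2012 R2 SERVERSTANDARD'
$mount = 'C:\mount'   # hypothetical mount directory

# International-Core (not the -WinPE variant) and OOBE/HideEULAPage in oobeSystem replace the
# windowsPE components from the original file, which DISM-applied images never process.
$unattend = @'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <TimeZone>Mountain Standard Time</TimeZone>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <InputLocale>en-US</InputLocale>
      <SystemLocale>en-US</SystemLocale>
      <UILanguage>en-US</UILanguage>
      <UserLocale>en-US</UserLocale>
    </component>
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <OOBE>
        <HideEULAPage>true</HideEULAPage>
      </OOBE>
    </component>
  </settings>
</unattend>
'@

New-Item -ItemType Directory -Path $mount -Force | Out-Null
Mount-WindowsImage -ImagePath $wim -Name $index -Path $mount

# Use-WindowsUnattend (DISM /Apply-Unattend) applies only the offlineServicing pass.
# specialize and oobeSystem settings must be on disk where the implicit search order
# looks: %WINDIR%\Panther\Unattend\Unattend.xml.
$dest = Join-Path $mount 'Windows\Panther\Unattend'
New-Item -ItemType Directory -Path $dest -Force | Out-Null
Set-Content -Path (Join-Path $dest 'Unattend.xml') -Value $unattend -Encoding UTF8

Dismount-WindowsImage -Path $mount -Save
```

One caveat worth knowing before extending this file: if you later add an AdministratorPassword or AutoLogon section, the value is at best base64-encoded, never encrypted, and the file stays readable on every machine built from the image unless you remove it after deployment.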
Difference between domain controllers and group policy objects in GPMC
Hello,
I am in confusion; can someone tell me the difference between
1. Domain Controllers > Default Domain Controllers Policy and
2. Group Policy Objects > Default Domain Controllers Policy
in the Group Policy Management Console? I would also like to know where to define these categories. I normally use the second option.
I have attached screenshot for your information.
regards,
Dharanesh,
The first/upper item is a link to the GPO; the second/lower item is the actual GPO.
(Notice the link has a shortcut arrow showing.)
By default, when you double-click on a link, a message will display which says "You have clicked on a link....." and the message box offers a checkbox for "Do not display this message again..."
Effectively they are equivalent to a shortcut-to-a-file vs. the actual file.
Don
(Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!) -
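The shortcut-versus-file analogy above can be made concrete from PowerShell: the GPO is an object identified by a GUID, and the link is nothing more than an entry in the gPLink attribute of the OU that references that GUID. The following is an added example for the GPMC question above, not code from the thread; it assumes the GroupPolicy and ActiveDirectory RSAT modules.

```powershell
# Added example (not from the thread): show the Default Domain Controllers Policy twice,
# once as the object and once as the link on the Domain Controllers OU.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$dcOU = (Get-ADDomain).DomainControllersContainer

# 1. The object (what the "Group Policy Objects" container lists): one per GUID.
$gpo = Get-GPO -Name 'Default Domain Controllers Policy'
$gpo | Select-Object DisplayName, Id, GpoStatus, ModificationTime

# 2. The link (what the "Domain Controllers" node lists): a reference from the OU to the
#    GUID, carrying link-scoped state (Enabled, Enforced, Order) that the object lacks.
$links = (Get-GPInheritance -Target $dcOU).GpoLinks
$links | Select-Object DisplayName, GpoId, Enabled, Enforced, Order

# 3. The raw form of the link: the OU's gPLink attribute is a string of [LDAP-path;flags]
#    entries, so deleting the OU entry removes the link, not the GPO.
(Get-ADObject -Identity $dcOU -Properties gPLink).gPLink

# Sanity check: the link resolves to the object above.
$links | Where-Object GpoId -eq $gpo.Id
```

The distinction matters for delegation as much as for navigation: editing the GPO requires write access on the GPO object, while linking or unlinking it requires write access to gPLink on the OU. Those are separate rights, and a principal holding the second one on a high-value OU such as Domain Controllers can attach any GPO they can already edit elsewhere, so audit both.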
Windows 2012 storage server and tier with external SSD disks
Hi
My query is: in case I have one SAN storage with SSD and FC disks connected to a Windows 2012 storage server, will Windows be able to manage tiering between the two types of disks if the volumes are properly assigned and formatted?
Regards
Hi,
Short answer: No, not automatically. Long answer: Yes, it can be done, but with some tricks. First you'll have to make your SAN export LUs built from flash and from spindles, at least one of each (see URL below). Then you'll have to build storage spaces (even
clustered, but that's not officially supported for non-SAS disks) from them.
See:
Configure Tiering with Windows Server 2012 R2
http://blogs.technet.com/b/askpfeplat/archive/2013/10/21/storage-spaces-how-to-configure-storage-tiers-with-windows-server-2012-r2.aspx
Both LUs would have a non-SSD type reported, so you'll have to manually assign with PowerShell which is flash and which is spindle.
"Notice that the SSD devices were detected as SSD media. However, in this case the physical drives show as unknown.
If yours are not detected like in this example, they should be set correctly which can be done using PowerShell. "
Hope this helped :)
StarWind VSAN [Virtual SAN] clusters Hyper-V without SAS, Fibre Channel, SMB 3.0 or iSCSI, uses Ethernet to mirror internally mounted SATA disks between hosts.
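The steps in the answer above (pool the two LUNs, override the media type Windows reports as Unknown, create one tier per media type, carve a tiered space) map onto standard Windows Server 2012 R2 cmdlets. The following is an added example for that answer, not code from the thread or from the linked article; the pool and disk names, the tier sizes, and the assumption that the smaller LUN is the flash one are hypothetical.

```powershell
# Added example (not from the thread): build a tiered Storage Space from two SAN LUNs whose
# MediaType Windows reports as Unknown.
$poolName = 'SanTieredPool'   # hypothetical

$disks = @(Get-PhysicalDisk -CanPool $true)
if ($disks.Count -lt 2) {
    throw 'Need at least one flash LUN and one spindle LUN that can be pooled.'
}

New-StoragePool -FriendlyName $poolName -StorageSubSystemFriendlyName 'Storage Spaces*' `
    -PhysicalDisks $disks | Out-Null

# Tiering requires MediaType SSD and HDD; SAN LUNs usually report Unknown. The smaller LUN
# is assumed (hypothetically) to be flash. In practice match UniqueId against the array's
# LUN inventory instead of guessing from size.
$sorted = @(Get-StoragePool -FriendlyName $poolName | Get-PhysicalDisk | Sort-Object Size)
Set-PhysicalDisk -UniqueId $sorted[0].UniqueId  -MediaType SSD
Set-PhysicalDisk -UniqueId $sorted[-1].UniqueId -MediaType HDD

$ssdTier = New-StorageTier -StoragePoolFriendlyName $poolName -FriendlyName 'SSDTier' -MediaType SSD
$hddTier = New-StorageTier -StoragePoolFriendlyName $poolName -FriendlyName 'HDDTier' -MediaType HDD

# Tiered spaces must be fixed-provisioned, and each tier size must fit inside the
# corresponding media's free capacity or the call fails.
New-VirtualDisk -StoragePoolFriendlyName $poolName -FriendlyName 'TieredData' `
    -StorageTiers $ssdTier, $hddTier -StorageTierSizes 50GB, 500GB `
    -ResiliencySettingName Simple -ProvisioningType Fixed | Out-Null

# Confirm the media types and tiers the pool now believes in.
Get-StoragePool -FriendlyName $poolName | Get-PhysicalDisk |
    Select-Object FriendlyName, UniqueId, MediaType, Size
Get-StorageTier -StoragePoolFriendlyName $poolName |
    Select-Object FriendlyName, MediaType, Size
```

Set-PhysicalDisk -MediaType is a label, not a measurement: if the guess is wrong the optimizer will faithfully move hot data onto the spindle LUN, so verify the mapping against the array before creating the virtual disk. The Simple resiliency used here has no redundancy at the Windows layer and relies entirely on the SAN's own RAID.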