Windows 2012 - SYSVOL replication and NETLOGON share

Similar Messages

• DSGETDCNAME advertising test failing. SYSVOL and NETLOGON shares not replicating. Please help!!!

  Hello all. We are currently running a Windows Server 2003 ADDC as a virtual machine on a Windows Server 2012 host using Hyper-V. We have recently added a second Windows Server 2012 ADDC also as a Hyper-V VM. I promoted the 2k12 to a DC, transferred all FMOS
  roles, and tested AD replication. All AD data was replicated fine. However a DCDIAG (the results of which I have attached to this post) show a few errors.
  First off, it is failing the advertising test. This is more than likely due to a DNS error. Unfortunately, I can not seem to find the error within the DNS to resolve it. 
  Secondly, it is failing the KccEvent test; also seeming as a DNS related error.
  Thirdly, both SYSVOL and NETLOGON shares were not successfully replicated. This is likely the basis for the other issues. Without these successfully replicated, I can not demote the 2K3 server; which is the goal in the end, to replace the old server with
  the new. 
  I am willing to try just about anything, so any suggestions would be greatly appreciated. As for what I have tried, I have tried a non-authoritative restore using burr flags with no success. I CAN ping both DCs from each other ensuring connectivity. All
  users can currently log on to the server (due to the fact that the 2K3 server is still running and still holds the SYSVOL and NETLOGON shares).
  Once again, any help would be greatly appreciated! Thank you in advance!
  DCDIAG Output:
  Directory Server Diagnosis
  Performing initial setup:
  Trying to find home server...
  Home Server = RETIRED2012
  * Identified AD Forest.
  Done gathering initial info.
  Doing initial required tests
  Testing server: Default-First-Site\RETIRED2012
  Starting test: Connectivity
  ......................... RETIRED2012 passed test Connectivity
  Doing primary tests
  Testing server: Default-First-Site\RETIRED2012
  Starting test: Advertising
  Warning: DsGetDcName returned information for
  \\retired1.RetireFirst.local, when we were trying to reach
  RETIRED2012.
  SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
  ......................... RETIRED2012 failed test Advertising
  Starting test: FrsEvent
  There are warning or error events within the last 24 hours after the
  SYSVOL has been shared. Failing SYSVOL replication problems may cause
  Group Policy problems.
  ......................... RETIRED2012 passed test FrsEvent
  Starting test: DFSREvent
  ......................... RETIRED2012 passed test DFSREvent
  Starting test: SysVolCheck
  ......................... RETIRED2012 passed test SysVolCheck
  Starting test: KccEvent
  An error event occurred. EventID: 0xC0000827
  Time Generated: 08/09/2013 22:08:34
  Event String:
  Active Directory Domain Services could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory Domain Services from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources.
  A warning event occurred. EventID: 0x80000677
  Time Generated: 08/09/2013 22:10:02
  Event String:
  Active Directory Domain Services attempted to communicate with the following global catalog and the attempts were unsuccessful.
  An error event occurred. EventID: 0xC0000466
  Time Generated: 08/09/2013 22:10:06
  Event String:
  Active Directory Domain Services was unable to establish a connection with the global catalog.
  ......................... RETIRED2012 failed test KccEvent
  Starting test: KnowsOfRoleHolders
  ......................... RETIRED2012 passed test KnowsOfRoleHolders
  Starting test: MachineAccount
  ......................... RETIRED2012 passed test MachineAccount
  Starting test: NCSecDesc
  ......................... RETIRED2012 passed test NCSecDesc
  Starting test: NetLogons
  Unable to connect to the NETLOGON share! (\\RETIRED2012\netlogon)
  [RETIRED2012] An net use or LsaPolicy operation failed with error 67,
  The network name cannot be found..
  ......................... RETIRED2012 failed test NetLogons
  Starting test: ObjectsReplicated
  ......................... RETIRED2012 passed test ObjectsReplicated
  Starting test: Replications
  ......................... RETIRED2012 passed test Replications
  Starting test: RidManager
  ......................... RETIRED2012 passed test RidManager
  Starting test: Services
  ......................... RETIRED2012 passed test Services
  Starting test: SystemLog
  A warning event occurred. EventID: 0x00001695
  Time Generated: 08/09/2013 22:06:48
  Event String:
  Dynamic registration or deletion of one or more DNS records associated with DNS domain 'RetireFirst.local.' failed. These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).
  A warning event occurred. EventID: 0x000003F6
  Time Generated: 08/09/2013 22:06:49
  Event String:
  Name resolution for the name _ldap._tcp.Default-First-Site._sites.dc._msdcs.RetireFirst.local. timed out after none of the configured DNS servers responded.
  A warning event occurred. EventID: 0x00001696
  Time Generated: 08/09/2013 22:07:44
  Event String:
  Dynamic registration or deregistration of one or more DNS records failed with the following error:
  A warning event occurred. EventID: 0x000003F6
  Time Generated: 08/09/2013 22:07:51
  Event String:
  Name resolution for the name retired1.RetireFirst.local timed out after none of the configured DNS servers responded.
  A warning event occurred. EventID: 0x00001695
  Time Generated: 08/09/2013 22:08:23
  Event String:
  Dynamic registration or deletion of one or more DNS records associated with DNS domain 'DomainDnsZones.RetireFirst.local.' failed. These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).
  A warning event occurred. EventID: 0x00001695
  Time Generated: 08/09/2013 22:08:35
  Event String:
  Dynamic registration or deletion of one or more DNS records associated with DNS domain 'ForestDnsZones.RetireFirst.local.' failed. These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).
  An error event occurred. EventID: 0x0000041E
  Time Generated: 08/09/2013 22:08:45
  Event String:
  The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
  An error event occurred. EventID: 0x00000423
  Time Generated: 08/09/2013 22:08:53
  Event String:
  The DHCP service failed to see a directory server for authorization.
  A warning event occurred. EventID: 0x000003F6
  Time Generated: 08/09/2013 22:10:04
  Event String:
  Name resolution for the name isatap timed out after none of the configured DNS servers responded.
  A warning event occurred. EventID: 0x000003F6
  Time Generated: 08/09/2013 22:10:08
  Event String:
  Name resolution for the name e45ad288-70ff-4d9e-adf9-3035e459e126._msdcs.RetireFirst.local timed out after none of the configured DNS servers responded.
  A warning event occurred. EventID: 0x000003F6
  Time Generated: 08/09/2013 22:10:21
  Event String:
  Name resolution for the name _ldap._tcp.Default-First-Site._sites.dc._msdcs.RetireFirst.local. timed out after none of the configured DNS servers responded.
  An error event occurred. EventID: 0x00000423
  Time Generated: 08/09/2013 22:11:14
  Event String:
  The DHCP service failed to see a directory server for authorization.
  An error event occurred. EventID: 0x0000041E
  Time Generated: 08/09/2013 22:13:45
  Event String:
  The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
  ......................... RETIRED2012 failed test SystemLog
  Starting test: VerifyReferences
  ......................... RETIRED2012 passed test VerifyReferences
  Running partition tests on : ForestDnsZones
  Starting test: CheckSDRefDom
  ......................... ForestDnsZones passed test CheckSDRefDom
  Starting test: CrossRefValidation
  ......................... ForestDnsZones passed test
  CrossRefValidation
  Running partition tests on : DomainDnsZones
  Starting test: CheckSDRefDom
  ......................... DomainDnsZones passed test CheckSDRefDom
  Starting test: CrossRefValidation
  ......................... DomainDnsZones passed test
  CrossRefValidation
  Running partition tests on : Schema
  Starting test: CheckSDRefDom
  ......................... Schema passed test CheckSDRefDom
  Starting test: CrossRefValidation
  ......................... Schema passed test CrossRefValidation
  Running partition tests on : Configuration
  Starting test: CheckSDRefDom
  ......................... Configuration passed test CheckSDRefDom
  Starting test: CrossRefValidation
  ......................... Configuration passed test CrossRefValidation
  Running partition tests on : RetireFirst
  Starting test: CheckSDRefDom
  ......................... RetireFirst passed test CheckSDRefDom
  Starting test: CrossRefValidation
  ......................... RetireFirst passed test CrossRefValidation
  Running enterprise tests on : RetireFirst.local
  Starting test: LocatorCheck
  ......................... RetireFirst.local passed test LocatorCheck
  Starting test: Intersite
  ......................... RetireFirst.local passed test Intersite

  Thank you for your response first of all! And in response:
  1. "Retired1" is the 2k3 ADDC / DNS Server. It currently has a different IP than the 2K12 Server. Verified with ipconfig/all.
  2. I set 2K12 to only 2K3 for DNS; no external ISP servers or itself listed. Registered DNS, restarted netlogon; no success.
  3. ipconfig/all for 2K12 server here:
  Windows IP Configuration
  Host Name . . . . . . . . . . . . : RETIRED2012
  Primary Dns Suffix . . . . . . . : RetireFirst.local
  Node Type . . . . . . . . . . . . : Hybrid
  IP Routing Enabled. . . . . . . . : No
  WINS Proxy Enabled. . . . . . . . : No
  DNS Suffix Search List. . . . . . : RetireFirst.local
  Ethernet adapter Ethernet:
  Connection-specific DNS Suffix . :
  Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
  Physical Address. . . . . . . . . : 00-15-5D-01-33-0A
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes
  Link-local IPv6 Address . . . . . : fe80::8159:4f0c:4071:d780%12(Preferred)
  IPv4 Address. . . . . . . . . . . : 172.21.69.246(Preferred)
  Subnet Mask . . . . . . . . . . . : 255.255.255.192
  Default Gateway . . . . . . . . . : 172.21.69.250
  DHCPv6 IAID . . . . . . . . . . . : 251663709
  DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-74-BE-C0-00-15-5D-01-33-0A
  DNS Servers . . . . . . . . . . . : 172.21.69.240
  NetBIOS over Tcpip. . . . . . . . : Enabled
  Tunnel adapter isatap.{8317BEC2-079A-4846-B6B2-1AE3E2784691}:
  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix . :
  Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
  Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes
  4. The 2K12 is a GC; yes.
  Thanks again and hopefully we can work this out!
  Seems like you have/had a server named "retired1" with the same IP address as the new 2012 server? (if this is a old server) remove all references to it in DNS
  Make sure that on the 2012 server in the TCP/IP DNS Settings, you only point to the 2003 DC for DNS (Not it self for now, and no external ISP DNS servers) - Run ipconfig /registerdns and restart the netlogon service on the 2012 server.
  Can you post and unedited output of ipconfig /all from the 2012 server?
  Did you make the 2012 server a global catalog? (if not I would recommend that)http://support.microsoft.com/kb/296882
  Seems like you have/had a server named "retired1" with the same IP address as the new 2012 server? (if this is a old server) remove all references to it in DNS
  Make sure that on the 2012 server in the TCP/IP DNS Settings, you only point to the 2003 DC for DNS (Not it self for now, and no external ISP DNS servers) - Run ipconfig /registerdns and restart the netlogon service on the 2012 server.
  Can you post and unedited output of ipconfig /all from the 2012 server?
  Did you make the 2012 server a global catalog? (if not I would recommend that)http://support.microsoft.com/kb/296882
  Seems like you have/had a server named "retired1" with the same IP address as the new 2012 server? (if this is a old server) remove all references to it in DNS
  Make sure that on the 2012 server in the TCP/IP DNS Settings, you only point to the 2003 DC for DNS (Not it self for now, and no external ISP DNS servers) - Run ipconfig /registerdns and restart the netlogon service on the 2012 server.
  Can you post and unedited output of ipconfig /all from the 2012 server?
  Did you make the 2012 server a global catalog? (if not I would recommend that)http://support.microsoft.com/kb/296882

• Want to modify sysvol and netlogon share permissions

  HI all,
  As per security concern we need to remove the everyone from share permission on SYSVOL and NETLOGON share.......can anyone provide me the suggesstion for the same...or any documented article which says that how to do it or what precaution showld we take....
  Or if the permission is by design has any document or Kb article which says the permission should not be changed.
  Appreciate any help.
  Thanks........
  Ahmed Gaziyani Enterprise Admin.

  Hello,
  If you remove such permission then you will have issues in appliance of group policies and netlogon scripts on your users. Users should have at least read permission on the SYSVOL folder so that group policies and netlogon scripts will be applied.
  More if you ask them here: http://social.technet.microsoft.com/Forums/en-US/winserverGP/threads
  This
  posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
  Microsoft Student
  Partner 2010 / 2011
  Microsoft Certified
  Professional
  Microsoft Certified
  Systems Administrator: Security
  Microsoft Certified
  Systems Engineer: Security
  Microsoft Certified
  Technology Specialist: Windows Server 2008 Active Directory, Configuration
  Microsoft Certified
  Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
  Microsoft Certified
  Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
  Microsoft
  Certified Technology Specialist: Windows 7, Configuring
  Microsoft
  Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
  Microsoft Certified
  IT Professional: Enterprise Administrator
  Microsoft Certified IT Professional: Server Administrator
  Microsoft Certified Trainer

• Monitor Sysvol and netlogon Share availability on domain controllers

   I need to monitor availability of sysvol and Netlogon shares on all our domain controllers around 20 in all.
  What is the best way for us to do that.
  I have seen scripts that monitor share availability but that would mean i create 40 such 2 times script monitors , that is too much of manual work..
  Any advice.

  I looked into the discovered Inventory (SysVol for windows 2008)  I see all theobjects 
  But the path shows as dc01.domain.com\dc01\sysvol
  However we never get notified when the sysvol share is inaccessible.
  We have had a number of cases when the DC is online but somehow we cant access the sysvol share
  We need a monitor to alert us in such a case;
  I modified the our script to include %computername%  and targeted it to all dC's  group,
  Dim oAPI, oBag
  Set oAPI = CreateObject("MOM.ScriptAPI")
  Set oBag = oAPI.CreatePropertyBag()
  Set objFSO = CreateObject("Scripting.FileSystemObject")
  strFile = "\\%computername%\sysvol\"
  If objFSO.FolderExists(strFile) Then
  Call oBag.AddValue("Status","Exist")
  Call oAPI.Return(oBag)
  Else
  Call oBag.AddValue("Status","NotExist")
  Call oAPI.Return(oBag)
  End If
  However the monitor alerted critical  immediately.
  How should the monitor be.
  I though if i put \\%computername%\sysvol\ in the script and send it to all the DC's group then it will start monitoring as \\dc01\sysvol etc

• Pls help: SYSVOL and NetLOGON share not ready after creating first Windows 2012 DC

  Hi all,
  I'm setting up the first DC on Windows server 2012 following steps here (social.technet.microsoft.com/wiki/contents/articles/12370.step-by-step-guide-for-setting-up-a-windows-server-2012-domain-controller.aspx).
  DCdiag gives following errors in SysVolCheck, services, and Netlogons while the rest of tests are successful:
  ------------------------- cut here --------------------------
        Test omitted by user request: DFSREvent
        Starting test: SysVolCheck
           * The File Replication Service SYSVOL ready test
           [ORT001C] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
           The registry lookup failed to determine the state of the SYSVOL.  The error returned  was 0x43
           "The network name cannot be found.".  Check the FRS event log to see if the SYSVOL has successfully been
           shared.
           ......................... ORT001C failed test SysVolCheck
  [snipped]
       Starting test: Services
          Could not open Remote ipc to [ort001c.ad1.mydomain]: error 0x43 "The network name cannot be found."
          ......................... ORT001C failed test Services
  [snipped]
        Starting test: NetLogons
           * Network Logons Privileges Check
           [ORT001C] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
           ......................... ORT001C failed test NetLogons
  ------------------------- cut here --------------------------
  Some information collected:
  ----------------------- cut here --------------------
  - net share
  Share name   Resource                        Remark
  C$           C:\                             Default share
  IPC$                                         Remote IPC
  ADMIN$       C:\Windows                      Remote Admin
  NETLOGON     C:\Windows\SYSVOL\sysvol\ad1.mydomain\SCRIPTS
  Logon server share
  SYSVOL       C:\Windows\SYSVOL\sysvol        Logon server share
  The command completed successfully.
  dnslint /ad /s <DC IP>:   no error
  - nltest /server:ort001c.ad1.mydomain /dsgetdc:AD1.MYDOMAIN
             DC: \\ort001c.ad1.mydomain
        Address: \\192.168.1.77
       Dom Guid: 9faa9bae-faae-42be-bf45-05a1d77b2bf0
       Dom Name: ad1.mydomain
    Forest Name: ad1.mydomain
   Dc Site Name: Default-First-Site-Name
  Our Site Name: Default-First-Site-Name
          Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS DS_8 DS_9
  The command completed successfully
  - repadmin /showrepl
  Repadmin: running command
  /showrepl against full DC localhost
  Default-First-Site-Name\ORT001C
  DSA Options: IS_GC
  Site Options: (none)
  DSA object GUID: ff4092a2-62d8-4b83-a4d4-fec6920d8535
  DSA invocationID: ff4092a2-62d8-4b83-a4d4-fec6920d8535
  - netdom query /domain:AD1 fsmo
  Schema master              
  ort001c.ad1.mydomain
  Domain naming master
         ort001c.ad1.mydomain
  PDC                        
  ort001c.ad1.mydomain
  RID pool manager           
  ort001c.ad1.mydomain
  Infrastructure master
        ort001c.ad1.mydomain
  The command completed
  successfully.
  ----------------------- cut here --------------------
  Besides, DFSR instead of FRS is used.
  Sorry that I'm newbie to Windows and afraid if I've anything missed.   Would anyone please help?
  Thanks a lot.
  /ST Wong

  Hi all,
  Thanks for your advice.  I updated following settings and restart the server:
  - IPv6: set both address/DNS to dynamic
  - IPv4: Add 127.0.0.1 as alternate DNS server
  Same error reported in dcdiag.   Besides, the server name used by nslookup is Unknown.
  I'm afraid if I've something missed :(
  Sorry for the trouble caused.  Thanks a lot.
  Regards,
  /ST Wong
  --------------- cut here ---------------
  C:\Users\Administrator>ipconfig /all
  Windows IP Configuration
     Host Name . . . . . . . . . . . . : ort001c
     Primary Dns Suffix  . . . . . . . : ad1.mydomain
     Node Type . . . . . . . . . . . . : Hybrid
     IP Routing Enabled. . . . . . . . : No
     WINS Proxy Enabled. . . . . . . . : No
     DNS Suffix Search List. . . . . . : ad1.mydomain
  Ethernet adapter Ethernet:
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connectio
  n
     Physical Address. . . . . . . . . : 00-50-56-AA-1C-6D
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
     Link-local IPv6 Address . . . . . : fe80::dd03:5eec:b396:a323%12(Preferred)
     IPv4 Address. . . . . . . . . . . : 192.168.1.77(Preferred)
     Subnet Mask . . . . . . . . . . . : 255.255.255.0
     Default Gateway . . . . . . . . . : 192.168.1.1
     DHCPv6 IAID . . . . . . . . . . . : 302010454
     DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-57-D0-61-00-50-56-AA-1C-6D
     DNS Servers . . . . . . . . . . . : 192.168.1.77
        127.0.0.1
     NetBIOS over Tcpip. . . . . . . . : Enabled
  Tunnel adapter isatap.{598372EC-A809-493B-8E25-004F6D4655E2}:
     Media State . . . . . . . . . . . : Media disconnected
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
     Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
  Tunnel adapter Teredo Tunneling Pseudo-Interface:
     Media State . . . . . . . . . . . : Media disconnected
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
     Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
  C:\Users\Administrator>nslookup ort001c.ad1.mydomain
  Server:  UnKnown
  Address:  192.168.1.77
  Name:    ort001c.ad1.mydomain
  Address:  192.168.1.77
  C:\Users\Administrator>nslookup ad1.mydomain
  Server:  UnKnown
  Address:  192.168.1.77
  Name:    ad1.mydomain
  Address:  192.168.1.77
  PS C:\Users\Administrator> dcdiag
  Directory Server Diagnosis
  Performing initial setup:
     Trying to find home server...
     Home Server = ort001c
     * Identified AD Forest.
     Done gathering initial info.
  Doing initial required tests
     Testing server: Default-First-Site-Name\ORT001C
        Starting test: Connectivity
           ......................... ORT001C passed test Connectivity
  Doing primary tests
     Testing server: Default-First-Site-Name\ORT001C
        Starting test: Advertising
           ......................... ORT001C passed test Advertising
        Starting test: FrsEvent
           ......................... ORT001C passed test FrsEvent
        Starting test: DFSREvent
           ......................... ORT001C passed test DFSREvent
        Starting test: SysVolCheck
           [ORT001C] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
           ......................... ORT001C failed test SysVolCheck
        Starting test: KccEvent
           ......................... ORT001C passed test KccEvent
        Starting test: KnowsOfRoleHolders
           ......................... ORT001C passed test KnowsOfRoleHolders
        Starting test: MachineAccount
           Could not open pipe with [ORT001C]:failed with 67: The network name cannot be found.
           Could not get NetBIOSDomainName
           Failed can not test for HOST SPN
           Failed can not test for HOST SPN
           ......................... ORT001C passed test MachineAccount
        Starting test: NCSecDesc
           ......................... ORT001C passed test NCSecDesc
        Starting test: NetLogons
           [ORT001C] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
           ......................... ORT001C failed test NetLogons
        Starting test: ObjectsReplicated
           ......................... ORT001C passed test ObjectsReplicated
        Starting test: Replications
           ......................... ORT001C passed test Replications
        Starting test: RidManager
           ......................... ORT001C passed test RidManager
        Starting test: Services
           Could not open Remote ipc to [ort001c.ad1.mydomain]: error 0x43 "The network name cannot be found."
           ......................... ORT001C failed test Services
        Starting test: SystemLog
           A warning event occurred.  EventID: 0x00001796
              Time Generated: 01/14/2014   10:26:57
              Event String:
              Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and t
  his server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
           A warning event occurred.  EventID: 0x00000090
              Time Generated: 01/14/2014   10:40:03
              Event String: The time service has stopped advertising as a good time source.
           ......................... ORT001C passed test SystemLog
        Starting test: VerifyReferences
           ......................... ORT001C passed test VerifyReferences
     Running partition tests on : ForestDnsZones
        Starting test: CheckSDRefDom
           ......................... ForestDnsZones passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... ForestDnsZones passed test CrossRefValidation
     Running partition tests on : DomainDnsZones
        Starting test: CheckSDRefDom
           ......................... DomainDnsZones passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... DomainDnsZones passed test CrossRefValidation
     Running partition tests on : Schema
        Starting test: CheckSDRefDom
           ......................... Schema passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... Schema passed test CrossRefValidation
     Running partition tests on : Configuration
        Starting test: CheckSDRefDom
           ......................... Configuration passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... Configuration passed test CrossRefValidation
     Running partition tests on : ad1
        Starting test: CheckSDRefDom
           ......................... ad1 passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... ad1 passed test CrossRefValidation
     Running enterprise tests on : ad1.mydomain
        Starting test: LocatorCheck
           ......................... ad1.mydomain passed test LocatorCheck
        Starting test: Intersite
           ......................... ad1.mydomain passed test Intersite

• Issue with Windows Explorer search function and network shares.

  Hello all,
  I hope all is well, I am having a very odd issue.
  One user when they access a particular network drive, and try to use the explorer search function it prompts the following error 
  Runtime error
  Program:
  This application has requested the runtime to terminate in a unusual way. Please contact application team for support.
  I have checked the event viewer on both the user machine and server hosting the share, not events show up regarding the issue.
  I have tried with the user machine in safe mode with networking, and the issue still occurs
  It of course is not telling which application or program is causing this.
  I have confirmed all windows updates are up to date. 
  I have gone to the windows search in services and swapped the 1 for a 0, that opened up three of the four network drives for search
  the last one is still causing this error.
  User computer is windows 7 professional 64 bit
  server is windows server 2012 64 bit.
  I am at a total loss as to why this is happening on two machines out of ten.
  any help or suggestions would be most appreciated.
  Cheers
  Josh

  Hi Josh,
  What operation did the user act and how to use the explorer search function to cause the issue? Please check if the issue still exists after the user does the same action locally.
  You could refer to the thread below to troubleshoot the issue:
  Windows Explorer crashes continually on Windows 7 with Visual C++ Runtime error
  http://answers.microsoft.com/en-us/windows/forum/windows_7-files/windows-explorer-crashes-continually-on-windows-7/70c333ba-0cd3-4308-96ce-e81931d123e3
  Best Regards,
  Mandy 
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Bit locker on Windows 2012 r2 AD And Win 8.1 Client

  Can anyone give guidelines/articles for configuring Bit locker on Windows 2012 r2 AD With Win 8.1 Client
  I am looking for detailed directions on backing up Bit Lo. & TPM recovery key to AD

  Hello,
  please start with
  https://technet.microsoft.com/en-us/library/dn383581.aspx and
  https://technet.microsoft.com/en-us/library/jj592683.aspx?f=255&MSPPError=-2147217396
  Best regards
  Meinolf Weber
  MVP, MCP, MCTS
  Microsoft MVP - Directory Services
  My Blog: http://blogs.msmvps.com/MWeber
  Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
  Twitter:  

• Windows 2012 answer file and DVD drive letter

  Hi
  my question is about applying unattend XML file into a Wim file. I have read other thread here but still I  can't get it to work. so here is the situation:
  I have installed windows 2012  then I have SYSPREPed it and then I created a WIM file with DISM tool and then I have a very simple answer file. I use DISM to mount the image and then use DISM /apply-unattend to push my answerfile into my WIM file. now
  the issue is, when I load this image into a VM using DISM tool, everything goes fine and when the server comes up for the first time I see the language setting page asking for "Country or region" and "App Language" and "keyboard layout"
  when I hit next , it asks for license agreement and after confirming that one, I can login to windows. How I can hide those 2 windows. my small answer files is :
  <?xml version="1.0" encoding="utf-8"?>
  <unattend xmlns="urn:schemas-microsoft-com:unattend">
      <settings pass="windowsPE">
          <component name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
  xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
              <SetupUILanguage>
  <UILanguage>en-US</UILanguage>
                  <WillShowUI>Never</WillShowUI>
              </SetupUILanguage>
              <InputLocale>en-US</InputLocale>
              <SystemLocale>en-US</SystemLocale>
              <UILanguage>en-US</UILanguage>
              <UserLocale>en-US</UserLocale>
          </component>
          <component name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
              <UserData>
                  <AcceptEula>true</AcceptEula>
              </UserData>
          </component>
      </settings>
      <settings pass="specialize">
          <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
              <TimeZone>Mountain Standard Time</TimeZone>
          </component>
      </settings>
      <settings pass="oobeSystem">
          <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
              <TimeZone>Mountain Standard TIme</TimeZone>
          </component>
      </settings>
      <cpi:offlineImage cpi:source="wim:c:/win2012/install.wim#Windows Server 2012 R2 SERVERSTANDARD" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
  </unattend>
  can somebody please let me know what am I doing wrong? I was assuming after applying unattanded xml file, when I do DISM /apply-image it gonna use my answer file....
  I have one more question as well:
  in 2012, I change DVD drive letter from D to Z and then I sysprep it. in target VM when I load my image, DVD drive is D again.
  I guess when sysprep generalize everything, DVD drive get detected again and windows assign first available letter to it. my second question is : is there any way to make drive letter setting stays the same in target computer?
  Your help is much appreciated!

  Hi,
  Where did you put the answer file? Windows has several places to check the files, you can refer to the following article, notice Implicit Answer File Search Order.
  Windows Setup Automation Overview
  http://technet.microsoft.com/en-in/library/hh824950.aspx
  For DVD drive letter, I think you can assign it via a script with diskpart command:
  Assign, change, or remove a drive letter
  http://technet.microsoft.com/en-in/library/cc757491(v=ws.10).aspx#BKMK_CMD
  Include a Custom Script in a Windows PE Image
  http://technet.microsoft.com/en-us/library/cc766521(v=ws.10).aspx
  Hope this helps.

• Change license to Windows 2012 R2 Essentials and Windows 2012 R2 Standard

  Hi,
  I'm working for a small company (10 users). We have 2 servers; 1 is a normal file server, domain controller etc.; the second is dedicated for running a financial application. We bought and installed new hardware but with so called 'Technet licenses'.
  Obviously we need to buy proper licenses. I have 2 questions :
  1. Am I correct in buying 1 Windows 2012 R2 Essentials license, 1 Windows 2012 R2 Standard license and 10 CALs ?
  2. Can I just install these licenses 'over' the existing 'Technet licenses' ?
  Any help will be greatly appreciated.
  Ronald Ruijtenberg

  I would purchase one Server Standard license, install it as a hypervisor on the server, then add to VMs.  First one is Server with the Essentials role, the second to run your financial application.  You can do this on one physical box and you
  only have to purchase one copy of Server Standard.
  Larry Struckmeyer[MVP] If your question is answered please mark the response as the answer so that others can benefit.

• Windows 2012 storage server and tier with external SSD disks

  Hi
  My query is in case I have one SAN storage with SSD and FC disks connected to Windows 2012 storage server, will Windows be able to manage Tier between two types of disks if the volumes are properly assigned and formated?
  Regards

  Hi
  My query is in case I have one SAN storage with SSD and FC disks connected to Windows 2012 storage server, will Windows be able to manage Tier between two types of disks if the volumes are properly assigned and formated?
  Regards
  Short answer: No, not automatically. Long answer: Yes, it can be done but with some tricks. First you'll have to make your SAN export LUs built from flash and from spindles. At least one of each (see URL below). Then you'll have to build storage spaces (even
  clustered but that's not officially supported for non-SAS disks) from them.
  See:
  Configure Tiering with Windows Server 2012 R2
  http://blogs.technet.com/b/askpfeplat/archive/2013/10/21/storage-spaces-how-to-configure-storage-tiers-with-windows-server-2012-r2.aspx
  Both LUs would have non-SSD type reported so you'll have manually assign types with PowerShell what's flash and what's spindle.
  "Notice that the SSD devices were detected as SSD media.  However, in this case the physical drives show as unknown.  
  If yours are not detected like in this example, they should be set correctly which can be done using PowerShell. "
  Hope this helped :)
  StarWind VSAN [Virtual SAN] clusters Hyper-V without SAS, Fibre Channel, SMB 3.0 or iSCSI, uses Ethernet to mirror internally mounted SATA disks between hosts.

• Windows 2012 R2 replication

  Hi 
  I have got a job about a year ago in an organisation which had 3 windows 2008 R2 servers and lots of problem. I managed to clean up the domain and ended up to migrating all the DCs to Windows 2012 R2. when I run the command repadmin\syncall on any of my
  domain controllers they sync each other with no issue, but when I run the following command:
  repadmin /showvector /latency dc=....,dc=.....  I am getting reports of the previous DCs which are demoted and still are in my active directory database. I know its something related to tombstone but how can I remove them completely from my domian.
  Thanks so much in advance

  Hi Geraldton,
  It seems that we can't remove these entries.
  The following thread focused on the similar question and can be referred to for more information.
  repadmin /showvector /latency dc=goodies,dc=com,dc=sa
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/09b61b9e-b618-4943-963e-de452bdece12/repadmin-showvector-latency-dcgoodiesdccomdcsa
  Best regards,
  Frank Shen

• How do I map a local windows 7 machine to and Azure Share?

  I have 15 physical Windows 7 machines with that I want to access a file share in Windows Azure.  How do I do this?
  daveeeeee

  Hi
  daveeeeee,
  Azure File Share can be access from a Local computer using Rest APIs, whereas, SMB protocol only allows the access of Azure File Share within the same region in Azure.
  You could refer the following link for further details:
  http://blogs.msdn.com/b/windowsazurestorage/archive/2014/05/12/introducing-microsoft-azure-file-service.aspx
  You could use the Rest APIs or AzCopy to
  transfer data to and from Azure File Share.
  Regards,
  Malar.

• Active Directory, Windows 2003 SP2 Server and SMB shares

  I have 10 new iMacs that will be returned and exchanged for 10 HP wintels if I can't resolve an issue with SMB shares in Mac OS X 10.4.9.
  We had an old win 2000 server, and all the macs could mount their smb shares without problems.
  Recently we upgraded to two new 2003 sp2 servers, one of them the domain controller, and we can't mount their SMB shares. I followed this http://weblog.bignerdranch.com/?p=6&page=3 and/or this http://allinthehead.com/retro/218/accessing-a-windows-2003-share-from-os-x to allow AD authentication, but still, I can't mount the 2003 shares (but can with the 2000 ones!!!).
  If I enable SFM (services for macintosh) then I can mount the shares, but:
  1) the network is slower (I supouse is due to appletalk implementation)
  2) and worse, names with more than 32 characters or with some special characters are not allowed. This renders 30% of our archives unavailable with the AFP solution.
  I also used all the authentication methods (Plain text apple, plain text windows, etc.) but no one works.
  I have now 10 days to find a solution, or all "my" macs will dissapear forever.
  Please, some advice or point to documentation.
  G4, G5, iMac Intel, Mac Book Pro, etc   Mac OS X (10.4.9)  

  Do you just want to mount arbitrary share from the win servers or do you want the macs to be bound to AD?
  The first requires the steps from your second link (allinthehead.com) but the latter (bind to AD) requires things like proper use of DNS, time synchronisation for kerberos to work and proper configuration as described in your first link (bignerdranch.com).
  Here are some more links for the latter (AD intergration):
  http://www.bombich.com/mactips/activedir.html
  http://www.afp548.com/article.php?story=20051202151540574&query=ad-od
  HTH
  -Ralph

• Windows 2012 R2 DFSR and backlog for Read only Server

  Hi All
  I have strange situation - i have 2 servers running Win2012R2 with 2 folders replicated by DFSR ( + Deduplication Enabled on both servers). Second Server folders set to ReadOnly. But second server showing high backlog waiting replication to Server1 -
  in the same time Staging Folder is empty. When i'm disabling membership for this server, and enabling back - some time it is showing 0 backlog - all is ok, but then it resumes to show hight backlog again. How i can fix it?
  Best Wishes, Andrew Golubenkoff

  Hi,
  Is there any error message in the Event Log? Since the got the status 5 ( "5: In Error" ), you could try to rebuild the DFSR database to resolve the issue.
  For more detailed information, you could refer to the thread below:
  DFSR - Database Corrupt
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/b69839aa-f050-419c-9344-6b7bf067c318/dfsr-database-corrupt?forum=winserverfiles
  Best Regards,
  Mandy 
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Windows 2012 Domain Controllers and RC4

  We are using Qualysguard as our vulnerability scanner, and we are getting QID 38601, "SSL/TLS use of weak RC4 cipher". While we have created a GPO to disable RC4 on the 2008/2012 servers, we have 4 Domain Controllers that we haven't included in
  the GPO yet. I'm wondering if disabling RC4 on 2012 Domain Controllers will cause problems that I'm not forseeing right now.
  Does someone out there have any knowledge of this through experience or otherwise?
  Thanks in advance.

   
  Hi,
  As far as I know, disable RC4 cipher usage in SSL/TLS wouldn’t affect Kerberos related services on Domain Controller, since Key Distribution Center (KDC) just use the available encryption type to encrypt tickets that requested from our clients with
  RC4_HMAC_NT.
  More information for you:
  Disabling RC4 Cipher KB2868725 relation to Kerberos
  https://social.technet.microsoft.com/Forums/sqlserver/en-US/836eba80-a070-486d-98b2-69b6325cb40e/disabling-rc4-cipher-kb2868725-relation-to-kerberos?forum=winserversecurity
  Best Regards,
  Amy
  Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]