Windows Server 2003 Active Directory Replication Issue

Dear Friends,
A few days ago my primary domain controller crashed, so I restored a 1-month-old full server image.
But the issue is that after the restoration, replication between the domain controllers is not working.
Error message on DC2: Target Principal Name is incorrect
Event Log on Restored DC1:
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date:  3/18/2014
Time:  10:50:00 AM
User:  N/A
Computer: ***
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/**.domain.com.  The target name used was cifs/dc2. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (domain.COM), and the client realm.   Please contact your system administrator.

Have a look:
https://msmvps.com/blogs/vandooren/archive/2009/04/02/the-kerberos-client-received-a-krb-ap-err-modified-error.aspx
Regards,
Rafic
This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!
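Added example, not part of the original thread: a Python parser for Event Viewer text in the layout pasted above that lists every Kerberos Event ID 4 KRB_AP_ERR_MODIFIED record with the server principal and target name, so it is visible which DC pairs disagree on the machine-account password. The sample events, host names, dates and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the Event Viewer text layout pasted in the post.
# Host names, dates and the "ExampleService" record are placeholders.
SAMPLE_EXPORT = """\
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date:  1/2/2030
Time:  10:50:00 AM
User:  N/A
Computer: DC1
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/dc2.example.test.  The target name used was cifs/dc2. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly,
this is due to identically named  machine accounts in the target realm (EXAMPLE.TEST), and the client realm.   Please contact your system administrator.

Event Type: Warning
Event Source: ExampleService
Event Category: None
Event ID: 1000
Date:  1/2/2030
Time:  10:51:00 AM
User:  N/A
Computer: DC1
Description:
Unrelated constructed event.

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date:  1/2/2030
Time:  10:55:00 AM
User:  N/A
Computer: DC1
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/dc2.example.test.  The target name used was
ldap/dc2.example.test. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server.
"""

FIELD_RE = re.compile(
    r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$"
)
DETAIL_RE = re.compile(
    r"KRB_AP_ERR_MODIFIED error from the server\s+(?P<server>\S+)\.\s+"
    r"The target name used was\s+(?P<target>\S+)\.\s"
)


def parse_records(text):
    """Split pasted Event Viewer text into one dict per event."""
    records, current, in_desc = [], None, False
    for line in text.splitlines():
        stripped = line.strip()
        m = FIELD_RE.match(stripped)
        if m and m.group(1) == "Event Type":
            # "Event Type:" always opens a new record in this layout.
            current = {"Description": ""}
            records.append(current)
            in_desc = False
        if current is None:
            continue
        if m and not in_desc:
            current[m.group(1)] = m.group(2).strip()
        elif stripped == "Description:":
            in_desc = True
        elif in_desc:
            # Re-join descriptions that were wrapped across lines.
            current["Description"] += stripped + " "
    return records


def kerberos_mismatches(text):
    """Return the Kerberos Event ID 4 records that report KRB_AP_ERR_MODIFIED."""
    findings = []
    for rec in parse_records(text):
        if rec.get("Event Source") != "Kerberos" or rec.get("Event ID") != "4":
            continue
        m = DETAIL_RE.search(rec["Description"])
        if not m:
            continue
        findings.append({
            "reported_by": rec.get("Computer", "?"),
            "when": f'{rec.get("Date", "")} {rec.get("Time", "")}'.strip(),
            "server": m.group("server"),
            "target_spn": m.group("target"),
        })
    return findings


def summarize(findings):
    """Count errors per (reporting computer, server principal) pair."""
    return Counter((f["reported_by"], f["server"]) for f in findings)


if __name__ == "__main__":
    hits = kerberos_mismatches(SAMPLE_EXPORT)
    for (reporter, server), count in summarize(hits).items():
        print(f"{reporter} -> {server}: {count} KRB_AP_ERR_MODIFIED event(s)")
    for hit in hits:
        print(f'  {hit["when"]}  target name {hit["target_spn"]}')
```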

Similar Messages

  • Download issue when Windows 7 Pro joins a Windows Server 2008 Active Directory

    Hi,
    I purchased 2 new Dell OptiPlex 3010 desktop computers that came with Windows 7 Professional operating system with SP1. 
    There were no Microsoft updates installed yet.  After I added one of these Dell computers to the Windows Server 2008 Active Directory, I was not able to download several items. 
    Below are several examples:
    1) I downloaded the Norton anti-virus installation file.  This file is not the full installation of Norton; it is more of a file where you execute it and it will download the full installation from the Internet like from their Norton web
    site.  So when I executed this installation file, it does not download the full installation files. 
    It just hung at the screen saying “Downloading” and it will finally stop with an error (don’t remember the error message).
    Note: If I have the full Norton installation file then I am able to install it on this computer with no problems.
    2) I downloaded the Adobe Reader installation file.  This file is not the full installation of Adobe Reader; it is more of a file where you execute it and it will download the full installation from the Internet like from their Adobe web
    site.  So when I executed this installation file, it hung at the downloading part and then it will error out with a “Actionlist Not Found” message.
    Note: If I have the full Adobe Reader installation file then I am able to install it on this computer with no problems.
    3) I installed Microsoft Office 2010 Standard version on this computer. 
    I configured Microsoft Outlook to retrieve emails from my email provider (pop and smtp settings). 
    After configuring Microsoft Outlook, I was able to send emails through Microsoft Outlook successfully (and very quickly), but he was unable to retrieve my emails. The progress bar for the Receiving in the "Outlook Send/Receive Progress" box
    shows no progress. The Progress bar is not moving. There is a message at the bottom of Microsoft Outlook stating "Receiving message 1 of 6 (x.xx KB of x.xx MB)" and it is very slow. My new emails were not being retrieved at all. 
    I tried various pop and smtp servers that were available for my email provider, but all had the same effect.
    4) I can access certain web sites (e.g.
    www.yahoo.com, www.cnn.com) while I cannot access other web sites like
    www.usatoday.com, my web hosting email site.
    Note: I had a Dell computer with Windows XP Professional operating system and this computer does not have any of the above issues.
    The above are only a few examples that I have experienced. 
    If I removed this Dell OptiPlex 3010 computer from the Windows Server 2008 Active Directory then I still experience the same issue.
    So as another test, I setup the other new Dell OptiPlex 3010 with the same Windows 7 Professional OS with SP1. 
    This time, I did not join the Windows Server 2008 Active Directory and I was able to successfully download the full Norton installation files, download the full Adobe Reader installation files, download my emails from Microsoft Outlook 2010, etc. 
    But once I joined this computer to the Windows Server 2008 Active Directory then I am not able to download these files and emails at all.
    It seems like there might be some group policy or a security setting that is preventing these downloads so I disabled the group policy on the Windows Server 2008 AD and Windows 7 Professional OS, but it didn’t resolve the issue.
     I disabled all of the firewall programs on this Windows 7 Professional OS, but it still did not resolve the issue.
    Since the Windows Server 2008 AD did not have DHCP installed, I installed DHCP and setup a scope. 
    Then configured the Windows 7 Professional OS to obtain an IP address, but it didn’t resolve the issue.
    If I move this Windows 7 Professional computer to another network where it did not have any Active Directory; it just had a wireless router serving DHCP then everything works on the Windows 7 Pro computer.
    Any ideas what is the root cause when a Windows 7 Professional computer joins a Windows Server 2008 AD?
    Thanks,
    wl_tech

    Hi,
    Could you please tell us some information about the AD environment and how it connects to the internet?
    Regarding the 3rd party installers that didn't work as expected, please also seek help on their official website.
    For outlook not receiving emails, could you please take a look in
    Event Viewer and see if there are any special errors logged there?
    And when trying to access the website like
    www.usatoday.com, any special errors IE showed out?
    Best regards
    Michael Shao
    TechNet Community Support

  • Upgrade from Windows Server 2012 Active Directory to Windows Server 2012 R2 Active Directory

    We are currently running Windows Server 2012 Active Directory and would like to upgrade to Windows Server 2012 R2 AD. Is it OK to just do an in-place upgrade, or is it advisable to build new domain controllers on R2? Are there any guides or articles anyone
    can recommend?

    Hi Ginandtonic,
    To upgrade a DC (Domain Controller) from Windows Server 2012 to Windows Server 2012 R2, please refer to these articles:
    Upgrade from Windows Server 2012 to 2012 R2
    Upgrade Active Directory from 2012 to 2012 R2
    I hope this helps.
    Best Regards,
    Anna

  • Require list of all events for Windows Server 2008 Active Directory

    Hi all,
    I require list of all events for Windows Server 2008 Active Directory. Event Log name for Active Directory log is "Directory Service".
    Regards,
    SR

    Hi,
    Thanks for your posting.
    Do you mean you want to list all Active Directory logs into one file named “Directory Services”?
    If so, it’s hard to achieve. There are various kinds of Active Directory logs stored in different locations and they have different file formats. It’s hard to collect them into one file.
    Active Directory records events in the directory services log in Event Viewer. By default, Active Directory records only critical error events. To instruct Active Directory to record other events in the directory services log, we need to modify the registry.
    For more information please refer to following MS articles:
    Active Directory Diagnostic Logging
    http://technet.microsoft.com/en-us/library/cc961809.aspx
    How to configure Active Directory diagnostic event log
    http://support.microsoft.com/kb/314980
    Lawrence
    TechNet Community Support

  • Active Directory : Replication Issue - "Disconnected" sub-domain from the Forest

    Hello everyone,
    I'm managing a multi-domain forest (with 7 sub-domains).  All are working fine except for one.  Through repadmin (Repadmin /replsum /bysrc /bydest /sort:delta), I noticed that both domain controllers of a subdomain (there are only 2 DCs in that subdomain) hadn't replicated with the rest of the forest for more than 60 days.
    According to my research, it's usually recommended to depromote and repromote the problematic DC to avoid the issue of lingering objects.  In this case, it's both DCs of a sub-domain.  Of course, on the other DCs in the forest, I got the event ID 2012 "it has been too long since this machine last replicated with the named source machine....".
     HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner
    to a value of 1.
    As I understand it, this may cause lingering objects to appear (they can be removed with repadmin /removelingeringobjects command with the DSA GUID, naming context, etc..).  So far, I haven't used that registry key yet because of the associated risks.
    I didn't notice any other issue so far.  Users in the problematic sub-domain are fine, and the problematic sub-domain seems to be able to pull replication data from the other DCs in the forest (at least, I'm not getting any error in A.D. Sites and Services).
    I added two new DCs for the affected sub-domain, so the number of DCs for that domain went from 2 to 4 DCs.  The two old DCs that hadn't replicated for 60 days are Windows Server 2003 and the two new DCs are Server 2008 R2.
    Unfortunately (and I was half expecting this, but did it anyway since I must eventually replace the old DCs), that didn't solve my issue, since the rest of the forest "doesn't see" the two new DCs of the sub-domain.  By that, I mean that I cannot add an Active Directory Domain Services Connection in the Sites & Services console (from a DC in another domain of the forest or even the root domain).  I see all the DCs, including the two old DCs that are Server 2003, but not the new ones.
    I believe it's because the other DCs don't pull/replicate the information from the old DCs anymore, so they aren't "aware" of the two new DCs for that problematic sub-domain.
    I was wondering what is the best course of action. Is it worthwhile to use the registry key to force replication with the old DCs?  (And hopefully, the new DCs will get their AD Services connection/replication vector created, so I can depromote the old DCs.)
    Since the old DCs from the problematic sub-domain seem to be able to pull the replication from the rest of the forest, is the risk of lingering objects not that great?
    Or is it too risky and I must create a new sub-domain and migrate the users one way or another? (which would be time-consuming)
    Thanks in advance,
    Adam

    Thanks for the reply.  One of the links had another link to a good article about the use of repadmin :
    So, I ran the command "repadmin /removelingeringobjects " on one of the problematic DCs ().
    For clarity purpose, let's say I used the domain :
    domain = main domain
    subdomain = the domain whose DCs are problematic (all of them).
    AnotherSubDomain = Just another subdomain I used as a "reference" DC to cleanup the appropriate partition.
    Command (the DSA guid is from a DC "clean" in another domain)
    repadmin /removelingeringobjects adrec01.mysubdomain.domain.ca C4081E00-921A-480D-9FDE-C4C34F96E7AC dc=ANOTHERsubdomain,dc=domain,dc=ca /advisory_mode
    I got the following message in the event viewer :
    Active Directory Domain Services has completed the verification of lingering objects on the local domain controller in advisory mode. All objects on this domain controller have had their existence verified on the following source domain controller.
    Source domain controller:
    c4081e00-921a-480d-9fde-c4c34f96e7ac._msdcs.mydomain.ca
    Number of objects examined and verified:
    0
    Objects that have been deleted and garbage collected on the source domain controller yet still exist on this domain controller have been listed in past event log entries. To permanently delete the lingering objects, restart this procedure without using the
    advisory mode option.
    How should I interpret the message "number of objects examined and verified 0".  Does it mean it just didn't find any object to compare ? (which would be odd IMHO)  Or there is another problem ?
    Thanks in advance,
    Adam

  • Join to Windows Server 2012 Active Directory.

    How do I join a Windows Server 2012 Active Directory without manually putting the Windows Server 2012's IP address in as the "Preferred DNS server"? Can someone help me?

    I'm not sure what you are asking here.  Are you asking how to join another server to an Active Directory domain without having to enter IP information into that other server?  If so, the server joining has to have an IP address and it has to have a DNS entry that knows about the Active Directory domain.  Therefore, there are two ways to accomplish this.  First is to assign a fixed IP address and DNS address to the server you are trying to join to the domain.  The second is to have a DHCP server in the environment that will assign the IP and DNS.  An alternative to the second option is to have DHCP assign the IP address and then you manually specify the DNS that knows about the Active Directory domain being joined.
    No matter how you do it, it has to have a valid IP address and DNS entry that knows the location of the AD domain.
    . : | : . : | : . tim

  • Snow Leopard and Windows 2003 Active Directory Binding Issues

    Ok I have a new imac 27" with snow leopard (completely patched).
    I am attempting to join it to an active directory domain.
    First the prequel:
    * I have opened full traffic to and from the machine and our domain controllers
    * I have enabled full logging on the firewall and there are no blocked packets
    * I have used wireshark to watch the traffic on the mac and there appear to be no anomalies (packets being sent out but not getting a response, dns requests that aren't answered, etc)
    * I have enabled full KDC logging on the domain controller in question and there are no errors in any of the event logs on either domain controller.
    * The domain admin account in question has Enterprise, Schema and Domain Admin rights
    * I have tried it both with and without an existing computer account and with every conceivable combination of caps and no caps on domain name, user and computer names.
    I am getting the following error at the very end of the process:
    "Unable to add server. Credential operation failed because an invalid parameter was provided (5102)"
    I enabled debugging on Directory Services and will post a log in a reply.
    Anyone have any ideas? I have been banging my head on this for a week with no luck.

    Here is the log with the Active Directory: entries grepped... the full log is far too large to reply to here, if you think you need it let me know and I can email it to you it is 548kb
    obviously machine names, usernames and ip addresses have been munged.
    2011-02-09 12:13:32 EST - T\[0x0000000100404000\] - Active Directory: copyNodeInfo called for /Active Directory
    2011-02-09 12:13:36 EST - T\[0x0000000100404000\] - Active Directory: copyNodeInfo called for /Active Directory
    2011-02-09 12:13:41 EST - T\[0x0000000100404000\] - Active Directory: copyNodeInfo called for /Active Directory
    2011-02-09 12:13:46 EST - T\[0x0000000100404000\] - Active Directory: copyNodeInfo called for /Active Directory
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 1 - Searching for Forest/Domain information
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Start checking servers for site "any"
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Total Servers "any" LDAP - 2, Kerberos - 2, kPasswd - 2
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc3.subdomain.domain.tld"
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc1.subdomain.domain.tld"
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Finished checking servers for domain
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: DomainConfiguration reachabilityNotification - Node: subdomain.domain.tld - resolves - enabled
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 2 - Finding nearest Domain controllers
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 3 - Verifying credentials
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Start checking servers for site "any"
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Total Servers "any" LDAP - 2, Kerberos - 2, kPasswd - 2
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc3.subdomain.domain.tld"
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc1.subdomain.domain.tld"
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Finished checking servers for domain
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: DomainConfiguration reachabilityNotification - Node: subdomain.domain.tld - resolves - enabled
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: EstablishConnectionUsingReplica - Node subdomain.domain.tld - New connection requested
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: FindSuitableReplica - Node subdomain.domain.tld - Attempting Replica connect to dc3.subdomain.domain.tld.
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: watchReachability watching socket = 21, xxx.xxx.164.71 -> xxx.xxx.174.77
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: VerifiedServerConnection - Verified server connectivity - dc3.subdomain.domain.tld.
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: CheckWithSelect - good socket to host dc3.subdomain.domain.tld. from poll and verified LDAP
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: FindSuitableReplica - Node subdomain.domain.tld - Established connection to dc3.subdomain.domain.tld.
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: kadmEntry port is nil, will use default 464
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: populateKerberosToDomain - Bailing no domain cache for
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Password verify for [email protected] succeeded - cache MEMORY:vyvyIt4
    2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Switching active cache to MEMORY:vyvyIt4
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Secure BIND Session Success with server dc3.subdomain.domain.tld.:389 using cache MEMORY:vyvyIt4 user [email protected]
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Processing Site Search with found IP
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: No site name available
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Start checking servers for site "any"
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Total Servers "any" LDAP - 2, Kerberos - 2, kPasswd - 2
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc3.subdomain.domain.tld"
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc1.subdomain.domain.tld"
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Finished checking servers for domain
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updating Mappings from inSchema.........
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updated schema for node name subdomain.domain.tld
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Configuration naming context = cn=Partitions,CN=Configuration,DC=subdomain,DC=domain,DC=tld
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Top domain set as <cn=subdomain,cn=partitions,cn=configuration,dc=subdomain,dc=domain,dc=tld>
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updating domain hierarchy cache
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updating policies from domain subdomain.domain.tld
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updated policies for node name subdomain.domain.tld
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 4 - Searching for existing computer
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: EstablishConnectionUsingReplica - Node subdomain.domain.tld - New connection requested
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: watchReachability watching socket = 18, xxx.xxx.164.71 -> xxx.xxx.174.77
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: VerifiedServerConnection - Verified server connectivity - dc3.subdomain.domain.tld.
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: establishConnectionUsingReplica - Node subdomain.domain.tld - Previous replica = dc3.subdomain.domain.tld. responded
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: kadmEntry port is nil, will use default 464
    2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: populateKerberosToDomain - Bailing no domain cache for
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Password verify for [email protected] succeeded - cache MEMORY:zXpbfEi
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Switching active cache to MEMORY:zXpbfEi
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Secure BIND Session Success with server dc3.subdomain.domain.tld.:389 using cache MEMORY:zXpbfEi user [email protected]
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Doing Computer search for Ethernet address - 10:9a:dd:56:1b:1d
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 4 - no mapping for Ethernet MAC address
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Doing DN search for account - machinename
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: stopWatching socket = 21, xxx.xxx.164.71 -> xxx.xxx.174.77
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: LDAP connection closed - dc3.subdomain.domain.tld.:389 - cache MEMORY:vyvyIt4 user [email protected]
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Destroying cache name MEMORY:vyvyIt4 user [email protected]
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Closing All Connections
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: stopWatching socket = 18, xxx.xxx.164.71 -> xxx.xxx.174.77
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: LDAP connection closed - dc3.subdomain.domain.tld.:389 - cache MEMORY:zXpbfEi user [email protected]
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Destroying cache name MEMORY:zXpbfEi user [email protected]
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 5 - Bind/Join computer to domain
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: EstablishConnectionUsingReplica - Node subdomain.domain.tld - New connection requested
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: watchReachability watching socket = 18, xxx.xxx.164.71 -> xxx.xxx.174.77
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: VerifiedServerConnection - Verified server connectivity - dc3.subdomain.domain.tld.
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: establishConnectionUsingReplica - Node subdomain.domain.tld - Previous replica = dc3.subdomain.domain.tld. responded
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: kadmEntry port is nil, will use default 464
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: populateKerberosToDomain - Bailing no domain cache for
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Password verify for [email protected] succeeded - cache MEMORY:10xG6op
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Switching active cache to MEMORY:10xG6op
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Secure BIND Session Success with server dc3.subdomain.domain.tld.:389 using cache MEMORY:10xG6op user [email protected]
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Looking for existing Record of machinename
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Doing DN search for account - machinename
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: EstablishConnectionUsingReplica - Node subdomain.domain.tld - New connection requested
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: watchReachability watching socket = 21, xxx.xxx.164.71 -> xxx.xxx.174.77
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: VerifiedServerConnection - Verified server connectivity - dc3.subdomain.domain.tld.
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: establishConnectionUsingReplica - Node subdomain.domain.tld - Previous replica = dc3.subdomain.domain.tld. responded
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: kadmEntry port is nil, will use default 464
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: populateKerberosToDomain - Bailing no domain cache for
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Switching active cache to MEMORY:10xG6op
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Secure BIND Session Success with server dc3.subdomain.domain.tld.:389 using cache MEMORY:10xG6op user [email protected]
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: KerberosID Found for account CN=MACHINENAME,CN=Computers,DC=subdomain,DC=domain,DC=tld - MACHINENAME$
    2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Existing record found @ CN=MACHINENAME,CN=Computers,DC=subdomain,DC=domain,DC=tld with [email protected].
    2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Setting Computer Password FAILED for existing record......
    2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Computer password change date is 2011-02-04 18:21:01 -0500
    2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Schtldled computer password change every 1209600 seconds - starting 2011-02-09 12:13:50 -0500
    2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Closing All Connections
    2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: stopWatching socket = 21, xxx.xxx.164.71 -> xxx.xxx.174.77
    2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: LDAP connection closed - dc3.subdomain.domain.tld.:389 - cache MEMORY:10xG6op user [email protected]
    2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: stopWatching socket = 18, xxx.xxx.164.71 -> xxx.xxx.174.77
    2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: LDAP connection closed - dc3.subdomain.domain.tld.:389 - cache MEMORY:10xG6op user [email protected]
    2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Destroying cache name MEMORY:10xG6op user [email protected]
    2011-02-09 12:13:50 EST - T\[0x00000001026AA000\] - Active Directory: Failed to changed computer password in Active Directory domain
    2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: copyNodeInfo called for /Active Directory
    2011-02-09 12:13:51 EST - T\[0x0000000102481000\] - Active Directory: copyNodeInfo called for /Active Directory
    Message was edited by: aelana
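Added example, not part of the original posts: a Python triage of the Directory Services debug log format shown above that reports which "Bind Step" the join reached, which domain controller it verified, and every failure line with the step it occurred in. The embedded lines are copied from the log in the post; the function and variable names are this example's own.

```python
import re

# Lines copied from the log posted above (a subset), including the
# backslash-escaped brackets as they appear on the page.
SAMPLE_LOG = r"""
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 1 - Searching for Forest/Domain information
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 2 - Finding nearest Domain controllers
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 3 - Verifying credentials
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 4 - Searching for existing computer
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 4 - no mapping for Ethernet MAC address
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 5 - Bind/Join computer to domain
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: VerifiedServerConnection - Verified server connectivity - dc3.subdomain.domain.tld.
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: KerberosID Found for account CN=MACHINENAME,CN=Computers,DC=subdomain,DC=domain,DC=tld - MACHINENAME$
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Setting Computer Password FAILED for existing record......
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Computer password change date is 2011-02-04 18:21:01 -0500
2011-02-09 12:13:50 EST - T\[0x00000001026AA000\] - Active Directory: Failed to changed computer password in Active Directory domain
"""

# Timestamp, time zone, thread id (brackets with or without a leading
# backslash), then the plugin message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ - "
    r"T\\?\[(?P<thread>0x[0-9A-Fa-f]+)\\?\] - Active Directory: (?P<msg>.*)$"
)
STEP_RE = re.compile(r"^Bind Step (\d+) - (.*)$")
SERVER_RE = re.compile(r"Verified server connectivity - (\S+?)\.?$")
FAIL_RE = re.compile(r"\bfail", re.IGNORECASE)


def triage_bind_log(text):
    """Summarize bind progress and failures from Active Directory log lines."""
    steps = {}        # step number -> first description seen for that step
    servers = set()   # domain controllers the client verified
    failures = []     # failure lines, tagged with the step in progress
    current_step = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an "Active Directory:" line in this format
        msg = m.group("msg")
        step = STEP_RE.match(msg)
        if step:
            current_step = int(step.group(1))
            steps.setdefault(current_step, step.group(2))
            continue
        server = SERVER_RE.search(msg)
        if server:
            servers.add(server.group(1))
        if FAIL_RE.search(msg):
            failures.append({
                "ts": m.group("ts"),
                "thread": m.group("thread"),
                "step": current_step,
                "msg": msg,
            })
    return {
        "steps": steps,
        "last_step": max(steps) if steps else None,
        "servers": sorted(servers),
        "failures": failures,
    }


if __name__ == "__main__":
    report = triage_bind_log(SAMPLE_LOG)
    for number in sorted(report["steps"]):
        print(f"step {number}: {report['steps'][number]}")
    print("verified servers:", ", ".join(report["servers"]))
    for failure in report["failures"]:
        print(f"FAIL in step {failure['step']} at {failure['ts']}: {failure['msg']}")
```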

  • Windows Server 2008 Active Directory Trust

    Hi ,
    Can anyone help with the answer to the following questions please?
    a) Whether Microsoft Windows Server 2008 SP2 Standard Edition support AD trust relationships (one-way; two-way)
    b) Whether we can create trust between Windows Server 2008 R2 SP1 and Windows Server 2008 SP2 Standard Edition AD servers?
    Thanks in advance.
    India1947

    Hello,
    First of all, please confirm the firewall on the Windows Server 2008, the TCP/IP filter or any third-party firewall is not blocking the RPC and ICMP traffic between two domain controllers.
    1.    Have a test of creating and verifying trust while all firewalls are all disabled. Then re-create and verify the trust to check how it works.
    Allowing Inbound Network Traffic that Uses Dynamic RPC
    http://207.46.196.114/windowsserver2008/en/library/d37f96c6-c729-4b29-80a9-88db3d97b8631033.mspx
    2.    If it still fails, please try to collect the following information for our further investigation:
    -      Run "Netdiag /v >>netdiag.txt" on both DCs
    -      Network Monitor trace when verifying the trust:
    Download the NetMon3.1 from the following link:
    http://www.microsoft.com/downloads/details.aspx?FamilyID=18b1d59d-f4d8-4213-8d17-2f6dde7d7aac&DisplayLang=en
    1.    Install the NetMon on Windows Server 2008.
    2.    In the Microsoft Network Monitor 3.1 window, click Create a new capture tab….
    3.    In the new tab, select all the Network Adapter in the Select Networks window.
    4.    After that, press F10 to start NetMon.
    5.    In the Active Directory Domains and Trusts, try to verify the trust to reproduce the issue.
    6.    After that, go back to the Netmon window and press F11 to stop the Netmon on the Windows Vista machine.
    7.    Press Ctrl+S to save the Netmon files.
    Please send files to [email protected]
    Note:
    a. Please include the following three lines for this issue in the email body:
    Trust Windows Server 2008 and Windows 2000
    http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=3210801&SiteID=17
    Miles Li - MSFT
    b. We will continue to discuss the issue here in the newsgroup and will NOT reply via emails.
    c. Please post a quick note in the current thread to inform me after sending the email.
    Thanks.
     

  • Windows server 2008 Active Directory with PT8.49

    Hi All,
    I am using the following:
    PeopleTools 8.49
    HRMS & Campus Solution 9.0
    I want to know: is Microsoft Windows 2008 Server Active Directory supported with PeopleTools 8.49?
    Regards,
    Irfan

    My favorites are RODCs and AD as a service.  
    Microsoft explains it in detail here:
    http://technet.microsoft.com/en-us/library/cc755093(v=WS.10).aspx

  • Windows Server 2003 - File/Directory Inventory and Reporting

    Hi All,
    My company would like to perform an inventory of all user files on all shares in order to perform a clean up rather than buying more disk space for those servers that are starting to run short.  We're looking for something that could be run on each
    server that would look at the following metadata/information:
    Show UNC Path (optional)
    Show Creation Date
    Show Last Modified Date
    Show Owner
    Show who last modified
    Show Size
    Scan to see if the file is duplicated in another place in the filesystem
    Again, the desire is to reduce storage space consumed in order to make more space available without simply going out and adding more storage.  A commercial option isn't out of the question if there is no native tool sets available.  
    I understand that Windows Server 2008 actually has this native, but upgrading these servers to 2008 would also require hardware upgrades which aren't desired or practical at this time.
    Thanks in advance,

    1. Install Powershell if you have not done it yet
    http://support.microsoft.com/kb/968929
    2. Modify appropriate script from Script Center and/or powershell pages/forums
    http://technet.microsoft.com/en-us/scriptcenter/dd742419.aspx
    http://powershell.com
    3. You can form the output into comma separated data file, that you export to Excel.
    HTH
    Milos

  • Server 2012 Active Directory replication problems

    Hi.
    I've got a forest with 2 sites.
    forest - domain.local
    site a: - everything appears to work fine
    srv-adc1 10.100.100.11 - domain controller - replicating with srv-adc2
    srv-adc2 10.100.100.12 - domain controller - replicating with srv-adc1
    site b: - was offline for more than 180 days
    srv-bdc1 10.200.100.11 - domain controller - not replicating with srv-adc1
    srv-bdc2 10.200.100.12 - demoted domain controller
    each domain controller is also a dns server
    all the servers are microsoft 2012
    Site B was offline for more than 180 days, so it exceeded the tombstone's lifetime.
    I demoted srv-bdc2 and did a metadata cleanup on the rest of the servers.
    I took srv-bdc2 out of the domain and brought it back in.
    When I try to promote it again I get an access denied error.
    When I try to browse to \\domain.local\ from any server in site B I get a network name error.
    The same thing happens if I try \\srv-adc1\
    With the IP it works just fine.
    I looked everywhere in the DNS but got nothing.
    Does anyone have an idea?

    thanks for replying.
    Both of them were down for about a year.
    Should I remove them from the domain, or will just demoting them be good enough?
    Will it affect something on siteb?
    srv-adc1 - repadmin /showreps /v
    SITEA\SRV-ADC1
    DSA Options: IS_GC 
    Site Options: (none)
    DSA object GUID: 6cc683ff-09ac-4aec-9e57-727141ed2c18
    DSA invocationID: 6cc683ff-09ac-4aec-9e57-727141ed2c18
    ==== INBOUND NEIGHBORS ======================================
    DC=DOMAIN,DC=LOCAL
        SITEA\SRV-ADC2 via RPC
            DSA object GUID: 89c75ba3-3796-4151-aa63-51916a24130c
            Address: 89c75ba3-3796-4151-aa63-51916a24130c._msdcs.DOMAIN.LOCAL
            DSA invocationID: ac8680bf-c70c-4fd5-aab1-5ceeba7645a6
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 1423024/OU, 1423024/PU
            Last attempt @ 2014-06-27 09:17:58 was successful.
        SITEB\SRV-BDC1 via RPC
            DSA object GUID: 465bca1d-a4e5-4925-9e11-0dc98cf8f176
            Address: 465bca1d-a4e5-4925-9e11-0dc98cf8f176._msdcs.DOMAIN.LOCAL
            DSA invocationID: 750894b2-365d-4241-8eab-0fd058f8e0ea
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS
            USNs: 689527/OU, 689527/PU
            Last attempt @ 2014-06-27 09:17:58 was successful.
    CN=Configuration,DC=DOMAIN,DC=LOCAL
        SITEA\SRV-ADC2 via RPC
            DSA object GUID: 89c75ba3-3796-4151-aa63-51916a24130c
            Address: 89c75ba3-3796-4151-aa63-51916a24130c._msdcs.DOMAIN.LOCAL
            DSA invocationID: ac8680bf-c70c-4fd5-aab1-5ceeba7645a6
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 1422941/OU, 1422941/PU
            Last attempt @ 2014-06-27 09:17:58 was successful.
        SITEB\SRV-BDC1 via RPC
            DSA object GUID: 465bca1d-a4e5-4925-9e11-0dc98cf8f176
            Address: 465bca1d-a4e5-4925-9e11-0dc98cf8f176._msdcs.DOMAIN.LOCAL
            DSA invocationID: 750894b2-365d-4241-8eab-0fd058f8e0ea
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS
            USNs: 689527/OU, 689527/PU
            Last attempt @ 2014-06-27 09:17:58 was successful.
    CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
        SITEA\SRV-ADC2 via RPC
            DSA object GUID: 89c75ba3-3796-4151-aa63-51916a24130c
            Address: 89c75ba3-3796-4151-aa63-51916a24130c._msdcs.DOMAIN.LOCAL
            DSA invocationID: ac8680bf-c70c-4fd5-aab1-5ceeba7645a6
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 1422941/OU, 1422941/PU
            Last attempt @ 2014-06-27 09:17:58 was successful.
        SITEB\SRV-BDC1 via RPC
            DSA object GUID: 465bca1d-a4e5-4925-9e11-0dc98cf8f176
            Address: 465bca1d-a4e5-4925-9e11-0dc98cf8f176._msdcs.DOMAIN.LOCAL
            DSA invocationID: 750894b2-365d-4241-8eab-0fd058f8e0ea
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS
            USNs: 689527/OU, 689527/PU
            Last attempt @ 2014-06-27 09:17:58 was successful.
    DC=DomainDnsZones,DC=DOMAIN,DC=LOCAL
        SITEA\SRV-ADC2 via RPC
            DSA object GUID: 89c75ba3-3796-4151-aa63-51916a24130c
            Address: 89c75ba3-3796-4151-aa63-51916a24130c._msdcs.DOMAIN.LOCAL
            DSA invocationID: ac8680bf-c70c-4fd5-aab1-5ceeba7645a6
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 1422941/OU, 1422941/PU
            Last attempt @ 2014-06-27 09:17:58 was successful.
        SITEB\SRV-BDC1 via RPC
            DSA object GUID: 465bca1d-a4e5-4925-9e11-0dc98cf8f176
            Address: 465bca1d-a4e5-4925-9e11-0dc98cf8f176._msdcs.DOMAIN.LOCAL
            DSA invocationID: 750894b2-365d-4241-8eab-0fd058f8e0ea
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS
            USNs: 689527/OU, 689527/PU
            Last attempt @ 2014-06-27 09:17:58 was successful.
    DC=ForestDnsZones,DC=DOMAIN,DC=LOCAL
        SITEA\SRV-ADC2 via RPC
            DSA object GUID: 89c75ba3-3796-4151-aa63-51916a24130c
            Address: 89c75ba3-3796-4151-aa63-51916a24130c._msdcs.DOMAIN.LOCAL
            DSA invocationID: ac8680bf-c70c-4fd5-aab1-5ceeba7645a6
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 1422941/OU, 1422941/PU
            Last attempt @ 2014-06-27 09:17:58 was successful.
        SITEB\SRV-BDC1 via RPC
            DSA object GUID: 465bca1d-a4e5-4925-9e11-0dc98cf8f176
            Address: 465bca1d-a4e5-4925-9e11-0dc98cf8f176._msdcs.DOMAIN.LOCAL
            DSA invocationID: 750894b2-365d-4241-8eab-0fd058f8e0ea
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS
            USNs: 689527/OU, 689527/PU
            Last attempt @ 2014-06-27 09:17:58 was successful.
    srv-adc2 - repadmin /showreps /v
    SITEA\SRV-ADC2
    DSA Options: IS_GC 
    Site Options: (none)
    DSA object GUID: 89c75ba3-3796-4151-aa63-51916a24130c
    DSA invocationID: ac8680bf-c70c-4fd5-aab1-5ceeba7645a6
    ==== INBOUND NEIGHBORS ======================================
    DC=DOMAIN,DC=LOCAL
        SITEA\SRV-ADC1 via RPC
            DSA object GUID: 6cc683ff-09ac-4aec-9e57-727141ed2c18
            Address: 6cc683ff-09ac-4aec-9e57-727141ed2c18._msdcs.DOMAIN.LOCAL
            DSA invocationID: 6cc683ff-09ac-4aec-9e57-727141ed2c18
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 4872366/OU, 4872366/PU
            Last attempt @ 2014-06-27 09:30:12 was successful.
    CN=Configuration,DC=DOMAIN,DC=LOCAL
        SITEA\SRV-ADC1 via RPC
            DSA object GUID: 6cc683ff-09ac-4aec-9e57-727141ed2c18
            Address: 6cc683ff-09ac-4aec-9e57-727141ed2c18._msdcs.DOMAIN.LOCAL
            DSA invocationID: 6cc683ff-09ac-4aec-9e57-727141ed2c18
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 4872349/OU, 4872349/PU
            Last attempt @ 2014-06-27 09:23:18 was successful.
    CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
        SITEA\SRV-ADC1 via RPC
            DSA object GUID: 6cc683ff-09ac-4aec-9e57-727141ed2c18
            Address: 6cc683ff-09ac-4aec-9e57-727141ed2c18._msdcs.DOMAIN.LOCAL
            DSA invocationID: 6cc683ff-09ac-4aec-9e57-727141ed2c18
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 4872278/OU, 4872278/PU
            Last attempt @ 2014-06-27 09:22:40 was successful.
    DC=DomainDnsZones,DC=DOMAIN,DC=LOCAL
        SITEA\SRV-ADC1 via RPC
            DSA object GUID: 6cc683ff-09ac-4aec-9e57-727141ed2c18
            Address: 6cc683ff-09ac-4aec-9e57-727141ed2c18._msdcs.DOMAIN.LOCAL
            DSA invocationID: 6cc683ff-09ac-4aec-9e57-727141ed2c18
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 4872278/OU, 4872278/PU
            Last attempt @ 2014-06-27 09:22:40 was successful.
    DC=ForestDnsZones,DC=DOMAIN,DC=LOCAL
        SITEA\SRV-ADC1 via RPC
            DSA object GUID: 6cc683ff-09ac-4aec-9e57-727141ed2c18
            Address: 6cc683ff-09ac-4aec-9e57-727141ed2c18._msdcs.DOMAIN.LOCAL
            DSA invocationID: 6cc683ff-09ac-4aec-9e57-727141ed2c18
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 4872278/OU, 4872278/PU
            Last attempt @ 2014-06-27 09:22:40 was successful.
    srv-bdc1 - repadmin /showreps /v
    SITEB\SRV-BDC1
    DSA Options: IS_GC 
    Site Options: (none)
    DSA object GUID: 465bca1d-a4e5-4925-9e11-0dc98cf8f176
    DSA invocationID: 750894b2-365d-4241-8eab-0fd058f8e0ea
    Source: SITEA\SRV-ADC1
    ******* 102 CONSECUTIVE FAILURES since 2014-06-26 08:42:30
    Last error: -2146893022 (0x80090322):
                The target principal name is incorrect.
    Naming Context: DC=ForestDnsZones,DC=DOMAIN,DC=LOCAL
    Source: SITEA\SRV-ADC1
    ******* WARNING: KCC could not add this REPLICA LINK due to error.
    Naming Context: DC=DomainDnsZones,DC=DOMAIN,DC=LOCAL
    Source: SITEA\SRV-ADC1
    ******* WARNING: KCC could not add this REPLICA LINK due to error.
    Naming Context: DC=DOMAIN,DC=LOCAL
    Source: SITEA\SRV-ADC1
    ******* WARNING: KCC could not add this REPLICA LINK due to error.
    Naming Context: CN=Configuration,DC=DOMAIN,DC=LOCAL
    Source: SITEA\SRV-ADC1
    ******* WARNING: KCC could not add this REPLICA LINK due to error.
    Source: SITEA\SRV-ADC2
    ******* 73 CONSECUTIVE FAILURES since 2014-06-26 15:24:28
    Last error: -2146893022 (0x80090322):
                The target principal name is incorrect.
    Naming Context: DC=ForestDnsZones,DC=DOMAIN,DC=LOCAL
    Source: SITEA\SRV-ADC2
    ******* WARNING: KCC could not add this REPLICA LINK due to error.
    Naming Context: DC=DomainDnsZones,DC=DOMAIN,DC=LOCAL
    Source: SITEA\SRV-ADC2
    ******* WARNING: KCC could not add this REPLICA LINK due to error.
    Naming Context: DC=DOMAIN,DC=LOCAL
    Source: SITEA\SRV-ADC2
    ******* WARNING: KCC could not add this REPLICA LINK due to error.
    Naming Context: CN=Configuration,DC=DOMAIN,DC=LOCAL
    Source: SITEA\SRV-ADC2
    ******* WARNING: KCC could not add this REPLICA LINK due to error.
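
    Added example (not part of the original post, and not Microsoft tooling): a Python sketch that parses the `repadmin /showreps /v` line shapes quoted above and lists partners where one DC's pull fails while the other side still reports a successful pull, as srv-bdc1 and srv-adc1 do here. The function names `parse_showreps` and `one_way_links` are hypothetical, the sample text is constructed by trimming the output in this post, and `SEC_E_WRONG_PRINCIPAL` is the SSPI name for status 0x80090322.

```python
import re

# Constructed samples: lines trimmed from the srv-adc1 and srv-bdc1 output above.
ADC1 = r"""
SITEA\SRV-ADC1
==== INBOUND NEIGHBORS ======================================
DC=DOMAIN,DC=LOCAL
    SITEA\SRV-ADC2 via RPC
        Last attempt @ 2014-06-27 09:17:58 was successful.
    SITEB\SRV-BDC1 via RPC
        Last attempt @ 2014-06-27 09:17:58 was successful.
"""
BDC1 = r"""
SITEB\SRV-BDC1
Source: SITEA\SRV-ADC1
******* 102 CONSECUTIVE FAILURES since 2014-06-26 08:42:30
Last error: -2146893022 (0x80090322):
            The target principal name is incorrect.
Naming Context: DC=DOMAIN,DC=LOCAL
Source: SITEA\SRV-ADC1
******* WARNING: KCC could not add this REPLICA LINK due to error.
Source: SITEA\SRV-ADC2
******* 73 CONSECUTIVE FAILURES since 2014-06-26 15:24:28
Last error: -2146893022 (0x80090322):
            The target principal name is incorrect.
"""

KNOWN = {0x80090322: "SEC_E_WRONG_PRINCIPAL"}  # SSPI name of this status code
HEADER = re.compile(r"^[\w-]+\\([\w-]+)$")
NEIGHBOR = re.compile(r"^[\w-]+\\([\w-]+) via RPC$")
SOURCE = re.compile(r"^Source: [\w-]+\\([\w-]+)$")
CONTEXT = re.compile(r"^(?:Naming Context: )?((?:CN|DC)=\S+)$")
ATTEMPT = re.compile(r"^Last attempt @ (\S+ \S+) was successful\.$")
FAILS = re.compile(r"^\*+ (\d+) CONSECUTIVE FAILURES since (\S+ \S+)$")
ERROR = re.compile(r"^Last error: (-?\d+) \((0x[0-9a-fA-F]+)\):$")


def parse_showreps(text):
    """Return {'local', 'inbound_ok': [(nc, source, when)], 'failures': [dict]}."""
    rep = {"local": None, "inbound_ok": [], "failures": []}
    nc = src = fail = None
    need_msg = False
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if need_msg:  # free-text line that follows "Last error:"
            fail["message"], need_msg = line, False
        elif (m := HEADER.match(line)) and rep["local"] is None:
            rep["local"] = m[1]
        elif m := CONTEXT.match(line):
            nc = m[1]
        elif m := NEIGHBOR.match(line) or SOURCE.match(line):
            src = m[1]
        elif m := ATTEMPT.match(line):
            rep["inbound_ok"].append((nc, src, m[1]))
        elif m := FAILS.match(line):
            fail = {"source": src, "count": int(m[1]), "since": m[2]}
            rep["failures"].append(fail)
        elif (m := ERROR.match(line)) and fail is not None:
            code = int(m[2], 16)
            fail["consistent"] = code - 2**32 == int(m[1])  # signed vs hex form agree
            fail["status"] = KNOWN.get(code, m[2])
            need_msg = True
    return rep


def one_way_links(reports):
    """(failing DC, partner, failures, status) where the partner still pulls from it."""
    by_name = {r["local"]: r for r in reports}
    return [(r["local"], f["source"], f["count"], f.get("status"))
            for r in reports for f in r["failures"]
            if any(s == r["local"]
                   for _, s, _ in by_name.get(f["source"], {}).get("inbound_ok", []))]
```

Feed it the saved text from each DC; a partner with no report supplied (srv-adc2 in the sample) is simply not cross-checked.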

  • Os x server loses active directory binding

    I am running an open directory/active directory network.  Authentication is from the Windows server 2003 active directory.  It has worked fine until the last month. Now clients stop authenticating & when I  check the AD plugin it says network accounts are not available.  I can force the server to unbind, then renew the binding & everything works great.
    Is there any work around or fix for this other than upgrading the windows server to 2008?
    Thanks

    Yes.  You are likely experiencing one of two common issues.  1:  Your time skew is too large (although an unbind/bind will not solve this) or 2: you are failing to properly set the random machine password.
    Try this command on the server:
    sudo dsconfigad -passinterval 0
    Then:
    sudo dsconfigad -show
    to confirm the setting.  This will prevent the machine from refreshing its machine password with the domain every 14 days (default setting).  The issue is that Apple's plugin does not properly catch an exception.  What happens is the plugin detects that it should re-randomize the machine password so it creates a new one, records it to the config file, and THEN tries to write it to the domain.  When the write to the domain fails, the system then sends the new password already recorded in the config file and now they mismatch.  This is a common AD integration issue and is likely associated with your binding rights in AD.
    As for time, make sure you are pointing all your Macs to the DC for time info or to a mutually agreed upon external server.
    Hope this helps.  Easy to fix.

  • Directory Security Strange Permissions Issues (Windows Server 2003 running Active Directory)

    I have a user that all of a sudden was not able to open 70% of her files located on a file server, Windows Server 2003 running Active Directory, from her laptop. The same user can access all the same files from a different machine, logging on with the same
    credentials. Just looking for a point in the right direction and a possible theory as to what could cause this problem, and why all of a sudden. I did go back through the logs but nothing sticks out. For the most part the logs on the server and the laptop are
    pretty clean. 
    Both machines are Latitude E5420s running Windows 7 Enterprise Service Pack 1. Both machines are 64bit and connect to the network via hard-wire, not wireless.
    Thanks in advance.
    Grajek

    I would recommend proceeding that way:
    Check that your DCs are in a healthy state and AD replication is fine: It might be that the user is member of security groups and the membership is not getting replicated properly which can cause this random behavior. You can use
    dcdiag and repadmin for checks and you can refer to my recommendations here: http://social.technet.microsoft.com/wiki/contents/articles/18513.active-directory-replication-issues-basic-troubleshooting-steps-single-ad-domain-in-a-single-ad-forest.aspx
    Make  sure that the file server is reachable from the user client computer. Start with
    ping and nslookup. Also, you need to make sure that the traffic between the client and the server is not blocked or filtered. You might want to temporarily disable security software for testing.
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK

  • Windows Server 2003 DC / ADC Domain Join Problem

    Hi,
    I have Windows Server 2003 DC configured. It is Catalog Server and it holds all the fsmo roles .Also DNS Server too.
    Now I created an additional domain Controller (ADC) _ dns server + i made it a global catalog server too,
    The problem is when i shutdown my dc, I am not able to join client machines to the domain.
    It says " The domain controller could not be contacted"
    DNS Successful queried srv records..
    the following domain controllers were found:
    In the client pc , i have set up dns of dc and alternate dns of adc.
    Why is this problem occurring?
    Samvit

    It says " The domain controller could not be contacted"
    This is a DNS resolution problem.
    Please make sure that each of your DCs is:
    Pointing to the other one as primary DNS server
    Points to its private IP address as secondary one
    Points to 127.0.0.1 as third DNS server
    Once done, restart netlogon service and run ipconfig /registerdns. For client computers, you need to make sure that they point to both DCs as primary and secondary DNS servers. As for the public DNS servers, they need to be configured on
    your DCs as forwarders.
    More details about recommendations for DCs IP settings here: http://social.technet.microsoft.com/wiki/contents/articles/18513.active-directory-replication-issues-basic-troubleshooting-steps-single-ad-domain-in-a-single-ad-forest.aspx
    If this does not help then please check that there is no filtering between DCs and clients with DCs.
    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

  • Upgrading windows server 2003 domain controller to windows server 2008

    Hello friends:
    We have a company with about 2000 users , and two windows server 2003 domain controllers , one of them acts as a primary domain controller , and the other acts as secondary domain controller , all the FSMO s are on the primary DC ,we have decided to upgrade all of our servers from windows server 2003 to windows server 2008 , the first step is to upgrade the domain controllers to windows server 2008 , our domain controllers are so sensitive and has to be active 24 hours a day , i have stress upgrading it to windows server 2008 , what is the best solution to upgrade it with no risk ?
    ( i have an opinion but i am not sure and i dont have any guide about it , i want to install a windows server 2008 and promote it as an additional domain controller to the windows server 2003 DC and the transfer all the FSMOs to it , and then promote the first domain controller !!! is that possible ? if yes , is there any guide about it? )
    If there is a guide available for it please let me know . (Specially if there is a tip & trick)
    thank you guys.
    Network is my LOVE

    Hi,
    This TechNet online article might be helpful for you.
    How to Upgrade Domain Controllers to Windows Server 2008 or Windows Server 2008 R2
    http://technet.microsoft.com/en-us/library/ee522994(WS.10).aspx
    For your convenience, I have listed some general steps for your reference.
    Since the following operation have potential damage to Active Directory database, it is highly suggested that you'd better perform a full backup of Active Directory (System State) firstly. Also it is better to test the following procedure in a similar lab environment first.
    General Steps:
    =============
    1. Verify the new server's TCP/IP configuration has been pointed to the current DNS server.
    2. Make the new server become a member server of the current Windows Server 2003 domain first.
    3. Upgrade the Windows Server 2003 forest schema to Windows Server 2008 schema with the "adprep /forestprep" command on old server.
    Please run the "adprep.exe /forestprep" command from the Windows Server 2008 installation disk on the schema master. To do this, insert the Windows Server 2008 installation disk, and then type the following command:
    Drive:\sources\ADPREP\adprep.exe /forestprep
    4. Upgrade the Windows 2003 domain schema with the "adprep /domainprep" command on old server.
    Please run the "adprep.exe /domainprep" command from the Windows Server 2008 installation disk on the infrastructure master. To do this, insert the Windows Server 2008 installation disk, and then type the following command:
    Drive:\sources\ADPREP\adprep.exe /domainprep
    5. Insert Windows Server 2008 Installation Disc in the new server.
    6. Run "dcpromo" on new server to promote it as an additional domain controller in existing Windows 2003 domain, afterwards you may verify the installation of Active Directory.
    Please refer to:
    How to Verify an Active Directory Installation in Windows Server 2003
    http://support.microsoft.com/kb/816106
    7. Verify the new server's TCP/IP configuration has been pointed to current DNS server.
    8. Enable Global Catalog on new server and manually Check Replication Topology and afterwards manually trigger replication (Replicate Now) to synchronize Active Directory database between 2 replicas.
    Please note: It will take some time to replicate GC between DCs, please wait some time with patience.
    9. Disable Global Catalog on the old DC.
    10. Transfer all the FSMO roles from the old DC to the new DC.
    Please refer to:
    How to view and transfer FSMO roles in Windows Server 2003
    http://support.microsoft.com/kb/324801
    11. Verify that the old DNS Server Zone type is Active Directory-Integrated. If not, please refer to:
    How To: Convert DNS Primary Server to Active Directory Integrated
    http://support.microsoft.com/kb/816101
    Note: Active Directory Integrated-Zone is available only if DNS server is a domain controller.
    12. Install DNS component on new server and configure it as a new DNS Server (Active Directory Integrated-Zone is preferred). All the DNS configuration should be replicated to the new DNS server with Active Directory Replication.
    13. Make all the clients change TCP/IP configuration to point to new server as DNS.
    14. You may configure TCP/IP on all the clients, or adjust DHCP scope settings to make them use the new DNS server.
    Please note: It is a good practice to make the old DC offline for several days and check whether everything works normally with the new server online. If so, you may let the old DC online and run DCPROMO to demote it.
    Hope it helps.
    Regards,
    Wilson Jia
    This posting is provided "AS IS" with no warranties, and confers no rights.
