Windows Server 2008 R2 Domain Controller NOT logging EventID 4740

EventID 4740 (account lockout) is not being logged to the event viewer. When searching through the security log there are none to be found. Having accounts locked out and no logging is driving me nuts. Hope someone has run into this before. This is what
i have checked thus far.
>Windows Server 2008 R2 Domain Controller
>Verified the following GPO settings are set and correct:
>Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\ all are set for Success & Failure
>Computer Configuration\Windows Settings\Security Settings\Advanced Audit Configuration\Logon/Logoff) is set for Success and Failure
>Powershell command Get-Eventlog -log Security -InstanceId 4740 returns no results which makes sense since there are no entries in the security log file.
>No 4740 entries in the netlogon.log debug file
AD and the LockoutStatus tool show the account is locked out but i still have nothing in the logs.
Anyone have any ideas? From everything i can find online , it appears i have everything set properly.
Thanks, Chico

Hi Chico,
I suggest you try to enable this group policy below:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management
More information for you:
Missing 4740 EventID's
http://social.technet.microsoft.com/Forums/windowsserver/en-US/c9871d72-7439-46b5-98e6-a7fadfa6ff28/missing-4740-eventids?forum=winserversecurity
If you have multiple Domain Controllers, check this event on other DCs, too.
Please feel free to let us know if there are any further requirements.
Best Regards,
Amy Wang

Similar Messages

Cannot generate Account Logon Events (Event ID 4624) in Security Event Log on Server 2008 R2 Domain Controller

I have configured the Default Domain Controller's policy to log SUCCESS for Account Logon Events in the Server 2008 R2 Domain Controller, but these events are not logging in the Security Event log.
Default Domain Controllers Policy
Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policies/Audit Account Logon Events = Success.
What tools can I use to troubleshoot this further? The results of "Auditpol.exe /get /category:*" are below.
System audit policy
Category/Subcategory                      Setting
System
Security System Extension               No Auditing
System Integrity                        No Auditing
IPsec Driver                            No Auditing
Other System Events                     No Auditing
Security State Change                   No Auditing
Logon/Logoff
Logon                                   No Auditing
Logoff                                  No Auditing
Account Lockout                         No Auditing
IPsec Main Mode                         No Auditing
IPsec Quick Mode                        No Auditing
IPsec Extended Mode                     No Auditing
Special Logon                           No Auditing
Other Logon/Logoff Events               No Auditing
Network Policy Server                   No Auditing
Object Access
File System                             No Auditing
Registry                                No Auditing
Kernel Object                           No Auditing
SAM                                     No Auditing
Certification Services                  No Auditing
Application Generated                   No Auditing
Handle Manipulation                     No Auditing
File Share                              No Auditing
Filtering Platform Packet Drop          No Auditing
Filtering Platform Connection           No Auditing
Other Object Access Events              No Auditing
Detailed File Share                     No Auditing
Privilege Use
Sensitive Privilege Use                 No Auditing
Non Sensitive Privilege Use             No Auditing
Other Privilege Use Events              No Auditing
Detailed Tracking
Process Termination                     No Auditing
DPAPI Activity                          No Auditing
RPC Events                              No Auditing
Process Creation                        No Auditing
Policy Change
Audit Policy Change                     No Auditing
Authentication Policy Change            No Auditing
Authorization Policy Change             No Auditing
MPSSVC Rule-Level Policy Change         No Auditing
Filtering Platform Policy Change        No Auditing
Other Policy Change Events              No Auditing
Account Management
User Account Management                 No Auditing
Computer Account Management             No Auditing
Security Group Management               No Auditing
Distribution Group Management           No Auditing
Application Group Management            No Auditing
Other Account Management Events         No Auditing
DS Access
Directory Service Changes               No Auditing
Directory Service Replication           No Auditing
Detailed Directory Service Replication No Auditing
Directory Service Access                No Auditing
Account Logon
Kerberos Service Ticket Operations      No Auditing
Other Account Logon Events              No Auditing
Kerberos Authentication Service         No Auditing
Credential Validation                   Success

Hi Lawrence,
After configuring the GPO, did we run command gpupdate/force to update the policy immediately on domain controller? Besides, please run command gpresult/h c:\gpreport.html to check if the audit policy
setting was applied successfully.
TechNet Subscriber Support
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Best regards,
Frank Shen

Group Chat feature in Office Communications Server 2007 R2 does not work in Windows Server 2008 R2 domains

   Hello to all, there are two confliting articles about this topic:
   1-
http://technet.microsoft.com/en-us/library/upgrade-domain-controllers-to-windows-server-2008-r2(v=ws.10).aspx#BKMK_Whatsnew : this one says that it does not work "The Group Chat feature in Office Communications Server 2007 R2 does not work in Windows
Server 2008 R2 domains". This article was updated in 2013.
   2-
http://technet.microsoft.com/en-us/library/ee692314(office.13).aspx: this other article says that it will function "Office Communications Server 2007 R2 Group Chat will function in a Windows Server 2008 R2 forest". This article was updated in
2010 and was refered by the first one.
   What is the correct support position for Group Chat feature in Office Communications Server 2007 R2 and Windows Server 2008 R2 domains?
   Regards, EEOC.

Hi,
I notice the following sentence in the link below “Office Communications Server 2007 R2, Group Chat will not function in a Windows Server 2008 R2 forest or when Group Chat member servers are joined to a Windows Server 2008 R2 domain.
We know of an issue with changes in Windows 2008 R2 that requires a Group Chat Client and Group Chat Admin Tools hotfix. The Group Chat Client and Group Chat Admin Tools hotfixes are currently scheduled for mid-April 2010.”
http://blogs.technet.com/b/nexthop/archive/2010/11/06/supportability-for-office-communications-server-2007-r2-and-windows-server-2008-r2.aspx
So in my opinion, if you update to the latest version of Windows Server 2008 R2, OCS Server 2007 R2 and Group Chat Client, Group Chat Admin Tools to the latest version, it should work.
However, the best method for you is make a lab to test the problem firstly.
Best Regards,
Eason Huang
Eason Huang
TechNet Community Support

Add Windows Server 2012 R2 domain controller to Windows 2008 R2 domain

Hi,
Have today 2 x Windows Server 2008 R2 domain controllers, and domain and functional level 2008 R2.
We now want to replace these DC`s with Windows Server 2012 R2.
My plan is as follow
- Install and promote a Windows Server 2012 R2 as a 3 DC`s with a temporary hostname and IP as DC3
- Install and promote a second Windows Server 2012 R2 as a 4 DC`s with a temporary hostname and IP as DC4
- Decomiss DC1 and remove this host. Change the IP and hostname of the new DC3 to DC1
- Move FSMO roles from DC2 to DC1 and decomiss DC2
- Change the IP and hostname of the new DC4 to DC2
Will this be a ok progress ? I will offcours to have the DC`s replicate information between them before doing each task.
/Regards Andreas

Hi,
Only error i got running dcdiag was the following
Starting test: NCSecDesc
    Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
       Replicating Directory Changes In Filtered Set
    access rights for the naming context:
    DC=ForestDnsZones,DC=domain,DC=local
    Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
       Replicating Directory Changes In Filtered Set
    access rights for the naming context:
    DC=DomainDnsZones,DC=domain,DC=local
    ......................... DC1 failed test NCSecDesc
Is this a problem ?
I would guess not since im not implementing a RODC ? Ref:
https://support.microsoft.com/en-us/kb/967482?wa=wsignin1.0
You can ignore it.
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile

Windows 7 or Windows Server 2008 R2 domain join displays error "Changing the Primary Domain DNS name of this computer to "" failed...."

Hi,
Windows 7 or Windows Server 2008 R2 domain join displays error "Changing the Primary Domain DNS name of this computer to "" failed...."
DC:windows Server 2008 R2
Domain functional level:Windows Server 2003
When Winxp join domain, have no this error message.
I checked http://support.microsoft.com/kb/2018583?wa=wsignin1.0 does't work.
There have 3 suggestion in this article:
1.The "Disable NetBIOS over TCP/IP" checkbox has been disabled in the IPv4 properties of the computer being joined.
Doesnt's work.
2.Connectivity over UDP port 137 is blocked between client and the helper DC servicing the join operation in the target domain.
On my DC, I run netstat -an, reslut as below:
UDP 192.168.20.3:137 *:*
3.The TCP/IPv4 protocol has been disabled so that the client being joined or the DC in the destination domain targeted by the LDAP BIND is running TCP/IPv6 only.
We are not using IPV6.
This server recently updated from Windows Server 2003 to Windows Server 2008 R2. Before upgrade, when Win7 and Win2008 join this domain, also have the same error message.
Please help to check this issue.
Thank you very much.
BR
Guo YingHui

Hi Guo Ying,
I have faced this critical error which makes over-writes the host names in the domain when you join.
For example: Already you had a host name called as PC.domain.com in the domain.com Domain.
When you try to add the another host name called as PC in the domain.com Domain, it doesn't give you the duplicate name error on the network it does over-write the existing host name called as PC.domain.com & it will add the new host name into the domain.
Host name which got over-written will get removed from the domain. I faced this issue in my project. My DPM host name got removed from the Domain & new host name got joined into the domain which halted my backups for one day.
Final Resolution is as follows:
You need to start the dns console on the DC & drop down the domain name.
Select the _msdcs when you click on _msdcs it will show the Name Server's list on the right hand side.
You need to add the Domain Naming Master under the _msdcs or add all the domain controllers which you had.
After you add the Name server's try joining the PC OR Laptop to the domain which is successfully joins it.
Regards
Anand S
Thanks & Regards Anand Sunka MCSA+CCNA+MCTS

Exchange 2007 RTM support with Windows Server 2012 R2 Domain Controller

Hi All,
I have not found any TechNet Article which states about the Windows Server 2012 R2 Active Directory domain controller operating system support with Exchange 2007 RTM, can some one please let me know that does Exchange 2007 RTM supports Windows Server 2012
R2 domain controller operating system, we are in the process of upgrading the domain controllers to 2012 R2 but not the forest and domain functional level to 2012 R2.
thanks
If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync

There are several likely reasons for this. The most significant is that Exchange 2007 RTM is no longer supported (outside ot extended support, which is not going to include adding support for new operating systems):
http://support2.microsoft.com/lifecycle/default.aspx?LN=en-us&p1=10926
You'll note from the following -
http://technet.microsoft.com/library/ff728623(v=exchg.150).aspx - that only Exchange 2007 SP3 is currently supported in any environment.
HTH ...

Biztalk 2013 R2 with Windows Server 2003 R2 Domain Controller

Hello, I have a client right who has a Windows Server 2003 R2 domain controller with active directory installed. Is there any reason why I can't install Biztalk 2013 on a Windows Server 2012 R2 box and add it to that farm to use active directory?
Thanks in advance,
-Adam

BizTalk Server is only going to use the User Groups created in Domain Controller so ideally i don't think there will be any compatibility issue. Also there isn't any microsoft article which talks about BizTalk compatibility with respect to domain controller.
You will have to create all the Windows Groups and User Accounts in AD, before BizTalk Server configuration.
Windows Groups and User Accounts in BizTalk Server
Thanks,
Prashant
Please mark this post accordingly if it answers your query or is helpful.

Windows Server 2008 R2 - You might not have permission to use this network resource. The request is not supported.

Hello !
I have a server with Windows Server 2008 R2 (AD, File Server, DNS Server and DHCP Server) that not access network share other Domain Controller.
Well, is very crazy.
I view network shares by network computers and devices,
but not \\domain_controller or \\IP_domain_controller.
I execute ping for succeed for all servers.
Follow error bellow:

irectory Server Diagnosis
Performing initial setup:
Trying to find home server...
* Verifying that the local machine SRVMTZDC01, is a Directory Server.
Home Server = SRVMTZDC01
* Connecting to directory service on server SRVMTZDC01.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=shcorp,DC=local,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=SAO,CN=Sites,CN=Configuration,DC=shcorp,DC=local
Getting ISTG and options for the site
Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=shcorp,DC=local
Getting ISTG and options for the site
Looking at base site object: CN=NTDS Site Settings,CN=CWB,CN=Sites,CN=Configuration,DC=shcorp,DC=local
Getting ISTG and options for the site
Looking at base site object: CN=NTDS Site Settings,CN=POA,CN=Sites,CN=Configuration,DC=shcorp,DC=local
Getting ISTG and options for the site
Looking at base site object: CN=NTDS Site Settings,CN=RIO,CN=Sites,CN=Configuration,DC=shcorp,DC=local
Getting ISTG and options for the site
Looking at base site object: CN=NTDS Site Settings,CN=VIX,CN=Sites,CN=Configuration,DC=shcorp,DC=local
Getting ISTG and options for the site
Looking at base site object: CN=NTDS Site Settings,CN=SSA,CN=Sites,CN=Configuration,DC=shcorp,DC=local
Getting ISTG and options for the site
Looking at base site object: CN=NTDS Site Settings,CN=FOR,CN=Sites,CN=Configuration,DC=shcorp,DC=local
Getting ISTG and options for the site
Looking at base site object: CN=NTDS Site Settings,CN=BHZ,CN=Sites,CN=Configuration,DC=shcorp,DC=local
Getting ISTG and options for the site
Looking at base site object: CN=NTDS Site Settings,CN=BSB,CN=Sites,CN=Configuration,DC=shcorp,DC=local
Getting ISTG and options for the site
Looking at base site object: CN=NTDS Site Settings,CN=RCF,CN=Sites,CN=Configuration,DC=shcorp,DC=local
Getting ISTG and options for the site
Looking at base site object: CN=NTDS Site Settings,CN=BEL,CN=Sites,CN=Configuration,DC=shcorp,DC=local
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=shcorp,DC=local,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=SRVDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=shcorp,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=SRVDC05,CN=Servers,CN=SAO,CN=Sites,CN=Configuration,DC=shcorp,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=SRVDC06,CN=Servers,CN=CWB,CN=Sites,CN=Configuration,DC=shcorp,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=SRVDC13,CN=Servers,CN=POA,CN=Sites,CN=Configuration,DC=shcorp,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=SRVDC07,CN=Servers,CN=RIO,CN=Sites,CN=Configuration,DC=shcorp,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=SRVDC08,CN=Servers,CN=VIX,CN=Sites,CN=Configuration,DC=shcorp,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=SRVDC09,CN=Servers,CN=SSA,CN=Sites,CN=Configuration,DC=shcorp,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=SRVDC12,CN=Servers,CN=FOR,CN=Sites,CN=Configuration,DC=shcorp,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=SRVDC04,CN=Servers,CN=BHZ,CN=Sites,CN=Configuration,DC=shcorp,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=SRVDC10,CN=Servers,CN=BSB,CN=Sites,CN=Configuration,DC=shcorp,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=SRVMTZDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=shcorp,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=SRVRCFDC11,CN=Servers,CN=RCF,CN=Sites,CN=Configuration,DC=shcorp,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 12 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\SRVMTZDC01
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
......................... SRVMTZDC01 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\SRVMTZDC01
Starting test: Advertising
The DC SRVMTZDC01 is advertising itself as a DC and having a DS.
The DC SRVMTZDC01 is advertising as an LDAP server
The DC SRVMTZDC01 is advertising as having a writeable directory
The DC SRVMTZDC01 is advertising as a Key Distribution Center
Warning: SRVMTZDC01 is not advertising as a time server.
The DS SRVMTZDC01 is advertising as a GC.
......................... SRVMTZDC01 failed test Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Starting test: FrsEvent
* The File Replication Service Event log test
......................... SRVMTZDC01 passed test FrsEvent
Starting test: DFSREvent
The DFS Replication Event Log.
Skip the test because the server is running FRS.
......................... SRVMTZDC01 passed test DFSREvent
Starting test: SysVolCheck
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... SRVMTZDC01 passed test SysVolCheck
Starting test: KccEvent
* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
......................... SRVMTZDC01 passed test KccEvent
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=SRVDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=shcorp,DC=local
Role Domain Owner = CN=NTDS Settings,CN=SRVDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=shcorp,DC=local
Role PDC Owner = CN=NTDS Settings,CN=SRVDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=shcorp,DC=local
Role Rid Owner = CN=NTDS Settings,CN=SRVDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=shcorp,DC=local
Role Infrastructure Update Owner = CN=NTDS Settings,CN=SRVDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=shcorp,DC=local
......................... SRVMTZDC01 passed test KnowsOfRoleHolders
Starting test: MachineAccount
Checking machine account for DC SRVMTZDC01 on DC SRVMTZDC01.
* SPN found :LDAP/SRVMTZDC01.shcorp.local/shcorp.local
* SPN found :LDAP/SRVMTZDC01.shcorp.local
* SPN found :LDAP/SRVMTZDC01
* SPN found :LDAP/SRVMTZDC01.shcorp.local/SHCORP
* SPN found :LDAP/9956d321-332f-482c-855c-8bceee885bb6._msdcs.shcorp.local
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/9956d321-332f-482c-855c-8bceee885bb6/shcorp.local
* SPN found :HOST/SRVMTZDC01.shcorp.local/shcorp.local
* SPN found :HOST/SRVMTZDC01.shcorp.local
* SPN found :HOST/SRVMTZDC01
* SPN found :HOST/SRVMTZDC01.shcorp.local/SHCORP
* SPN found :GC/SRVMTZDC01.shcorp.local/shcorp.local
......................... SRVMTZDC01 passed test MachineAccount
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC SRVMTZDC01.
* Security Permissions Check for
DC=ForestDnsZones,DC=shcorp,DC=local
(NDNC,Version 3)
* Security Permissions Check for
DC=DomainDnsZones,DC=shcorp,DC=local
(NDNC,Version 3)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=shcorp,DC=local
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=shcorp,DC=local
(Configuration,Version 3)
* Security Permissions Check for
DC=shcorp,DC=local
(Domain,Version 3)
......................... SRVMTZDC01 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\SRVMTZDC01\netlogon
Verified share \\SRVMTZDC01\sysvol
......................... SRVMTZDC01 passed test NetLogons
Starting test: ObjectsReplicated
SRVMTZDC01 is in domain DC=shcorp,DC=local
Checking for CN=SRVMTZDC01,OU=Domain Controllers,DC=shcorp,DC=local in domain DC=shcorp,DC=local on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=SRVMTZDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=shcorp,DC=local in domain CN=Configuration,DC=shcorp,DC=local on 1 servers
Object is up-to-date on all servers.
......................... SRVMTZDC01 passed test ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Starting test: Replications
* Replications Check
* Replication Latency Check
DC=ForestDnsZones,DC=shcorp,DC=local
Latency information for 7 entries in the vector were ignored.
7 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=shcorp,DC=local
Latency information for 7 entries in the vector were ignored.
7 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=shcorp,DC=local
Latency information for 7 entries in the vector were ignored.
7 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=shcorp,DC=local
Latency information for 7 entries in the vector were ignored.
7 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=shcorp,DC=local
Latency information for 7 entries in the vector were ignored.
7 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
......................... SRVMTZDC01 passed test Replications
Starting test: RidManager
* Available RID Pool for the Domain is 14100 to 1073741823
* SRVDC01.shcorp.local is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 11600 to 12099
* rIDPreviousAllocationPool is 11600 to 12099
* rIDNextRID: 11737
......................... SRVMTZDC01 passed test RidManager
Starting test: Services
* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
* Checking Service: DnsCache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... SRVMTZDC01 passed test Services
Starting test: SystemLog
* The System Event log test
An error event occurred. EventID: 0x00000422
Time Generated: 05/02/2014 12:55:01
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\shcorp.local\SysVol\shcorp.local\Policies\{1A69D491-B88A-4F66-B294-4ABEC8C62886}\gpt.ini from a domain controller and was not successful. Group
Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
An error event occurred. EventID: 0x00000422
Time Generated: 05/02/2014 13:11:54
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\shcorp.local\SysVol\shcorp.local\Policies\{1A69D491-B88A-4F66-B294-4ABEC8C62886}\gpt.ini from a domain controller and was not successful. Group
Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
A warning event occurred. EventID: 0x80001083
Time Generated: 05/02/2014 13:18:00
Event String:
TCP/IP failed to establish an outgoing connection because the selected local endpoint was recently used to connect to the same remote endpoint. This error typically occurs when outgoing connections are opened and closed
at a high rate, causing all available local ports to be used and forcing TCP/IP to reuse a local port for an outgoing connection. To minimize the risk of data corruption, the TCP/IP standard requires a minimum time period to elapse between successive connections
from a given local endpoint to a given remote endpoint.
An error event occurred. EventID: 0xC0002719
Time Generated: 05/02/2014 13:20:41
Event String:
DCOM was unable to communicate with the computer 8.8.4.4 using any of the configured protocols.
An error event occurred. EventID: 0xC0002719
Time Generated: 05/02/2014 13:21:03
Event String:
DCOM was unable to communicate with the computer 8.8.8.8 using any of the configured protocols.
......................... SRVMTZDC01 failed test SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Starting test: VerifyReferences
The system object reference (serverReference)
CN=SRVMTZDC01,OU=Domain Controllers,DC=shcorp,DC=local and backlink on
CN=SRVMTZDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=shcorp,DC=local
are correct.
The system object reference (serverReferenceBL)
CN=SRVMTZDC01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=shcorp,DC=local
and backlink on
CN=NTDS Settings,CN=SRVMTZDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=shcorp,DC=local
are correct.
The system object reference (frsComputerReferenceBL)
CN=SRVMTZDC01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=shcorp,DC=local
and backlink on CN=SRVMTZDC01,OU=Domain Controllers,DC=shcorp,DC=local
are correct.
......................... SRVMTZDC01 passed test VerifyReferences
Test omitted by user request: VerifyReplicas
Test omitted by user request: DNS
Test omitted by user request: DNS
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : shcorp
Starting test: CheckSDRefDom
......................... shcorp passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... shcorp passed test CrossRefValidation
Running enterprise tests on : shcorp.local
Test omitted by user request: DNS
Test omitted by user request: DNS
Starting test: LocatorCheck
GC Name: \\SRVMTZDC01.shcorp.local
Locator Flags: 0xe00031bc
PDC Name: \\SRVDC01.shcorp.local
Locator Flags: 0xe00033fd
Time Server Name: \\SRVDC01.shcorp.local
Locator Flags: 0xe00033fd
Preferred Time Server Name: \\SRVDC01.shcorp.local
Locator Flags: 0xe00033fd
KDC Name: \\SRVMTZDC01.shcorp.local
Locator Flags: 0xe00031bc
......................... shcorp.local passed test LocatorCheck
Starting test: Intersite
Skipping site SAO, this site is outside the scope provided by the
command line arguments provided.
Skipping site Default-First-Site-Name, this site is outside the scope
provided by the command line arguments provided.
Skipping site CWB, this site is outside the scope provided by the
command line arguments provided.
Skipping site POA, this site is outside the scope provided by the
command line arguments provided.
Skipping site RIO, this site is outside the scope provided by the
command line arguments provided.
Skipping site VIX, this site is outside the scope provided by the
command line arguments provided.
Skipping site SSA, this site is outside the scope provided by the
command line arguments provided.
Skipping site FOR, this site is outside the scope provided by the
command line arguments provided.
Skipping site BHZ, this site is outside the scope provided by the
command line arguments provided.
Skipping site BSB, this site is outside the scope provided by the
command line arguments provided.
Skipping site RCF, this site is outside the scope provided by the
command line arguments provided.
Skipping site BEL, this site is outside the scope provided by the
command line arguments provided.
......................... shcorp.local passed test Intersite

Adding a Server 2008 R2 Domain Controller at a remote site

Hello. I have been trying to set up a hot site at a remote location. The story is long and involved but a few weeks ago it seemed to be finally working. Our setup is two mirrored 2008 R2 servers at main site, mirrored with Double Take.
The hot site is the same except that so far I only had one server working. The two sites connected via site to site VPN.
About a week later our primary server basically crashed. At first it worked but very slowly. I was on vacation at the time and so I am not sure of the sequence of events, or exactly what errors were presented, but my associate first tried rebooting.
It took over 20 minutes to boot and then it said something to the effect that no domain controllers were available (not sure about this message). He then discovered that the server at the remote site had some fsmo roles assigned to it. He transferred
the roles to the primary at the main site and then demoted the remote server to a workstation (but still a domain member).
After that, rebooting the primary was much faster and everything at the primary site is working again. Now I want to set the remote site up again, but avoid the problem. The way I originally set up the remote server was to use an IFM file, generated
from our primary. This should have made the remote server a catalog server, with DNS (which it did), but as far as I know should not have transferred any fsmo roles.
The remote server(s) are wanted to be in the same domain as the primary. They will also be mirrored from the primary (with Double Take). If we had total failure at the main site, we wish to be able to immediately begin operations at the hot site
(after a fail over). I freely admit that I am swimming out of my depth here. I am not sure that I have selected the correct architecture or used the correct options in setting up the remote servers. I am looking for information about what
went wrong, and whether some other setup is more desirable.
Thanks for any help, Russ
Russ

Philippe, thank you for you answers. I do not understand everything you said but I will address each point as best I can:
1. "In the remote site do you simply do a dcpromo / add the ADDS's role to make the server a active Domain Controller ?" Yes, but I use the method described at
http://technet.microsoft.com/en-us/library/cc753720(v=ws.10).aspx, The GUI method. At step #8 I specified to use advanced mode so I could use the IFM file.
2. "In your AD' Site and Service MMC, do you configured the remote site ?" R do not know what you mean by this. How does one configure the site as 'remote'?
3. "Do you added that remote server as a Global catalogue ?". Yes, when I built the IFM file I specified to add the global catalog.
4. "Do you added the PC in site 1, the IP of those DNS server in them ? (last of course) So the computer in the main site will talk to the remote server in case of a crash." I am not sure I understand this item. After the remote server
was added, all of the members of both domain servers automatically appeared in the DNS of all servers in the domain. I do not recall if the new items were last, but I expect that they would be.
I have since reviewed the happenings with my associate and have a little more information. The order of the problems and the actions taken are:
1. Our primary (production) system was still working but extremely slow, and he observed that the slowness was caused by a lot of traffic with the remote site. Rebooting the production server took over 25 minutes and the server to came up saying
that domain information was not available. After another 30 minutes or so he discovered that the domain data was now available and the server worked, but still slow.
2. He did not check to verify that roles were held by the remote server, but he transferred all roles from the remote to the production server using ntdsutil. I would expect that if the role was not held by the remote, the transfer command would have
shown that fact.
3. He then tried to demote the remote server but had an error that it could not be demoted because "the active directory service is missing mandatory configuration information".
4. He forcefully demoted the remote server.
5. After rebooting the production server again performance was slightly better but still slow (and the rebood was still very slow).
6. After some research he removed the remote domain controller's meta data from the production server and then rebooted the production server again.
At that point reboot was fast (under 5 minutes) and the production system was working at normal speed again.
All of the above leads me to believe that somehow the FSMO roles got added to, or moved to the remote site when I used the IFM file to create the new domain controller. However nothing I have read says that this should happen. I hope someone
here can give me a better answer as to what caused the problem, as I do not wish to interrupt our production system like this again.
Thank you, Russ
PS: Sorry for the delay in getting back to this but some other priorities took me away from it for a week.
Russ

Windows server 2008 r2 operating system not booting in normal mode after unstalled the virus gaurd

Windows server 2008 r2 operating system is not booting in normal mode after i uninstalled the virus guard in the system. I tried to repair the system but repairing option not available in server 2008. i can log in to the system only safe mode.
Please help me to solve this issue as soon as possible .I do not have the any system backup with me .

Hi,
Regarding the issue here, please restart the computer and press F8 until you see the
advanced boot options, select start windows normally,
if it starts with no problem, please check if you have the option boot from safe mode checked:
run->type msconfig->tab boot->boot options, check if the
safe boot is selected, if yes please uncheck it. Then restart the computer to check if this problem still exists.
If the system needs repair, please take a look into the below WIKI article, and check the event viewer to see if any errors for further troubleshooting.:
Windows Server 2008 Repair Steps for No Boot Issues
http://social.technet.microsoft.com/wiki/contents/articles/4162.windows-server-2008-repair-steps-for-no-boot-issues.aspx
Hope this helps
Best regards
Michael
If you have any feedback on our support, please click
here.
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Windows Server 2008 DC Migration or NOT?

Greetings fellow Techies & Gurus....
Currently I have a physical Box which is windows 2008 Server STD DC.
What is the best way to transfer the Users & all the necessary setting to Windows 2008 R2? I was thinking should I upgrade the STD to 2008r2 or should I install another Virtual Server which is Windows 2008R2 and make it a DC and let windows 2008 STD
Server DC to populate its configuration and settings to New Windows Server 2008R2 DC. afterwords to take the windows 2008 STD DC offline, and let the Windows 2008R2 Manage the Network.
Can this be done? If yes.... is there are any documentation available I can go through the same
Basically I do not want the users to feel that there is a upgrade to migration going on and I do not want to interrupt the users as well.
Your valuable insights are appreciated.
Thanks
Nilanga

1) make sure you have at least _2_ domain controllers at any time.
2) I think it is easier to promote an aditionnal dc, move the fsmo's and demote the old one. If needed you can re-ip teh new ones to take the ip's of the old ones
3) yes, there are very nice procedures on how to do these things:
http://technet.microsoft.com/en-us/library/cc731188(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/upgrade-domain-controllers-to-windows-server-2008-r2(v=ws.10).aspx
MCP/MCSA/MCTS/MCITP

Upgrade Server 2008 Enterprise Domain Controller to Server 2012 Standard?

Hey there,
We are going to be attempting to upgrade several of our Windows Server 2008 Domain Controllers in our satellite offices from Windows Server 2008 Enterprise to Server 2012 Standard. I know the inplace upgrade will work (tried it on a member server)
but are there any caveats being that they are Domain Controllers? Contacted Microsoft and they said we shouldn't have any issues upgrading, and there is nothing special that has to be done in preparation. (I thought for sure we would have to DCPromo
down before and dcpromo up after the upgrade, but not so much, according to MS) But I figured I would check and see if anyone has done this successfully. I should mention that we already have 2, Windows Server 2012 Domain Controllers in our environment,
and one of them has the FSMO roles. Thanks in advance!

It should work with no problems. My favorite options remains always to demote the DC, re-install it completely and then promoting it again: This is just my own way to work as it makes me sure that I start with a clean base with the fresh install.
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile

Deploy Windows Server 2012 R2 domain controller in 2008 domain

Hi,
We have three physical windows 2008 enterprise with SP1 32 bit domain controllers, we need to deploy two additional windows 2012 R2 standard as virtual machines on this domain. Do we need to install SP2 on the existing Windows 2008 sp1 DCs or we are fine?
What are other requirements?

It is not required.
Just your Forest/Domain Functional level should be Windows Server 2003 or higher to be able to add Windows Server 2012 R2 DCs.
Please note that it is always recommended to have your Windows Operating Systems up-to-date to avoid known security attacks and known bugs.
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile

Server 2012 Secondary Domain Controller not picking up AD nor DNS responsibilities

I had a single Domain Controller providing AD, DNS and DHCP. I went through the steps to add a Secondary Domain Controller. All the AD and DNS info shows up in the Secondary Server, however, when my original Domain Controller is turned
off, the second Domain Controller is not taking over for AD and DNS.

Hi Bayousmurf,
Good that you made some progress. However, can you please provide us the information on how you acheived transfering FSMO role to another DC since you had some issue earlier?
Your initial intention was to demote the original DC. Please follow the below link for the steps to demote the DC.
http://technet.microsoft.com/en-in/library/jj574104.aspx
Still if I power off the original DC the new one isn't taking up DNS. Still looking into the DNS...
Can you please elaborate what exactly you are looking for? When you power off original DC, you don't see DNS in new DC? Is your DNS active directory integrated? If not please follow the below procedure to make it as a AD integrated. Once done, then, power
off original DC and look in new DC to see if DNS shows up.
http://www.tomshardware.com/faq/id-1954324/configure-active-directory-integrated-dns-zone-windows-server-2012-dns-server.html
Thanks,
Umesh.S.K

An ADO-based application that is compiled in Windows 7 SP1 or in Windows Server 2008 R2 SP1 does not run in earlier versions of Windows

I have read many articles about this problem, but I can't really see where the solution is for me.
I need to compile a Visual C++ program that uses msado15.dll. I have Windows 7 SP1 with Visual Studio 2010. I'm targeting Windows Server 2003, 2008 and 2011.
In the update text in this article: http://blogs.msdn.com/b/psssql/archive/2011/10/03/yes-we-made-a-mistake-and-are-finally-going-to-fix-it.aspx, it says that the fix is published as the article http://support.microsoft.com/kb/2640696. But at other places I
have read that you should not do this update and use the updated msado60.tlb file instead. Where can I find that file, or does it update from "Windows Update"?
I found a "fixed" file called msado60_backcompat.tlb on a blog, after using it it works on WinServer 2003 and 2008 but not on Windows Server 2011.
Any ideas how I should proceed to solve my problem?

Hi flindbys,
Thank you for posting in the MSDN forum.
Based on your description, I’m afraid that it is not the correct forum for this issue, since this forum is to discuss the VS IDE.
If this issue is related to that blog provided by you, my suggestion is that you could add a comment
here, I think you could get dedicated response there.
In addition, I also found some information like the following contents:
Thread handle leak -
http://social.msdn.microsoft.com/Forums/en/sqldataaccess/thread/68e23681-f6b5-4ed5-b963-e63e34eeac2f
http://social.msdn.microsoft.com/Forums/sqlserver/en-US/6f7a8ece-6937-4e7c-82ed-a3f6058be208/msado60backcompati386tlb-on-windows-7-iid-changes?forum=sqldataaccess
http://www.codeproject.com/Articles/225491/Your-ADO-is-broken
Whether this issue is related to the SQL Server Data Access? If it is related to it, maybe you could post this issue to this forum:
http://social.msdn.microsoft.com/Forums/sqlserver/en-US/home?forum=sqldataaccess
Anyway, since it is not the VS IDE issue, I am moving your question to the moderator forum ("Where is the forum for..?"). The owner of the forum will direct you to a right forum. Thanks for your understanding.
Best Regards,
We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
Click
HERE to participate the survey.

Windows Server 2008 R2 Domain Controller NOT logging EventID 4740

Similar Messages

Maybe you are looking for