WSUS and domain controllers

Has anyone arrived at a good GPO(s) for domain controllers to be updated by WSUS? Of course, one in which only half of the domain controllers at each facility receive the updates at one time and another half at a separate time.

Well... the conventional wisdom is that Domain Controllers should not have automated installs, but rather monitored installs. So... AUOptions = '3', and a human being to launch the installs and monitor the reboot at a time when appropriate with consideration to the other Domain Controllers.
However, if you must *schedule* these things, then you'll have to use Active Directory Security Group Filtering, create TWO GPOs for the Domain Controllers OU, and filter one GPO to one half (via Security Group 'A') and filter the other GPO to the other half (via Security Group 'B').
Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
SolarWinds Head Geek
Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
http://www.solarwinds.com/gotmicrosoft
The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.
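One way to build the two filtered GPOs the reply describes, as an added example that is not part of the original thread and not Microsoft or SolarWinds guidance. It assumes the RSAT GroupPolicy and ActiveDirectory modules, a placeholder WSUS URL (wsus.corp.example), and that the group and GPO names below are free to choose; it uses AUOptions 4 (scheduled install) because that is what the split-schedule scenario needs, while the reply's preferred setting for DCs is AUOptions 3.

```powershell
# Added example: two WSUS GPOs linked to the Domain Controllers OU, each
# security-filtered to one group, so half of the DCs at every site install
# on one schedule and the other half on another.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$wsusUrl = 'http://wsus.corp.example:8530'       # placeholder WSUS URL
$domain  = Get-ADDomain
$dcOu    = "OU=Domain Controllers,$($domain.DistinguishedName)"

# Wave group -> install day (1 = Sunday ... 7 = Saturday) and hour (0-23).
$waves = [ordered]@{
    'WSUS-DC-Wave-A' = @{ Day = 7; Hour = 2 }   # Saturday 02:00
    'WSUS-DC-Wave-B' = @{ Day = 1; Hour = 2 }   # Sunday   02:00
}

foreach ($groupName in $waves.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
        New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
            -Path "CN=Users,$($domain.DistinguishedName)" | Out-Null
    }
    $gpoName = "DC WSUS $groupName"
    if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $gpoName | Out-Null }

    # Point the DCs at the WSUS server and schedule this wave's install window.
    $wu = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    Set-GPRegistryValue -Name $gpoName -Key $wu -ValueName 'WUServer'       -Type String -Value $wsusUrl | Out-Null
    Set-GPRegistryValue -Name $gpoName -Key $wu -ValueName 'WUStatusServer' -Type String -Value $wsusUrl | Out-Null
    Set-GPRegistryValue -Name $gpoName -Key "$wu\AU" -ValueName 'UseWUServer'          -Type DWord -Value 1 | Out-Null
    # 4 = auto download and schedule the install; the reply recommends 3
    # (download and notify, a human installs) for monitored DC patching.
    Set-GPRegistryValue -Name $gpoName -Key "$wu\AU" -ValueName 'AUOptions'            -Type DWord -Value 4 | Out-Null
    Set-GPRegistryValue -Name $gpoName -Key "$wu\AU" -ValueName 'ScheduledInstallDay'  -Type DWord -Value $waves[$groupName].Day  | Out-Null
    Set-GPRegistryValue -Name $gpoName -Key "$wu\AU" -ValueName 'ScheduledInstallTime' -Type DWord -Value $waves[$groupName].Hour | Out-Null

    # Security filtering: only members of the wave group apply the GPO.
    # Authenticated Users keeps Read (not Apply) so every computer can still
    # read the GPO, which has been required since MS16-072.
    Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group -PermissionLevel GpoApply | Out-Null

    $linked = (Get-GPInheritance -Target $dcOu).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
    if (-not $linked) { New-GPLink -Name $gpoName -Target $dcOu -LinkEnabled Yes | Out-Null }
}

# Assign DCs to waves alternately within each site, so no site has all of
# its DCs rebooting in the same window. DCs already in a wave are left alone.
$groupNames = @($waves.Keys)
$assigned = @{}
foreach ($g in $groupNames) {
    Get-ADGroupMember -Identity $g | ForEach-Object { $assigned[$_.DistinguishedName] = $g }
}
Get-ADDomainController -Filter * | Group-Object Site | ForEach-Object {
    $i = 0
    foreach ($dc in ($_.Group | Sort-Object HostName)) {
        $dn = $dc.ComputerObjectDN
        if (-not $assigned.ContainsKey($dn)) {
            $assigned[$dn] = $groupNames[$i % $groupNames.Count]
            Add-ADGroupMember -Identity $assigned[$dn] -Members $dn
        }
        '{0,-12} {1,-30} -> {2}' -f $_.Name, $dc.HostName, $assigned[$dn]
        $i++
    }
}
```

A computer only picks up a new group membership in its Kerberos token after a reboot (or a purge of the machine's ticket cache), so the filtering takes effect on the next restart rather than the next gpupdate; check the result on each DC with gpresult /scope computer /r.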

Similar Messages

  • Poodle, SSL, and Domain Controllers

    Security Gurus,
    Can someone please explain to me how I can use Microsoft Network Monitor on a Domain Controller so that I can discover what applications and clients are using SSL 3.0?
    I have enabled verbose schannel logging, and with that I know there are clients/apps talking SSL 3.0, however, the event 36880 doesn't give a source address - it just says an SSL handshake completed successfully using the SSL 3.0 protocol.
    It's my hope that Network Monitor will reveal the source address of the clients/apps talking SSL 3.0.  As you might know, capturing all packets on a DC generates an enormous amount of data; I'm hoping NM has some type of filter that I can use to only capture the SSL version packets.
    Regards,
    'T'

    Senne,
    Thank you for your response.  However, I cannot disable SSLv3 because there are 3rd party applications that are dependent upon it.
    What I'm trying to accomplish is finding the source address of clients/apps that are communicating with the Domain Controllers using SSLv3.  Once I have those source addresses I can begin communicating with the clients/app owners to let them know we are disabling SSLv3.
    It's my hope that I can achieve this using Network Monitor, however, I don't know what filters to use to capture that information.
    Regards,
    'T'

  • Compatibility Exchange Server 2003 SP2 and Domain controllers Windows Server 2008 R2

    Hi all, I have this scenario:
    - Two Domain Controllers Windows Server 2003 R2 SP2
    - Two mail servers Exchange Server 2003 with the following version:
      6.5 (Build 7638.2 Service Pack 2)
    I want to upgrade my domain controllers to Windows Server 2008 R2.
    My question is whether Exchange Server 2003 6.5 (Build 7638.2 Service Pack 2) is supported with Domain Controllers Windows Server 2008 R2.
    Can you tell me some official Microsoft website where this is reflected?
    regards
    Microsoft Certified IT Professional Server Administrator

    Exchange Server 2003 SP2 supports DCs running Windows Server 2008 R2. These DCs should be RWDCs and not RODCs:
    Exchange 2003 SP2 will now be supported against writeable Windows Server 2008 R2 Active Directory Servers.  Additionally, with the General Availability of Exchange Server 2010, and those looking to standardize on Windows Server 2008 R2 we have enhanced the supportability of forest and domain functional levels up to Windows Server 2008 R2.  This change is effective immediately on Exchange 2003 SP2.
    Reference: http://blogs.technet.com/b/exchange/archive/2009/11/30/3408893.aspx
    This posting is provided AS IS with no warranties or guarantees, and confers no rights.
    Ahmed MALEK

  • Autodiscover, domain controllers, and certificate errors

    I have just deployed an Exchange 2013 server in one of my sites. I'm having tons of issues with it, but one issue I'm having trouble thinking through goes like this:
    All users have email addresses that are [email protected] Domain.com is our internal domain name and also a public domain. Now, in a Windows environment, if you were to nslookup domain.com within our network it will resolve to any one of the domain controllers. On our infrastructure master DC there is an IIS website, with SSL, that handles certificate services for our internal CA.
    Here's my problem: When a user opens Outlook and autodiscover attempts to find their Exchange connection info it first tries to reach the site
    https://domain.com/autodiscover/autodiscover.xml. If that PC happens to resolve domain.com to the DC that has our certificate services website on it then the Outlook client sends a certificate error.
    If the client is prior to Outlook 2013, the mailbox configuration just halts and throws an error.
    What do I do to prevent this?

    Hi,
    Yes, we can have the following “switchers”
    PreferLocalXML
    ExcludeHttpRedirect
    ExcludeHttpsAutoDiscoverDomain
    ExcludeHttpsRootDomain
    ExcludeScpLookup
    ExcludeSrvRecord
    ExcludeLastKnownGoodURL
    Thanks,
    Simon Wu
    TechNet Community Support

  • Audit/Log GPO changes and Logging of new addition of Domain Controllers in the Event Log

    Hi all, 
    We are trying to log the following items in the event log for Windows 2012. This applies to a domain controller.
    1) Audit any changes made to the Group Policy
    2) Log the addition of new domain controllers added to the system.
    We need the Windows event log to record the above events for security purposes. Can anyone advise if this is doable? If yes, what are the steps?
    Thank you

    Hi,
    >>1) Audit any changes made to the Group Policy
    We can enable audit for directory service object access and configure specific SACL for group policy files to do this.
    For a step-by-step guide to auditing changes of group policy, the following two blogs can be referred to for more information.
    Monitoring Group Policy Changes with Windows Auditing
    http://blogs.msdn.com/b/ericfitz/archive/2005/08/04/447951.aspx
    Auditing Group Policy changes
    http://blogs.msdn.com/b/canberrapfe/archive/2012/05/02/auditing-group-policy-changes.aspx
    >>2) Log the addition of new domain controllers added to the system.
    Based on my knowledge, when a server is successfully promoted to be domain controller, event ID 29223 will be logged in the System log.
    Regarding this point, the following thread can be referred to for more information.
    Is an Event ID for a completed Domain Controller promotion logged on the PDC?
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/11b18816-7db0-49e2-9a65-3de0e7a9645e/is-an-event-id-for-a-completed-domain-controller-promotion-logged-on-the-pdc?forum=winserverDS
    Best regards,
    Frank Shen
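The two audit trails the reply describes (directory service object access with a SACL on the Group Policy container, plus the DC promotion event it names), as an added example that is not part of the original thread and not code from the linked blogs. It assumes the RSAT ActiveDirectory module, Domain Admin rights, and that it runs on a DC; the SACL on the SYSVOL side of each GPO is an addition beyond the reply, since gpupdate reads the files there, not only the AD object.

```powershell
# Added example: enable GPO change auditing (AD object + SYSVOL files) and
# pull the resulting events, including DC promotion (System log, event 29223).
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$policiesDN = "CN=Policies,CN=System,$($domain.DistinguishedName)"
$sysvolPol  = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"
$everyone   = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'

# 1) Audit subcategories. These are set locally here for illustration; in
#    production put them in the Default Domain Controllers Policy (Advanced
#    Audit Policy Configuration) so a local change cannot silently turn them off.
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2) SACL on the Group Policy container: successful writes, creates and
#    deletes by anyone become events 5136 / 5137 / 5141 in the Security log.
$adAcl  = Get-Acl -Path "AD:\$policiesDN" -Audit
$adRule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, CreateChild, DeleteChild, Delete, DeleteTree, WriteDacl, WriteOwner',
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$adAcl.AddAuditRule($adRule)
Set-Acl -Path "AD:\$policiesDN" -AclObject $adAcl

# 3) SACL on the SYSVOL half of every GPO: modifications become event 4663.
$fsAcl  = Get-Acl -Path $sysvolPol -Audit
$fsRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone,
    [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$fsAcl.AddAuditRule($fsRule)
Set-Acl -Path $sysvolPol -AclObject $fsAcl

# Read one named field out of an event's EventData, by name rather than by
# positional index so the code does not depend on the field order.
function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# GPO object changes in the last day: who touched which policy object.
function Get-GpoChangeEvents {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137, 5141; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { (Get-EventField $_ 'ObjectDN') -like "*$policiesDN" } |
        Select-Object TimeCreated, Id,
            @{ n = 'Who';    e = { Get-EventField $_ 'SubjectUserName' } },
            @{ n = 'Object'; e = { Get-EventField $_ 'ObjectDN' } }
}

# DC promotions, using the event ID the reply gives (System log, 29223).
function Get-DcPromotionEvents {
    param([datetime]$Since = (Get-Date).AddDays(-30))
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 29223; StartTime = $Since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, MachineName, Message
}

Get-GpoChangeEvents     | Format-Table -AutoSize
Get-DcPromotionEvents   | Format-Table -AutoSize
```

Event 5136 carries the attribute name and value in further fields (AttributeLDAPDisplayName, AttributeValue), so the same Get-EventField helper can be used to see which GPO attribute changed (for example versionNumber, which increments on every edit). Because each DC writes its own Security log, collect these events centrally (event forwarding or a SIEM) rather than querying a single DC.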

  • Difference between domain controllers and group policy objects in GPMC

    Hello,
    I am confused; can someone tell me the difference between
    1. Domain controllers > Default Domain Controllers Policy and
    2. Group Policy Objects > Default Domain Controllers Policy
    in Group Policy Management Console, and also I would like to know where to define these categories. I normally use the second option.
    I have attached a screenshot for your information.
    regards,
    Dharanesh,

    This first/upper item is a link to the GPO, the second/lower item is the actual GPO.
    (notice the link, has a shortcut arrow showing)
    By default, when you double-click on a link, a message will display which says "you have clicked on a link....." and the message box offers a checkbox for "do not display this message again..."
    Effectively they are equivalent to a shortcut-to-a-file vs. the actual file.
    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

  • Impact of Domain Controllers changes on Cisco Unity Ver 7.0(2.0) and UCCX ver ver 7.0(2) and CUCM ver 7.1.5.34900-7

    Hi
    Can someone please advise me about the following question
    We are using CUCM ver 7.1.5 , Cisco Unity ver 7.0(2.0) and UCCX ver 7.0(2)
    we already have a plan to upgrade them all to the latest versions but in the mean time a need came that we have to upgrade the domain controllers as follows
    Upgrade from Windows 2003 to Windows 2008
    Domain Controller host names will change, however replacement servers will assume the IP of the old server as they are brought online.
    Similarly, once the Domain Controllers have been upgraded, the existing Certificate Authority will also be moved from Windows 2003 to Windows 2008.
    My question will be what will be the impact of this change to the above applications we are using in production
    Thank you for your feedback and comments
    Abdul

    if it is possible email me your feedback to my email as below
    [email protected]
    thank you

  • URGENT!! Demoted SBS server and now no other Domain Controllers are functioning

    Last night we were demoting a 2003 SBS in a domain. We have 3 other domain controllers that were online and appeared to be functional. All were shown in Sites and Services as GC. However, after demoting the SBS server, our other Domain controllers are not functioning as GCs or as DCs.
    I can get into Sites and Services if I let it fail when it tries to connect to the domain and then tell it to connect to the specific domain controller. But then things don't look quite right. I can't see all the tabs when I drill down to NTDS Settings and go to properties. The only tabs that show up are Security and Attribute Editor. Same thing with ADUC, I only get some of the tabs. It is like only half of AD is there.
    I need some urgent help if anyone can assist.

    Hi,
    In order to identify the cause, I suggest you run the DCDiag command on a Domain Controller, and post the results for troubleshooting:
    Dcdiag
    http://technet.microsoft.com/en-us/library/cc731968.aspx
    What does DCDIAG actually… do?
    http://blogs.technet.com/b/askds/archive/2011/03/22/what-does-dcdiag-actually-do.aspx
    Best Regards,
    Amy Wang

  • Monitor Sysvol and netlogon Share availability on domain controllers

    I need to monitor availability of the SYSVOL and NETLOGON shares on all our domain controllers, around 20 in all.
    What is the best way for us to do that?
    I have seen scripts that monitor share availability, but that would mean I create 40 such script monitors (2 per DC); that is too much manual work.
    Any advice.

    I looked into the discovered Inventory (SysVol for Windows 2008). I see all the objects,
    but the path shows as dc01.domain.com\dc01\sysvol
    However we never get notified when the sysvol share is inaccessible.
    We have had a number of cases when the DC is online but somehow we can't access the sysvol share.
    We need a monitor to alert us in such a case;
    I modified our script to include %computername% and targeted it to the all DCs group:
    Dim oAPI, oBag
    Set oAPI = CreateObject("MOM.ScriptAPI")
    Set oBag = oAPI.CreatePropertyBag()
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    strFile = "\\%computername%\sysvol\"
    If objFSO.FolderExists(strFile) Then
        Call oBag.AddValue("Status","Exist")
        Call oAPI.Return(oBag)
    Else
        Call oBag.AddValue("Status","NotExist")
        Call oAPI.Return(oBag)
    End If
    However the monitor alerted critical immediately.
    How should the monitor be?
    I thought if I put \\%computername%\sysvol\ in the script and send it to the all DCs group then it will start monitoring as \\dc01\sysvol etc.
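A share availability check over every DC in the domain, as an added example that is not part of the original post or of any SCOM management pack. It assumes the RSAT ActiveDirectory module and a monitoring tool that treats a non-zero exit code as an alert. The behaviour the poster reports is consistent with how VBScript handles the path: a string literal is never environment-expanded, so "\\%computername%\sysvol\" is tested literally and FolderExists is false on every DC; the PowerShell version below takes the host name from the directory instead of from an environment variable.

```powershell
# Added example: test SYSVOL and NETLOGON on every DC and return one row per
# share, with a timeout so an unreachable DC cannot hang the whole run.
Import-Module ActiveDirectory

function Test-DcShares {
    param(
        [string[]]$Shares = @('SYSVOL', 'NETLOGON'),
        [int]$TimeoutSeconds = 10
    )
    foreach ($dc in (Get-ADDomainController -Filter * | Sort-Object HostName)) {
        foreach ($share in $Shares) {
            $path = "\\$($dc.HostName)\$share"
            # Test-Path can block for a long time on a dead host, so run it in
            # a background job and treat a timeout as a failure.
            $job = Start-Job -ScriptBlock { param($p) Test-Path -LiteralPath $p } -ArgumentList $path
            $ok = $false
            if (Wait-Job -Job $job -Timeout $TimeoutSeconds) { $ok = [bool](Receive-Job -Job $job) }
            Remove-Job -Job $job -Force
            [pscustomobject]@{
                DC     = $dc.HostName
                Site   = $dc.Site
                Share  = $share
                Status = $(if ($ok) { 'Exist' } else { 'NotExist' })   # same values as the VBScript property bag
            }
        }
    }
}

$results = Test-DcShares
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { $_.Status -ne 'Exist' })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} share(s) unreachable: {1}" -f $failed.Count, (($failed | ForEach-Object { "$($_.DC)\$($_.Share)" }) -join ', '))
    exit 1
}
exit 0
```

Run from a single monitoring host on a schedule, this replaces the 40 per-DC monitors with one check; in SCOM the same logic would go into one script-based monitor targeted at the domain, returning the DC and share names in the property bag so the alert says which share failed.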

  • Is it possible for Windows 2008R2 Domain Controllers to audit when a programs are installed/uninstalled on clients and send alerts to Admins?

    We have a program called Audit Wizard that we used with Windows 2003 that monitored all clients and alerted my department when a program was installed/uninstalled. Since upgrading to Windows Server 2008R2, the program no longer works correctly.
    So we are wondering if it is possible for Windows 2008R2 Domain Controllers (running at a 2008R2 forest and domain level) to be able to audit when programs are installed/uninstalled on clients and send alerts to our Admins?
    If so, How?
    Thanks in advance for your help!
    Pete Macias

    Hi Pete,
    >>So we are wondering if it is possible for Windows 2008R2 Domain Controllers (running at a 2008R2 forest and domain level) to be able to audit when programs are installed/uninstalled on clients and send alerts to our Admins?
    As far as I know, group policy can't help us do this. If you are interested, we can take a look at System Center Operation Manager and ask for suggestions in the following SCOM forum.
    Operations Guide for System Center 2012 - Operations Manager
    https://technet.microsoft.com/en-us/library/hh212887.aspx
    System Center Operation Manager
    https://social.technet.microsoft.com/Forums/systemcenter/en-US/home?category=systemcenteroperationsmanager
    Best regards,
    Frank Shen 
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • DNS setup on server bound to AD and using domain controllers for DNS

    My server is bound to our AD network and in the network pref I have entered the two IPs for the domain controllers on our network that serve DNS.
    My question is, am I right not to enable/configure and start the DNS service on the Mac server since it is getting DNS already?
    If yes, how do I confirm that my Mac server is correctly listed in our domain controllers DNS? Should I be concerned that I get the following?
    knws3135:~ mactech$ sudo changeip -checkhostname
    Password:
    Primary address = 10.31.3.135
    Current HostName = knws3135.ad.ewsad.net
    The DNS hostname is not available, please repair DNS and re-run this tool.

    Hi
    It looks all OK to me? As for the hostname having capitals could pose a problem but only if the Mac Server was its own KDC. Which it is not. If the hostname is defined as you have it now in the AD's DNS Service then leave it alone.
    Sometimes even when DNS checks out OK you can still have fundamental errors that only demotion to Standalone will cure. I think this is the point that you are at now. To be honest I would do this. Judging from what you've said there would be very little to lose when you do this apart from managed preferences. These can easily be re-applied on successful promotion.
    >>needs to be changed so it is configured in Open Directory as connected to a Directory Server
    Not sure what you mean by this?
    If you have or are about to update your Server to 10.5.4 - which I recommend you do. Then you could follow this procedure:
    Demote to Standalone
    Stop all Services
    Restart the Server
    Update to 10.5.4. Restart the Server (this happens anyway)
    Make sure your Server resolves on the forward and reverse pointers (again)
    If you want run changeip again (you may be surprised)
    Use the Active Directory plug in in Directory Utility to bind the Server to the AD. Make sure you use an AD admin account that has authority to do this. De-select 'force home directory creation on startup disk' I have a feeling this will be de-selected anyway.
    After successful binding quit out of Directory Utility and launch Server Admin
    Select the Open Directory Service
    Change the role from Standalone to Open Directory Master
    Create the Directory Administrator account's username and password. Don't be tempted to change the UID or use the system admin account's user name. You can use the same password if you wish. What I've done before in the past is to create the diradmin account on the AD first with full authority for the domain.
    On successful promotion you should now see in the Overview Pane everything running apart from Kerberos which should be Stopped. This is how it should be. Apple's 10.5.4 Update has taken a lot of the donkey work out of this whole process. No need for the command line. Simply click.
    If you launch Directory Utility you should now see the server's loopback address has been added in the LDAPv3 Plugin. Also the Server should be topmost in the Search Order under the Authentication and Contacts field. Bind your clients first to the AD and then the OD (make sure use for authentication and contacts are unchecked).
    Browse the two nodes, add your groups and apply MCX in the usual way.
    Does this help?
    Tony

  • Replication and AD Domain services errors between 2 Domain Controllers

    Hi,
    I have 2 Domain Controllers (NJ-DC1-2K8 and NJ-DC2-2K8) set up in VMware Workstation 10. Recently, I've run into different errors in regards to Replication, DNS and AD Domain services. Both of my DCs are set up with static IPs pointing to each other for fault tolerance. Initially, one of my DCs had a lingering object error which I was able to fix after spending some time. The next day, when I tried to replicate the 2 DCs, the number of errors grew. I ran dcdiag and it produced a list of crazy errors that I never saw before.
    I'm a newbie to the server environment, trying to gain knowledge, so I can't get those errors sorted out even though I tried a lot. I read a lot of online articles on different forums like here on Microsoft TechNet trying to overcome this problem but it didn't work. I even removed the DNS role and re-added it but same problem. I guess removing the DNS role doesn't remove everything related to DNS. I'm going to upload pictures here of the different errors through the commands I got. I would appreciate it if someone can help me to get it fixed.
    Other than that, I also would like to know what is the best way to remove DNS and AD Domain Services and then reinstall them without demoting the server. What are some of the things I would have to keep in mind before doing that? How can I make sure that doing this wouldn't result in AD data loss like user accounts, Group Policies, computer accounts, etc.?
    Errors are as follows:
    1) C:\Users\Administrator>repadmin /syncall
        CALLBACK MESSAGE: The following replication is in progress:
        From: 66803610-2817-4853-ad3b-70c32a78c04a._msdcs.Fleet.local
        To  : 9736b2e5-a75e-4991-a481-08c0226ed1c5._msdcs.Fleet.local
        CALLBACK MESSAGE: Error issuing replication: 8451 (0x2103):
        The replication operation encountered a database error.
        From: 66803610-2817-4853-ad3b-70c32a78c04a._msdcs.Fleet.local
        To  : 9736b2e5-a75e-4991-a481-08c0226ed1c5._msdcs.Fleet.local
        CALLBACK MESSAGE: SyncAll Finished.
        SyncAll reported the following errors:
        Error issuing replication: 8451 (0x2103):
        The replication operation encountered a database error.
        From: 66803610-2817-4853-ad3b-70c32a78c04a._msdcs.Fleet.local
        To  : 9736b2e5-a75e-4991-a481-08c0226ed1c5._msdcs.Fleet.local
    2) C:\Users\Administrator>repadmin /showrepl
    Repadmin: running command /showrepl against full DC localhost
    NewJersey\NJ-DC1-2K8
    DSA Options: IS_GC
    Site Options: (none)
    DSA object GUID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
    DSA invocationID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
    ==== INBOUND NEIGHBORS ======================================
    DC=Fleet,DC=local
        NewJersey\NJ-DC2-2K8 via RPC
            DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
            Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
                The source server is currently rejecting replication requests.
            30 consecutive failure(s).
            Last success @ 2014-07-06 16:16:49.
    CN=Configuration,DC=Fleet,DC=local
        NewJersey\NJ-DC2-2K8 via RPC
            DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
            Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
                The source server is currently rejecting replication requests.
            29 consecutive failure(s).
            Last success @ 2014-07-06 16:06:25.
    CN=Schema,CN=Configuration,DC=Fleet,DC=local
        NewJersey\NJ-DC2-2K8 via RPC
            DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
            Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
                The source server is currently rejecting replication requests.
            10 consecutive failure(s).
            Last success @ 2014-07-06 15:49:54.
    DC=DomainDnsZones,DC=Fleet,DC=local
        NewJersey\NJ-DC2-2K8 via RPC
            DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
            Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
                The source server is currently rejecting replication requests.
            30 consecutive failure(s).
            Last success @ 2014-07-06 15:49:54.
    DC=ForestDnsZones,DC=Fleet,DC=local
        NewJersey\NJ-DC2-2K8 via RPC
            DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
            Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
                The source server is currently rejecting replication requests.
            19 consecutive failure(s).
            Last success @ 2014-07-06 16:10:47.
    Source: NewJersey\NJ-DC2-2K8
    ******* 30 CONSECUTIVE FAILURES since 2014-07-06 16:16:49
    Last error: 8456 (0x2108):
                The source server is currently rejecting replication requests.
    3) C:\Users\Administrator>dcdiag /replsum
    Invalid Syntax: Invalid option /replsum. Use dcdiag.exe /h for help.
    C:\Users\Administrator>repadmin /replsum
    Replication Summary Start Time: 2014-07-06 21:03:28
    Beginning data collection for replication summary, this may take awhile:
    Source DSA          largest delta    fails/total %%   error
     NJ-DC1-2K8        09d.22h:06m:34s    5 /   5  100  (8457) The destination server is currently rejecting replication requests.
     NJ-DC2-2K8            05h:13m:34s    5 /   5  100  (8456) The source server is currently rejecting replication requests.
    Destination DSA     largest delta    fails/total %%   error
     NJ-DC1-2K8            05h:13m:34s    5 /   5  100  (8456) The source server is currently rejecting replication requests.
     NJ-DC2-2K8        09d.22h:06m:34s    5 /   5  100  (8457) The destination server is currently rejecting replication requests.
    4) C:\Users\Administrator>dcdiag /test:DNS
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       Home Server = NJ-DC1-2K8
       * Identified AD Forest.
       Done gathering initial info.
    Doing initial required tests
       Testing server: NewJersey\NJ-DC1-2K8
          Starting test: Connectivity
             ......................... NJ-DC1-2K8 passed test Connectivity
    Doing primary tests
       Testing server: NewJersey\NJ-DC1-2K8
          Starting test: DNS
             DNS Tests are running and not hung. Please wait a few minutes...
             ......................... NJ-DC1-2K8 passed test DNS
       Running partition tests on : ForestDnsZones
       Running partition tests on : DomainDnsZones
       Running partition tests on : Schema
       Running partition tests on : Configuration
       Running partition tests on : Fleet
       Running enterprise tests on : Fleet.local
          Starting test: DNS
             Summary of test results for DNS servers used by the above domain controllers:
                DNS server: 128.8.10.90 (d.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
             ......................... Fleet.local passed test DNS
    5) C:\Users\Administrator>dcdiag
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       Home Server = NJ-DC1-2K8
       * Identified AD Forest.
       Done gathering initial info.
    Doing initial required tests
       Testing server: NewJersey\NJ-DC1-2K8
          Starting test: Connectivity
             ......................... NJ-DC1-2K8 passed test Connectivity
    Doing primary tests
       Testing server: NewJersey\NJ-DC1-2K8
          Starting test: Advertising
             ......................... NJ-DC1-2K8 passed test Advertising
          Starting test: FrsEvent
             ......................... NJ-DC1-2K8 passed test FrsEvent
          Starting test: DFSREvent
             There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL replication problems may cause
             Group Policy problems.
             ......................... NJ-DC1-2K8 failed test DFSREvent
          Starting test: SysVolCheck
             ......................... NJ-DC1-2K8 passed test SysVolCheck
          Starting test: KccEvent
             ......................... NJ-DC1-2K8 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... NJ-DC1-2K8 passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... NJ-DC1-2K8 passed test MachineAccount
          Starting test: NCSecDesc
             ......................... NJ-DC1-2K8 passed test NCSecDesc
          Starting test: NetLogons
             ......................... NJ-DC1-2K8 passed test NetLogons
          Starting test: ObjectsReplicated
             ......................... NJ-DC1-2K8 passed test ObjectsReplicated
          Starting test: Replications
             [Replications Check,NJ-DC1-2K8] A recent replication attempt failed:
                From NJ-DC2-2K8 to NJ-DC1-2K8
                Naming Context: DC=ForestDnsZones,DC=Fleet,DC=local
                The replication generated an error (8456):
                The source server is currently rejecting replication requests.
                The failure occurred at 2014-07-06 20:49:06.
                The last success occurred at 2014-07-06 16:10:47.
                19 failures have occurred since the last success.
                Replication has been explicitly disabled through the server options.
             [Replications Check,NJ-DC1-2K8] A recent replication attempt failed:
                From NJ-DC2-2K8 to NJ-DC1-2K8
                Naming Context: DC=DomainDnsZones,DC=Fleet,DC=local
                The replication generated an error (8456):
                The source server is currently rejecting replication requests.
                The failure occurred at 2014-07-06 21:04:16.
                The last success occurred at 2014-07-06 15:49:54.
                31 failures have occurred since the last success.
                Replication has been explicitly disabled through the server options.
             [Replications Check,NJ-DC1-2K8] A recent replication attempt failed:
                From NJ-DC2-2K8 to NJ-DC1-2K8
                Naming Context: CN=Schema,CN=Configuration,DC=Fleet,DC=local
                The replication generated an error (8456):
                The source server is currently rejecting replication requests.
                The failure occurred at 2014-07-06 20:49:06.
                The last success occurred at 2014-07-06 15:49:54.
                10 failures have occurred since the last success.
                Replication has been explicitly disabled through the server options.
             [Replications Check,NJ-DC1-2K8] A recent replication attempt failed:
                From NJ-DC2-2K8 to NJ-DC1-2K8
                Naming Context: CN=Configuration,DC=Fleet,DC=local
                The replication generated an error (8456):
                The source server is currently rejecting replication requests.
                The failure occurred at 2014-07-06 20:49:06.
                The last success occurred at 2014-07-06 16:06:25.
                29 failures have occurred since the last success.
                Replication has been explicitly disabled through the server options.
             [Replications Check,NJ-DC1-2K8] A recent replication attempt failed:
                From NJ-DC2-2K8 to NJ-DC1-2K8
                Naming Context: DC=Fleet,DC=local
                The replication generated an error (8456):
                The source server is currently rejecting replication requests.
                The failure occurred at 2014-07-06 20:49:06.
                The last success occurred at 2014-07-06 16:16:49.
                30 failures have occurred since the last success.
                Replication has been explicitly disabled through the server options.
             ......................... NJ-DC1-2K8 failed test Replications
          Starting test: RidManager
             ......................... NJ-DC1-2K8 passed test RidManager
          Starting test: Services
             ......................... NJ-DC1-2K8 passed test Services
          Starting test: SystemLog
             A warning event occurred.  EventID: 0x000003F6
                Time Generated: 07/06/2014   20:17:29
                Event String: Name resolution for the name 2.5.16.172.in-addr.arpa timed out after none of the configured DNS servers responded.
             An error event occurred.  EventID: 0x0000168E
                Time Generated: 07/06/2014   20:18:05
                Event String:
                The dynamic registration of the DNS record '9736b2e5-a75e-4991-a481-08c0226ed1c5._msdcs.Fleet.local. 600 IN CNAME NJ-DC1-2K8.Fleet.local.'
     failed on the following DNS server:
             A warning event occurred.  EventID: 0x000003F6
                Time Generated: 07/06/2014   21:04:01
                Event String: Name resolution for the name 1.0.0.127.in-addr.arpa timed out after none of the configured DNS servers responded.
             ......................... NJ-DC1-2K8 failed test SystemLog
          Starting test: VerifyReferences
             ......................... NJ-DC1-2K8 passed test VerifyReferences
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test CrossRefValidation
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test CrossRefValidation
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
       Running partition tests on : Fleet
          Starting test: CheckSDRefDom
             ......................... Fleet passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Fleet passed test CrossRefValidation
       Running enterprise tests on : Fleet.local
          Starting test: LocatorCheck
             ......................... Fleet.local passed test LocatorCheck
          Starting test: Intersite
             ......................... Fleet.local passed test Intersite
    6) C:\Users\Administrator>repadmin /showrepl NJ-DC1-2K8
    NewJersey\NJ-DC1-2K8
    DSA Options: IS_GC
    Site Options: (none)
    DSA object GUID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
    DSA invocationID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
    ==== INBOUND NEIGHBORS ======================================
    DC=Fleet,DC=local
        NewJersey\NJ-DC2-2K8 via RPC
            DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
            Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
                The source server is currently rejecting replication requests.
            30 consecutive failure(s).
            Last success @ 2014-07-06 16:16:49.
    CN=Configuration,DC=Fleet,DC=local
        NewJersey\NJ-DC2-2K8 via RPC
            DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
            Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
                The source server is currently rejecting replication requests.
            29 consecutive failure(s).
            Last success @ 2014-07-06 16:06:25.
    CN=Schema,CN=Configuration,DC=Fleet,DC=local
        NewJersey\NJ-DC2-2K8 via RPC
            DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
            Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
                The source server is currently rejecting replication requests.
            10 consecutive failure(s).
            Last success @ 2014-07-06 15:49:54.
    DC=DomainDnsZones,DC=Fleet,DC=local
        NewJersey\NJ-DC2-2K8 via RPC
            DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
            Last attempt @ 2014-07-06 21:04:16 failed, result 8456 (0x2108):
                The source server is currently rejecting replication requests.
            31 consecutive failure(s).
            Last success @ 2014-07-06 15:49:54.
    DC=ForestDnsZones,DC=Fleet,DC=local
        NewJersey\NJ-DC2-2K8 via RPC
            DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
            Last attempt @ 2014-07-06 20:49:06 failed, result 8456 (0x2108):
                The source server is currently rejecting replication requests.
            19 consecutive failure(s).
            Last success @ 2014-07-06 16:10:47.
    Source: NewJersey\NJ-DC2-2K8
    ******* 31 CONSECUTIVE FAILURES since 2014-07-06 16:16:49
    Last error: 8456 (0x2108):
                The source server is currently rejecting replication requests.
    7) C:\Users\Administrator>repadmin /showrepl NJ-DC2-2K8
    NewJersey\NJ-DC2-2K8
    DSA Options: IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL
    Site Options: (none)
    DSA object GUID: 66803610-2817-4853-ad3b-70c32a78c04a
    DSA invocationID: 3e8ee380-a165-4cef-b311-dadcf30f8406
    ==== INBOUND NEIGHBORS ======================================
    DC=Fleet,DC=local
        NewJersey\NJ-DC1-2K8 via RPC
            DSA object GUID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
            Last attempt @ 2014-07-06 21:04:22 failed, result 8457 (0x2109):
                The destination server is currently rejecting replication requests.
            53 consecutive failure(s).
            Last success @ 2014-06-26 23:01:29.
    CN=Configuration,DC=Fleet,DC=local
        NewJersey\NJ-DC1-2K8 via RPC
            DSA object GUID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
            Last attempt @ 2014-07-06 20:52:11 failed, result 8457 (0x2109):
                The destination server is currently rejecting replication requests.
            10 consecutive failure(s).
            Last success @ 2014-06-26 22:56:54.
    CN=Schema,CN=Configuration,DC=Fleet,DC=local
        NewJersey\NJ-DC1-2K8 via RPC
            DSA object GUID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
            Last attempt @ 2014-07-06 20:52:11 failed, result 8457 (0x2109):
                The destination server is currently rejecting replication requests.
            7 consecutive failure(s).
            Last success @ 2014-06-26 22:56:56.
    DC=DomainDnsZones,DC=Fleet,DC=local
        NewJersey\NJ-DC1-2K8 via RPC
            DSA object GUID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
            Last attempt @ 2014-07-06 20:52:11 failed, result 8457 (0x2109):
                The destination server is currently rejecting replication requests.
            7 consecutive failure(s).
            Last success @ 2014-06-26 22:57:01.
    DC=ForestDnsZones,DC=Fleet,DC=local
        NewJersey\NJ-DC1-2K8 via RPC
            DSA object GUID: 9736b2e5-a75e-4991-a481-08c0226ed1c5
            Last attempt @ 2014-07-06 20:52:11 failed, result 8457 (0x2109):
                The destination server is currently rejecting replication requests.
            23 consecutive failure(s).
            Last success @ 2014-06-26 22:57:03.
    Source: NewJersey\NJ-DC1-2K8
    ******* 53 CONSECUTIVE FAILURES since 2014-06-26 23:01:29
    Last error: 8457 (0x2109):
                The destination server is currently rejecting replication requests.
    Please, someone go through these different errors and walk me through exactly what I have to do to fix them.
    Thanks
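The repadmin output in steps 6 and 7 above carries a recognisable pattern: result 8456 means the partner (source) is refusing replication, 8457 means the DC you queried (destination) is refusing, and a DC reports DISABLE_INBOUND_REPL / DISABLE_OUTBOUND_REPL in its DSA options when Windows itself switched replication off after detecting a USN rollback. The following is an added example, not something posted in the thread: a hypothetical `Get-ShowReplSummary` function that parses saved `repadmin /showrepl` text (the sample is an excerpt of the step-7 output) and reports those indicators so you can see which DC was rolled back before touching anything.

```powershell
# Added example, not from the thread: parse saved 'repadmin /showrepl <DC>' text and
# surface the USN-rollback pattern. 8456 = SOURCE (partner) rejecting; 8457 = DESTINATION
# (the queried DC) rejecting; DISABLE_*_REPL DSA options are set by Windows itself when it
# detects a rollback, so the DC showing them together with 8457 is the rolled-back one.
function Get-ShowReplSummary {
    param([Parameter(Mandatory)][string[]]$ShowReplOutput)
    $dc = $null; $dsaOptions = @(); $partition = $null; $source = $null; $failures = @()
    foreach ($raw in $ShowReplOutput) {
        $t = $raw.Trim()
        if     ($t -match '^DSA Options:\s*(.*)$') { $dsaOptions = @($Matches[1] -split '\s+' | Where-Object { $_ }) }
        elseif ($t -match '^(DC=|CN=)')            { $partition = $t }            # naming context header
        elseif ($t -match '^(\S+\\\S+) via RPC$')  { $source = $Matches[1] }      # Site\Partner
        elseif ($t -match '^Last attempt @ (\S+ [\d:]+) failed, result (\d+)') {
            $failures += [pscustomobject]@{ Partition = $partition; Source = $source
                                             Attempt = $Matches[1]; Result = [int]$Matches[2]; LastSuccess = $null }
        }
        elseif ($t -match '^Last success @ (\S+ [\d:]+)' -and $failures.Count) { $failures[-1].LastSuccess = $Matches[1] }
        elseif (-not $dc -and $t -match '^\S+\\\S+$') { $dc = $t }               # first line: Site\DCName
    }
    [pscustomobject]@{
        DC                  = $dc
        DsaOptions          = $dsaOptions
        ReplicationDisabled = [bool]($dsaOptions -match 'DISABLE_(IN|OUT)BOUND_REPL')
        PartnerRejecting    = @($failures | Where-Object Result -eq 8456).Count
        SelfRejecting       = @($failures | Where-Object Result -eq 8457).Count
        FailedPartitions    = @($failures | Select-Object -ExpandProperty Partition -Unique)
        # How stale the queried DC is relative to its partner: the oldest "Last success".
        OldestLastSuccess   = ($failures.LastSuccess | Where-Object { $_ } | Sort-Object | Select-Object -First 1)
    }
}

# Sample input: an excerpt of the step-7 output from the thread (NJ-DC2-2K8).
$sample = @'
NewJersey\NJ-DC2-2K8
DSA Options: IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL
==== INBOUND NEIGHBORS ======================================
DC=Fleet,DC=local
    NewJersey\NJ-DC1-2K8 via RPC
        Last attempt @ 2014-07-06 21:04:22 failed, result 8457 (0x2109):
        Last success @ 2014-06-26 23:01:29.
'@ -split "`r?`n"
Get-ShowReplSummary -ShowReplOutput $sample | Format-List
```

For a live check, pipe `repadmin /showrepl <DC>` straight into the function; a DC with ReplicationDisabled true and SelfRejecting greater than zero is the one to treat as rolled back, and its partner is the one whose copy of the database you want to preserve.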

    Hi,
    Actually, I made copies of those VMs to my external USB 3.0 HDD, so I can load up some of the VMs from it rather than from my internal HDD, since it would freeze on my internal one sometimes. The copied ones worked fine for a few days until recently, when I started having
    these different issues. I did look at USN rollback and applied the fix; it didn't work. For the past few days, I have been spending endless hours on fixing them, but it doesn't look like they are going to be fixed. It's driving me crazy, and the bad news is that I've
    no backup of my data. I have 2 DCs and both have these issues.
    Building new domain controllers in VMs won't be a problem for me, but I'm worried about losing my AD database on both DCs, which includes user and computer accounts and a bunch of GPOs.
    I'm a newbie to the server environment. Can you please walk me through exactly how I can save the AD database, if possible, before I start doing the cleanup process on both of my DCs? I read some articles online which provide instructions on how to clean up
    the AD metadata and take both DCs offline, but it's all confusing to me. They don't explain anything about saving the AD database, only demoting bad DCs. If you know a fix for my DCs that I can apply, then I won't have to do it all over and will save time. Please let
    me know the step-by-step process, or whatever you could help me with, to bring those 2 DCs back up.
    Thanks

  • 2012 Essentials and Backup Domain Controllers

    I understand that 2012 Essentials wants to be the domain controller but what happens if I install a second one on the same network/what is the option for a backup domain controller? Is it recommended to have one 2012E and one 2012S?

    As far as I can find, you can have a second "replica" domain controller, but you can only have one Essentials box in the domain (so the replica would just be Windows Server Standard), and that must be the master server, e.g. it must own the FSMO roles.
    Check out
    http://blogs.technet.com/b/sbs/archive/2007/10/04/debunking-the-myth-about-additional-domain-controllers-replica-dcs-in-an-sbs-domain.aspx which covers many of the limitations and requirements. It doesn't relate to 2012, but I believe the same rules still
    apply.

  • Windows 2012 Domain Controllers and RC4

    We are using QualysGuard as our vulnerability scanner, and we are getting QID 38601, "SSL/TLS use of weak RC4 cipher". While we have created a GPO to disable RC4 on the 2008/2012 servers, we have 4 Domain Controllers that we haven't included in
    the GPO yet. I'm wondering if disabling RC4 on 2012 Domain Controllers will cause problems that I'm not foreseeing right now.
    Does someone out there have any knowledge of this through experience or otherwise?
    Thanks in advance.

    Hi,
    As far as I know, disabling RC4 cipher usage in SSL/TLS wouldn't affect Kerberos-related services on a Domain Controller, since the Key Distribution Center (KDC) just uses the available encryption type to encrypt tickets requested by our clients with
    RC4_HMAC_NT.
    More information for you:
    Disabling RC4 Cipher KB2868725 relation to Kerberos
    https://social.technet.microsoft.com/Forums/sqlserver/en-US/836eba80-a070-486d-98b2-69b6325cb40e/disabling-rc4-cipher-kb2868725-relation-to-kerberos?forum=winserversecurity
    Best Regards,
    Amy
    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]
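The reply's point is that the Schannel RC4 ciphers (what the scanner finding and KB2868725 are about) and the Kerberos RC4_HMAC etype are two unrelated settings on a DC. The following is an added example, not code from the thread or from Microsoft: a hypothetical read-only `Get-Rc4Posture` function that reads both knobs on the local DC so you can confirm which one a GPO actually changed before rolling it to the remaining four DCs. It assumes the documented registry locations for Schannel ciphers and for the "Network security: Configure encryption types allowed for Kerberos" policy, and should be run elevated.

```powershell
# Added example, not from the thread: show that Schannel RC4 and Kerberos RC4 are separate
# settings. Schannel ciphers live under SCHANNEL\Ciphers (Enabled = 0 disables one);
# Kerberos etypes are a bitmask written by the "Configure encryption types allowed for
# Kerberos" policy. Read-only; run elevated on the DC you are assessing.
function Get-Rc4Posture {
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    # The cipher key names contain '/', which the HKLM: drive provider treats as a path
    # separator, so the .NET registry API is used instead of Get-ItemProperty.
    $schannel = foreach ($name in 'RC4 128/128', 'RC4 56/128', 'RC4 40/128') {
        $key = $hklm.OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$name")
        $enabled = if ($key) { $key.GetValue('Enabled', $null) } else { $null }
        [pscustomobject]@{
            Cipher = $name
            # No key or value means the OS default applies, which still offers RC4 on 2008 R2/2012.
            State  = if ($null -eq $enabled) { 'default (not set)' } elseif ($enabled -eq 0) { 'disabled' } else { 'enabled' }
        }
    }
    $kerbKey = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters')
    $mask = if ($kerbKey) { $kerbKey.GetValue('SupportedEncryptionTypes', $null) } else { $null }
    # Bit values of the SupportedEncryptionTypes policy mask.
    $etypes = [ordered]@{ DES_CBC_CRC = 1; DES_CBC_MD5 = 2; RC4_HMAC_MD5 = 4; AES128_HMAC_SHA1 = 8; AES256_HMAC_SHA1 = 16 }
    $kerberos = if ($null -eq $mask) { 'policy not set (OS default: RC4 and AES allowed)' }
                else { ($etypes.GetEnumerator() | Where-Object { $mask -band $_.Value } | ForEach-Object Key) -join ', ' }
    [pscustomobject]@{
        SchannelRc4           = $schannel
        KerberosEtypes        = $kerberos
        # True when the KDC can still issue RC4 tickets regardless of the Schannel setting.
        KerberosRc4Possible   = ($null -eq $mask) -or (($mask -band 4) -ne 0)
        SchannelRc4AllOff     = @($schannel | Where-Object State -ne 'disabled').Count -eq 0
    }
}
Get-Rc4Posture | Format-List
```

A DC that reports SchannelRc4AllOff true and KerberosRc4Possible true is exactly the situation the reply describes: the scanner finding is cleared while Kerberos keeps working with RC4_HMAC.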

  • Domain Admin Account cannot logon to member servers by remote. It can only logon to Domain Controllers

    Our environment has both 2008R2 and 2012R2 Domain Controllers. Recently one of our Domain Admins started having problems logging onto all servers by remote desktop except for domain controllers. The error message is as follows:
    "To log on to this remote computer, you must be granted the Allow log on through Terminal
    Services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote
    Desktop Users group or another group that has this right, or if the Remote Desktop Users group does not have this right, you must be granted this right manually"
    All the other Domain Admin accounts do not have this problem. Suggested solutions recommend checking local policies on the individual servers; however, I feel that is not
    right. Also, there are many servers, hence doing that on each member server would be cumbersome. There must be a solution that requires a single action for all servers and also does not involve creating a new account. The account was recently used to implement
    a Windows 2012R2 WSUS server and, besides the DCs, it is the only other server the account can remote into. This is strange. Help please.

    Hi,
    Did that user have permission for remote logon before?
    To start with, there are two types of user rights: logon rights and privileges. In simpler terms these are:
    1) Remote Logon: rights to machine
    2) Logon: privileges for access to the RDP-TCP Listener
    The Remote Logon is governed by the “Allow Logon through Terminal Services” group policy. This is under
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
    Also check RDP-TCP listener properties. More information.
    “Allow Logon through Terminal Services” group policy and “Remote Desktop Users” group.
    http://blogs.technet.com/b/askperf/archive/2011/09/09/allow-logon-through-terminal-services-group-policy-and-remote-desktop-users-group.aspx
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]
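The right the reply names, "Allow log on through Terminal Services" (internally SeRemoteInteractiveLogonRight), is the one whose absence produces the exact error message quoted in the question; its deny counterpart, SeDenyRemoteInteractiveLogonRight, wins over it when both list the same principal. The following is an added example, not from the thread: a hypothetical `Get-RemoteLogonRights` function that exports the effective user-rights assignment of the machine it runs on with `secedit`, resolves the SIDs, and reports who holds each of those two rights, so the single affected account can be compared against them. It assumes elevation and is meant to be fanned out with Invoke-Command rather than visited server by server.

```powershell
# Added example, not from the thread: read the effective "Allow/Deny log on through
# Remote Desktop Services" assignments on this server. secedit exports the current
# policy (local + applied GPOs) as an .inf; the two rights appear there as SID lists.
function Get-RemoteLogonRights {
    param([string]$Account = "$env:USERDOMAIN\$env:USERNAME")   # account to look for
    $cfg = Join-Path $env:TEMP 'user-rights-export.inf'
    secedit /export /cfg "$cfg" /areas USER_RIGHTS | Out-Null   # requires elevation
    $lines = Get-Content $cfg
    Remove-Item $cfg -ErrorAction SilentlyContinue
    foreach ($right in 'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
        $line = $lines | Where-Object { $_ -like "$right*" } | Select-Object -First 1
        $holders = @()
        if ($line) {
            # Format: SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
            $holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
                $id = $_.Trim().TrimStart('*')
                try { (New-Object System.Security.Principal.SecurityIdentifier($id)).Translate(
                          [System.Security.Principal.NTAccount]).Value }
                catch { $id }   # entry was a name already, or an unresolvable SID
            }
        }
        [pscustomobject]@{
            Computer       = $env:COMPUTERNAME
            Right          = $right
            Holders        = @($holders)
            # Direct listing only; membership of a listed group still has to be checked in AD.
            ListsAccount   = @($holders) -contains $Account
        }
    }
}
Get-RemoteLogonRights | Format-Table -AutoSize
```

Run it across the member servers with `Invoke-Command -ComputerName (list) -ScriptBlock ${function:Get-RemoteLogonRights}` and compare: an account appearing under the deny right, or an allow right that no longer lists Remote Desktop Users or Administrators, explains the message without touching each server's local policy by hand.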
