[ActiveDir] cleanup AD connections after move server to different site

2003-11-13 Thread Rittenhouse, Cindy

A computer consultant in a remote dept decided to promote his member server
to a DC without telling anyone in advance. Since the dept was part of the
default first site, that is where the DC was placed. Not good. Users started
authenticating across the WAN. I created a site for that dept, linked the
subnet, and moved the server. All seems to be well, but the original Active
Directory RPC connections to the other servers in the first site are still
listed under the server NTDS settings. I'm having difficulty finding
documentation on how to clean up or remove these settings. Can someone point
me in the right direction.
Thanks

Cynthia Rittenhouse  MCSE,CCNA
LAN Administrator
County of Lancaster
Lancaster, PA 17602
Phone: (717)293-7274

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] cleanup AD connections after move server to different site

2003-11-14 Thread Rittenhouse, Cindy
Excellent, thank you

-Original Message-
From: Jef Kazimer [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 13, 2003 15:58
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: re: [ActiveDir] cleanup AD connections after move server to
different site


Cindy,

Verify the Subnet data is replicated, and then trigger the KCC (repadmin
/kcc or in Replmon).

You can just delete the connection that was created by the KCC, and when it
runs again it will add them if needed.

If you moved it to a new site, and you created the proper site-link, it
will need a connection to the other site BTW.

Jef

Original Message:
>From: "Rittenhouse, Cindy" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: [ActiveDir] cleanup AD connections after move server to different site
>Date: Thu, 13 Nov 2003 15:50:01 -0500
>
>A computer consultant in a remote dept decided to promote his member server
>to a DC without telling anyone in advance. Since the dept was part of the
>default first site, that is where the DC was placed. Not good. Users started
>authenticating across the WAN. I created a site for that dept, linked the
>subnet, and moved the server. All seems to be well, but the original Active
>Directory RPC connections to the other servers in the first site are still
>listed under the server NTDS settings. I'm having difficulty finding
>documentation on how to clean up or remove these settings. Can someone point
>me in the right direction.
>Thanks
>
>Cynthia Rittenhouse  MCSE,CCNA
>LAN Administrator
>County of Lancaster
>Lancaster, PA 17602
>Phone: (717)293-7274


RE: [ActiveDir] Policy to distribute domain wide HOSTS file

2003-12-30 Thread Rittenhouse, Cindy
Jeff,
If you are sure you don't want to go the DNS route (which would be my first
choice), we have done this by creating the host file, placing it in the
sysvol\domain\scripts folder, creating a .bat file in the scripts folder to
"copy \\dcxx\sysvol\yourdomain\scripts\hosts c:\winnt\system32\drivers\etc",
and calling the .bat file from the user's logon script. It's not very
glamorous, but it worked.

-Original Message-
From: Dolphin, Jeff [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 30, 2003 11:44
To: 'ActiveDir ([EMAIL PROTECTED])
Subject: [ActiveDir] Policy to distribute domain wide HOSTS file


Either I've been hit with the stupid stick or I'm looking in the wrong
place!  Can anyone assist me in creating a policy to add an entry to the
HOSTS file on our domain computers?  Thank you for any help...


[ActiveDir] kerberos srv records not created

2003-12-30 Thread Rittenhouse, Cindy

A consultant at a remote site attempted to DCPROMO a W2K server with the
authoritative domain DNS server listed as secondary and an external ISP DNS
server as primary. I am amazed that Active Directory actually installed,
even in the correct site, but now he can't logon to the server. In examining
my DNS records, the DC registered its ldap srv records, but not the kerberos
or kpasswd records. Can I manually go ahead and create these srv records or
should I try to remove active directory and then dcpromo again?
Thanks 

Cynthia Rittenhouse  MCSE,CCNA
LAN Administrator
County of Lancaster
Lancaster, PA 17602
Phone: (717)293-7274



[ActiveDir] OT-E2K3 migration

2004-06-01 Thread Rittenhouse, Cindy
I have an Exchange 5.5 organization with 2 sites. The first site is W2K
native mode and ready to be migrated to E2K3, but the second site is still a
Windows NT 4.0 domain. I'm not exactly clear on what the effects of
migrating the first site Exchange servers to E2K3 will have on the second
site Exchange 5.5 server. Will they still be able to communicate, or do I
have to wait until the Windows NT 4.0 domain gets upgraded? There is a trust
in place between the domains.

Cynthia Rittenhouse  MCSE,CCNA
LAN Administrator
County of Lancaster
Lancaster, PA 17602
Phone: (717)293-7274



[ActiveDir] OT - peculiar permissions

2004-06-29 Thread Rittenhouse, Cindy
Hi,
I have a permissions issue. We recently moved a Novell 5.1 server to a
Windows 2000 server in a Windows 2000 AD. We backed up the files from the
NetWare server to tape (Backup Exec) and restored to the W2K server. We gave
a user full control to a folder, there are no deny permissions set. When you
view the security tab on the folder properties, she is listed with full
control. This user is still unable to rename or even create a file or
folder. The response is she does not have sufficient rights. Has anybody
else had a similar problem?
Thanks

Cynthia Rittenhouse  MCSE,CCNA
LAN Administrator
County of Lancaster
Lancaster, PA 17602
Phone: (717)293-7274



RE: [ActiveDir] OT - peculiar permissions

2004-06-29 Thread Rittenhouse, Cindy
Yes, tried that first. The strange thing is when I check the user's effective
permissions on the folder, she has full control.

-Original Message-
From: James Payne [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 29, 2004 13:56
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] OT - peculiar permissions


Have you tried to reset the permissions on the files in that folder?


"Rittenhouse, Cindy" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
06/29/2004 01:49 PM
Please respond to [EMAIL PROTECTED]

To: [EMAIL PROTECTED]
cc:
Subject: [ActiveDir] OT - peculiar permissions

Hi,
I have a permissions issue. We recently moved a Novell 5.1 server to a
Windows 2000 server in a Windows 2000 AD. We backed up the files from the
NetWare server to tape (Backup Exec) and restored to the W2K server. We gave
a user full control to a folder, there are no deny permissions set. When you
view the security tab on the folder properties, she is listed with full
control. This user is still unable to rename or even create a file or
folder. The response is she does not have sufficient rights. Has anybody
else had a similar problem?
Thanks

Cynthia Rittenhouse  MCSE,CCNA
LAN Administrator
County of Lancaster
Lancaster, PA 17602
Phone: (717)293-7274



[ActiveDir] unable to change default domain policy security settings

2005-04-05 Thread Rittenhouse, Cindy




Our agency recently adopted a new security policy that required changes to the
default domain policy security settings, specifically the password policy and
account lockout policy. I have changed the policy several times, but it keeps
reverting back to the previous policy. We have 4 DCs, yesterday I set the policy
on DC3 and forced a replication to DC1, DC2, and DC4. I checked each DC and the
settings were correct. This morning the policy had reverted to the old settings.
I am at a loss. How do I find out what is causing the policy to reset itself to
the old settings?

Thanks in Advance

Cynthia Rittenhouse, MCSE
Network Administrator
County of Lancaster
Lancaster, PA 17602


RE: [ActiveDir] DNS Inconsistency

2003-02-21 Thread Rittenhouse, Cindy
This may be a little simplistic and naive, but if you didn't maintain
reverse lookup zones, the problem would be eliminated. What would the
repercussions be to maintaining only forward lookup zones on an internally
used DNS?

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 18, 2003 15:19
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS Inconsistency


We run with Secure Updates only on all our zones. If you either don't want
Win9x and NT clients listed, or if you don't have any of those clients, then
you're all set.

Alternately, you can set the DHCP server to register on behalf of the
downlevel clients, which also doesn't cause any issues. In either case,
there is no need for the DNS Proxy group membership to be modified.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA


> -Original Message-
> From: Todd Povilaitis [mailto:[EMAIL PROTECTED]] 
> Sent: Tuesday, February 18, 2003 1:22 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] DNS Inconsistency
> 
> 
> Is this also true where only secure updates are allowed for 
> the server or zone?  One of the immediate effects of allowing 
> only secure updates (in addition to scavenging) was the 
> removal of all non-member (9x, NT) machine's A records from 
> the zone.  This is what we wanted.
> 
> -Original Message-
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 18, 2003 10:07
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] DNS Inconsistency
> 
> 
> Your second statement, about the DNS proxy group, is only true for
> supporting downlevel clients. In addition, it opens up some new and
> interesting security issues, because now your DHCP servers can inject ANY
> record they want into DNS, including bogus DC and GC records.
> 
> --
> Roger D. Seielstad - MCSE
> Sr. Systems Administrator
> Inovis - Formerly Harbinger and Extricity
> Atlanta, GA
> 
> 
> > -Original Message-
> > From: Todd Povilaitis [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, February 17, 2003 11:57 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] DNS Inconsistency
> > 
> > 
> > I had the very same problem.  It was affecting my scripts 
> > because I wasn't connecting to the machines I thought I was. 
> > 
> > * You need to enable DNS scavenging.  Don't set anything 
> > below 48 hours.
> > * If you are using DHCP, add your DHCP servers to the 
> > DnsUpdateProxy group.
> > 
> > -Todd
> > 
> > -Original Message-
> > From: Oluwaseyi Owoeye [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, February 17, 2003 05:32
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] DNS Inconsistency
> > 
> > 
> > Hi Guys,
> > 
> > I am having a major problem in my organization over here. I 
> > have set up active directory for about 800 users and about 
> > 500 workstations. But for some reasons or the other my DNS 
> > seems to be misbehaving.
> > When I ping a host I get a reply from a particular IP 
> > address, but when I do a ping -a of the same IP address I get 
> > an entirely different host. For some reason or the other the 
> > record I have in my forward lookup zones and my reverse 
> > lookup zones are not synchronized.
> > Is there any way I can resolve this inconsistency because it 
> > gets worse and worse everyday. Is there any tool I can use to 
> > correct this.
> > 
> > Thanks
> > Seyi
> > 
> > 
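
The forward/reverse disagreement described in this thread (a name pings to one address, while `ping -a` on that address returns a different host) can be found in bulk by cross-checking exported zone data. This is an added example, not part of the original messages; the zone text, the host names and the `corp.example` domain are constructed for illustration.

```python
"""Cross-check forward (A) and reverse (PTR) records for disagreement."""
from collections import defaultdict
import ipaddress

# Constructed sample data: hypothetical hosts on RFC 1918 addresses.
DOMAIN = "corp.example"
FORWARD_ZONE = """
ws101   A   10.1.20.31
ws102   A   10.1.20.32
ws103   A   10.1.20.32
ws104   A   10.1.20.40
srv01   A   10.1.10.5
"""
REVERSE_ZONE = """
31.20.1.10.in-addr.arpa.   PTR   ws099.corp.example.
32.20.1.10.in-addr.arpa.   PTR   ws102.corp.example.
5.10.1.10.in-addr.arpa.    PTR   srv01.corp.example.
"""


def parse_records(text, rtype):
    """Yield (owner, rdata) for 'owner TYPE rdata' lines of the given type.

    Names are lowercased and the trailing dot is stripped so that
    'WS102.corp.example.' and 'ws102.corp.example' compare equal.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1].upper() == rtype:
            yield parts[0].rstrip(".").lower(), parts[2].rstrip(".").lower()


def audit(forward_text, reverse_text, domain):
    """Return a list of (kind, ip, names) findings.

    shared-ip     several host names hold an A record for one address
                  (typical of a stale record left behind by a lease change)
    no-ptr        the address has an A record but no PTR record
    ptr-mismatch  the PTR record names a different host than the A record
                  (the 'ping -a returns another machine' symptom)
    """
    ptr = defaultdict(set)  # reverse owner name -> host names it points to
    for owner, target in parse_records(reverse_text, "PTR"):
        ptr[owner].add(target)

    hosts_by_ip = defaultdict(set)  # address -> fully qualified host names
    for host, ip in parse_records(forward_text, "A"):
        fqdn = host if host.endswith("." + domain) else f"{host}.{domain}"
        hosts_by_ip[str(ipaddress.ip_address(ip))].add(fqdn)

    findings = []
    for ip, hosts in sorted(hosts_by_ip.items()):
        if len(hosts) > 1:
            findings.append(("shared-ip", ip, sorted(hosts)))
        # reverse_pointer turns 10.1.20.31 into 31.20.1.10.in-addr.arpa
        names = ptr.get(ipaddress.ip_address(ip).reverse_pointer, set())
        for host in sorted(hosts):
            if not names:
                findings.append(("no-ptr", ip, [host]))
            elif host not in names:
                findings.append(("ptr-mismatch", ip, [host] + sorted(names)))
    return findings


if __name__ == "__main__":
    for kind, ip, names in audit(FORWARD_ZONE, REVERSE_ZONE, DOMAIN):
        print(f"{kind:13} {ip:12} {', '.join(names)}")
```
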



[ActiveDir] AD and DNS Reverse Lookup Zones

2003-03-03 Thread Rittenhouse, Cindy

In our organization, our internal DNS server does not maintain reverse
lookup zones. It has always been that way and since we have never had any
issues, my manager sees no need to change. We are preparing to upgrade our NT
domain to AD. Are there any specific reasons requiring reverse lookup zones
in AD? What are the implications of continuing with only Forward Lookup
Zones?
Any input is appreciated.
Thanks

Cynthia Rittenhouse  MCSE,CCNA
LAN Administrator
County of Lancaster
Lancaster, PA 17602




[ActiveDir] bogus DNS entries

2003-06-09 Thread Rittenhouse, Cindy
Please help. I have 3 servers, in 2 different domains that keep showing up
in DNS with both their correct ip address and an entry with ip address
192.168.234.235. I keep deleting these entries, but they keep reappearing.
There must be some significance to this ip address. Does anyone have an idea
where it may be coming from, or how I can permanently delete the entry. I
have DNS running on a W2K server, it is not AD integrated. These servers do
have 2 NICs, but the unused NIC has been disabled. Most of my servers have 2
NICs, but the problem is only with these 3. They are all W2K servers.
Thanks

Cynthia Rittenhouse  MCSE,CCNA
LAN Administrator
County of Lancaster
Lancaster, PA 17602
Phone: (717)293-7274



RE: [ActiveDir] bogus DNS entries

2003-06-09 Thread Rittenhouse, Cindy
No, I can not ping it and nbtstat results host not found.

-Original Message-
From: Bryan Schlegel [mailto:[EMAIL PROTECTED]
Sent: Monday, June 09, 2003 13:18
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] bogus DNS entries


Can you run nbtstat -a 192.168.234.235 from the command line, can you
ping the number?

-Original Message-
From: Rittenhouse, Cindy [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 09, 2003 1:12 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] bogus DNS entries


Please help. I have 3 servers, in 2 different domains that keep showing
up in DNS with both their correct ip address and an entry with ip
address 192.168.234.235. I keep deleting these entries, but they keep
reappearing. There must be some significance to this ip address. Does
anyone have an idea where it may be coming from, or how I can
permanently delete the entry. I have DNS running on a W2K server, it is
not AD integrated. These servers do have 2 NICs, but the unused NIC has
been disabled. Most of my servers have 2 NICs, but the problem is only
with these 3. They are all W2K servers. Thanks

Cynthia Rittenhouse  MCSE,CCNA
LAN Administrator
County of Lancaster
Lancaster, PA 17602
Phone: (717)293-7274



RE: [ActiveDir] bogus DNS entries

2003-06-09 Thread Rittenhouse, Cindy
Thank you very much, this is exactly my problem, all 3 of these servers have
DRACIII cards.

-Original Message-
From: Bryan Schlegel [mailto:[EMAIL PROTECTED]
Sent: Monday, June 09, 2003 13:37
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] bogus DNS entries


Sorry I don't have too much, check these links out.  Maybe KB article
Q292822 could help you out.

http://support.microsoft.com/?kbid=292822
http://support.ap.dell.com/docs/software/smdrac3/RAC/en/readme/read33.txt

"* Due to functional details that are specific to Windows Dynamic DNS
  servers, the RAC internal PPP IP address is broadcast to the Dynamic
  DNS service on servers running Windows 2000. The Dynamic DNS service
  stores that particular IP address in its DNS lookup table and associates
  it with the name of the system that hosts the RAC. This action causes
  problems with Active Directory under Windows. The default value for a
  RAC's internal PPP IP address is 192.168.234.235, but the address can
  be changed by the user. This issue is a known problem, and there is an
  article and a hot fix available from Microsoft. The article is Q292822.
  Downloading the fix and implementing the steps in the article solves
  the problem."


-Original Message-----
From: Rittenhouse, Cindy [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 09, 2003 1:22 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] bogus DNS entries


No, I can not ping it and nbtstat results host not found.

-Original Message-
From: Bryan Schlegel [mailto:[EMAIL PROTECTED]
Sent: Monday, June 09, 2003 13:18
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] bogus DNS entries


Can you run nbtstat -a 192.168.234.235 from the command line, can you
ping the number?

-----Original Message-
From: Rittenhouse, Cindy [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 09, 2003 1:12 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] bogus DNS entries


Please help. I have 3 servers, in 2 different domains that keep showing
up in DNS with both their correct ip address and an entry with ip
address 192.168.234.235. I keep deleting these entries, but they keep
reappearing. There must be some significance to this ip address. Does
anyone have an idea where it may be coming from, or how I can
permanently delete the entry. I have DNS running on a W2K server, it is
not AD integrated. These servers do have 2 NICs, but the unused NIC has
been disabled. Most of my servers have 2 NICs, but the problem is only
with these 3. They are all W2K servers. Thanks

Cynthia Rittenhouse  MCSE,CCNA
LAN Administrator
County of Lancaster
Lancaster, PA 17602
Phone: (717)293-7274



RE: [ActiveDir] bogus DNS entries

2003-06-09 Thread Rittenhouse, Cindy
Apparently, Dell has a fix for this problem on their 2650 servers. Check the
Dell Premier site for BR57110.exe.

-Original Message-
From: Wright, T. MR NSSB [mailto:[EMAIL PROTECTED]
Sent: Monday, June 09, 2003 14:52
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] bogus DNS entries


I actually have the same exact problem with a Dell PE server...  I tried
disabling the DRAC during boot as I thought that may be the cause and that
was no help.  I also  tried disabling Dynamic DNS registration on that
interface after I read this KB article
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q246804 and that
didn't help.
I just tried what John Bjelke suggested except that I just disabled
the "hidden interfaces" rather than remove them and that seems to have done
the job.  Thanks for the suggestions.

Thanks,

-Tim Wright


-Original Message-
From: Bryan Schlegel [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 09, 2003 1:37 PM
To: [EMAIL PROTECTED]

Sorry I don't have too much, check these links out.  Maybe KB article
Q292822 could help you out.

http://support.microsoft.com/?kbid=292822
http://support.ap.dell.com/docs/software/smdrac3/RAC/en/readme/read33.txt

"* Due to functional details that are specific to Windows Dynamic DNS
  servers, the RAC internal PPP IP address is broadcast to the Dynamic
  DNS service on servers running Windows 2000. The Dynamic DNS service
  stores that particular IP address in its DNS lookup table and associates
  it with the name of the system that hosts the RAC. This action causes
  problems with Active Directory under Windows. The default value for a
  RAC's internal PPP IP address is 192.168.234.235, but the address can
  be changed by the user. This issue is a known problem, and there is an
  article and a hot fix available from Microsoft. The article is Q292822.
  Downloading the fix and implementing the steps in the article solves
  the problem."


-Original Message-
From: Rittenhouse, Cindy [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 09, 2003 1:22 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] bogus DNS entries


No, I can not ping it and nbtstat results host not found.

-Original Message-
From: Bryan Schlegel [mailto:[EMAIL PROTECTED]
Sent: Monday, June 09, 2003 13:18
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] bogus DNS entries


Can you run nbtstat -a 192.168.234.235 from the command line, can you
ping the number?

-Original Message-
From: Rittenhouse, Cindy [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 09, 2003 1:12 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] bogus DNS entries


Please help. I have 3 servers, in 2 different domains that keep showing
up in DNS with both their correct ip address and an entry with ip
address 192.168.234.235. I keep deleting these entries, but they keep
reappearing. There must be some significance to this ip address. Does
anyone have an idea where it may be coming from, or how I can
permanently delete the entry. I have DNS running on a W2K server, it is
not AD integrated. These servers do have 2 NICs, but the unused NIC has
been disabled. Most of my servers have 2 NICs, but the problem is only
with these 3. They are all W2K servers. Thanks

Cynthia Rittenhouse  MCSE,CCNA
LAN Administrator
County of Lancaster
Lancaster, PA 17602
Phone: (717)293-7274



[ActiveDir] AD upgrade

2003-07-01 Thread Rittenhouse, Cindy
I finally have a date set for my AD upgrade. It will be an in-place upgrade
of our NT domain. I've done this procedure 3 times in my test lab and I'm
95% confident. What I don't know is what impact the upgrade process will
have on our end users accessing network resources during the upgrade
process. DHCP and WINS are on member servers, but our DNS server will be
promoted to a DC immediately after the PDC upgrade is complete. Are there
any specific issues I should be aware of? I have a 7x24 network (don't we
all), so taking the network down is not a viable option.
Thanks

Cynthia Rittenhouse  MCSE,CCNA
LAN Administrator
County of Lancaster
Lancaster, PA 17602





RE: [ActiveDir] AD upgrade

2003-07-02 Thread Rittenhouse, Cindy
Brenda,
Thank you. I had no specific issues of concern. I was just looking for
feedback from someone who had gone through the process, something to give me
a little heads up on what the users may experience during the upgrade.

-Original Message-
From: Brenda Frazier [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 01, 2003 19:35
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD upgrade 


Cindy,

We were in a similar situation.  We did our upgrade on a Saturday morning
advising our users there would be periodic, but short outages as we were
upgrading the domain.  As long as one NT4 domain controller and DNS/WINS
server was available, all were happy.  Unless your PDC and DNS servers have
resources the users need access to, the users probably won't notice anything
until they see the Directory icon show up under My Network Places\Entire
Network, providing you aren't immediately using and applying GPOs.

Monday morning the users came in and logged on using their usual
(Pre-Windows 2000) logon with no problems.  We stayed in mixed mode for a
few months until we were able to retire the NT4 DCs.  Only the very
observant noticed security policies were being applied to the workstations
as they started finding the AD domain controllers.  The other thing that
cropped up was we had to remind the users not to change their password while
logged on to multiple machines.

Do you have a particular issue you are concerned with?

Brenda Frazier
Systems Engineer

Belkin Corporation
Information Services
310 604-2030
310 604-2022 fax
www.belkin.com


-Original Message-----
From: Rittenhouse, Cindy [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 01, 2003 6:38 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD upgrade 


I finally have a date set for my AD upgrade. It will be an in-place upgrade
of our NT domain. I've done this procedure 3 times in my test lab and I'm
95% confident. What I don't know is what impact the upgrade process will
have on our end users accessing network resources during the upgrade
process. DHCP and WINS are on member servers, but our DNS server will be
promoted to a DC immediately after the PDC upgrade is complete. Are there
any specific issues I should be aware of? I have a 7x24 network (don't we
all), so taking the network down is not a viable option.
Thanks

Cynthia Rittenhouse  MCSE,CCNA
LAN Administrator
County of Lancaster
Lancaster, PA 17602





[ActiveDir] Anonymous Logon

2003-08-04 Thread Rittenhouse, Cindy
I successfully upgraded my NT domain to AD yesterday. I now find my DC
security log on the PDC emulator filling  up twice a day. It is set to 2048
KB, do not overwrite (I have to save them for 3 years). The majority of
events are Anonymous logons. Is it normal to have this quantity of Anonymous
logons? 

Cynthia Rittenhouse  MCSE,CCNA
LAN Administrator
County of Lancaster
Lancaster, PA 17602
Phone: (717)293-7274



RE: [ActiveDir] Anonymous Logon

2003-08-06 Thread Rittenhouse, Cindy
Does anyone have any experience with MonitorWare? Since I'll need a syslog
server, I'd like one that will also work with the logs on our Cisco devices.

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 23:03
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous Logon


Cindy,

If you're going to have to keep all audit entries, you're going to have a
tough time.  I can help decipher these records for you (I do a lot of
this!), but in a nutshell you've recorded a successful logoff (the Event
538) and a successful network logon via the Kerberos authentication package
by the user PSDC1 - who looks to be a machine.  In fact, one of your DCs.
Yes, they do logon and logoff of the domain - typically to connect to
services that it needs.  This one (the Event 540) was a logon to the domain,
where the previous was not a logoff from the domain proper.

A Logon type 3 tells you that it was via the network, while a type 2 is
interactive (too bad you can't tell if it was actually at the console).
Less common types are 4 (batch), 5 (service), 7 (unlocked workstation), 8
(plaintext password) or 9 (impersonated logon). 

The Logon process and authentication package notes what type of process was
spawned to authenticate the user from the point it connected to the session
through authentication.  You might see Kerberos (network), NTLM (network),
or User32/Negotiate (Local).  Realm associated events to MIT Kerberos realms
should record as Kerberos authentication.

Bottom line:  Ignore the SYSTEM (usually a service doing what it needs) and
the machine name events logging on.  They are irrelevant and generally
service and process related to normal operation of the network.  Do,
however, take note of the user logon and logoffs.  The Logon ID field will
stay with the user from Logon through the logoff of this session.  You
should be able to always associate a 540 Event to a corresponding 538 Event.
However, be vigilant that a 538 is not always the same.  One might indicate
a network logoff, one might indicate a net use disconnection and another
might record an Interactive logoff or an auto disconnect.

As to what to do about spurious events that mean nothing when dealing with
user activity, I'd suggest a more manageable solution such as a syslog
server for Windows events and filter the records that you want going to the
syslog server.  This not only collects all of the server's audit events at
one place but also allows you to get rid of the events that play no part in
true auditing of the server.

Do a Google search on Windows Syslog and you'll find a number of options -
one of which should suit.

Hope this helps!

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
Sent: Tuesday, August 05, 2003 3:03 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Anonymous Logon

Rick,
The security logs in question are on my Windows 2000 domain controllers,
PSDC1 and PSDC2. When I Audit Logon Events, the log fills with Event 538 NT
Authority\Anonymous Logon User Logoff:
User Name:  ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID:   (0x0,0xCB82F)
Logon Type: 3

 and Event 540 NT Authority\System Logons Successful Network Logon:
User Name:  PSDC1$
Domain: LC_POLICE
Logon ID:   (0x0,0xCBE63)
Logon Type: 3
Logon Process:  Kerberos
Authentication Package: Kerberos
Workstation Name:   

These don't appear to give me any specific information. 

I need to keep records for 3 years that show when a user logged onto the
network and from which workstation. When I audit Account Logon, I get the
information, but the user is always System, so there is no easy way to
filter for a specific user name. When I use Audit Logon events, I can filter
by user name, but I'm filling 75% of the log with Anonymous and System
logons. I'm generating about 8MB of security log daily between the two DCs,
so I'm not sure what is the most efficient way to configure the audit policy
on my DCs. It seems that either way, the logs fill with quite a bit of
basically useless information.


-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Monday, August 04, 2003 18:26
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous Logon


Cindy,

My initial thought on this, understanding the process, is that everyone is
Anonymous when they first hit the server.  A record of this 'anonymous'
access is made, and the process continues where you actually identify
yourself.  

Clearly, this is going to be different if you are running a web server,
where the access might be mostly anonymo

RE: [ActiveDir] Anonymous Logon

2003-08-08 Thread Rittenhouse, Cindy
Thanks to all for the references and responses. I think I'm on the right
path, I've ordered the MonitorWare.

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 00:22
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous Logon


Nope - MonitorWare.  Tested it and it worked well in the homogenous
environment.  Fairly configurable and it will allow me to use eventcomb
first to determine what logs I want to send.  This way I can get rid of the
Service and SYSTEM related events and the extraneous 'crap' (technical term,
you know) that has absolutely nothing to do with anything of value.

http://www.eventreporter.com/en/

Regards,

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, August 07, 2003 8:14 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Anonymous Logon

How are you sending the Windows event logs to a syslog server? Is that Kiwi
as well?

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 06, 2003 7:19 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Anonymous Logon
> 
> 
> Cindy,
> 
> I've evaluated and have recommended MonitorWare to our Security 
> Director for the needs of our environment which is combined Enterprise 
> with Cisco, Windows, Unix (all flavors) ACDs, and Tandem systems.
> 
> Clearly, our ability to send syslog formatted logs makes sense, as 
> we're not the only players, just a bit more adaptable.
> 
> Rick Kingslan  MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, 
> Cindy
> Sent: Wednesday, August 06, 2003 3:11 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Anonymous Logon
> 
> Does anyone have any experience with MonitorWare? Since I'll need a 
> syslog server, I'd like one that will also work with the logs on our 
> Cisco devices.
> 
> -Original Message-
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 05, 2003 23:03
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Anonymous Logon
> 
> 
> Cindy,
> 
> If you're going to have to keep all audit entries, you're going to 
> have a tough time.  I can help decipher these records for you (I do a 
> lot of this!), but in a nutshell you've recorded a successful logoff 
> (the Event
> 538) and a successful network logon via the Kerberos authentication 
> package by the user PSDC1 - who looks to be a machine.  In fact, one 
> of your DCs.
> Yes, they do logon and logoff of the domain - typically to connect to 
> services that it needs.  This one (the Event 540) was a logon to the 
> domain, where the previous was not a logoff from the domain proper.
> 
> A Logon type 3 tells you that it was via the network, while a type 2 
> is interactive (too bad you can't tell if it was actually at the 
> console).
> Less common types are 4 (batch), 5 (service), 7 (unlocked 
> workstation), 8 (plaintext password) or 9 (impersonated logon).
> 
> The Logon process and authentication package notes what type of 
> process was spawned to authenticate the user from the point it 
> connected to the session through authentication.  You might see 
> Kerberos (network), NTLM (network), or User32/Negotiate (Local).  
> Realm associated events to MIT Kerberos realms should record as 
> Kerberos authentication.
> 
> Bottom line:  Ignore the SYSTEM (usually a service doing what it 
> needs) and the machine name events logging on.  They are irrelevant 
> and generally service and process related to normal operation of the 
> network.  Do, however, take note of the user logon and logoffs.  The 
> Logon ID field will stay with the user from Logon through the logoff 
> of this session.  You should be able to always associate a 540 Event 
> to a corresponding 538 Event.
> However, be vigilant that a 538 is not always the same.  One might 
> indicate a network logoff, one might indicate a net use 
> disconnection and another might record an Interactive logoff or an 
> auto disconnect.
> 
> As to what to do about spurious events that mean nothing when dealing 
> with user activity, I'd suggest a more manageable solution such as a 
> syslog server for Windows e

RE: [ActiveDir] Anonymous Logon

2003-08-10 Thread Rittenhouse, Cindy
I would not have been surprised to see this on a web server, but the domain
controllers being audited do not have either www or ftp services running. I
was not prepared for the voluminous amount of system and anonymous entries
in the log. I've increased the log size to 5MB on each DC and have them
scheduled to backup to a remote server every day at 23:55. I'm looking into
purchasing a syslog server, it seems the only viable way to manage this
mess.

-Original Message-
From: rick reynolds [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 10:10
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Anonymous Logon


If web services or ftp are running on those, both those services allow anon
to access the main page,

- Original Message - 
From: "Rittenhouse, Cindy" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, August 05, 2003 1:02 PM
Subject: RE: [ActiveDir] Anonymous Logon


> Rick,
> The security logs in question are on my Windows 2000 domain controllers,
> PSDC1 and PSDC2. When I Audit Logon Events, the log fills with Event 538 NT
> Authority\Anonymous Logon
> User Logoff:
>   User Name: ANONYMOUS LOGON
>   Domain: NT AUTHORITY
>   Logon ID: (0x0,0xCB82F)
>   Logon Type: 3
>
>  and Event 540 NT Authority\System Logons
> Successful Network Logon:
>   User Name: PSDC1$
>   Domain: LC_POLICE
>   Logon ID: (0x0,0xCBE63)
>   Logon Type: 3
>   Logon Process: Kerberos
>   Authentication Package: Kerberos
>   Workstation Name:
>
> These don't appear to give me any specific information.
>
> I need to keep records for 3 years that show when a user logged onto the
> network and from which workstation. When I audit Account Logon, I get the
> information, but the user is always System, so there is no easy way to
> filter for a specific user name. When I use Audit Logon events, I can filter
> by user name, but I'm filling 75% of the log with Anonymous and System
> logons. I'm generating about 8MB of security log daily between the two DCs,
> so I'm not sure what is the most efficient way to configure the audit policy
> on my DCs. It seems that either way, the logs fill with quite a bit of
> basically useless information.
>
>
> -Original Message-
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 04, 2003 18:26
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Anonymous Logon
>
>
> Cindy,
>
> My initial thought on this, understanding the process, is that everyone is
> Anonymous when they first hit the server.  A record of this 'anonymous'
> access is made, and the process continues where you actually identify
> yourself.
>
> Clearly, this is going to be different if you are running a web server,
> where the access might be mostly anonymous, unless set to some manner of
> authentication (Windows, Basic, etc.)
>
> Now, for more detail, if you want to post some of the records that you're
> seeing (you should be able to follow the authentication trail via the ID's
> in the audit records) I can help you identify what is going on and what the
> anonymous access is all about.  It would help to know what type of server
> this is, as well.
>
> Rick Kingslan  MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
> Sent: Monday, August 04, 2003 1:35 PM
> To: '[EMAIL PROTECTED]'
> Subject: [ActiveDir] Anonymous Logon
>
> I successfully upgraded my NT domain to AD yesterday. I now find my DC
> security log on the PDC emulator filling  up twice a day. It is set to 2048
> KB, do not overwrite (I have to save them for 3 years). The majority of
> events are Anonymous logons. Is it normal to have this quantity of Anonymous
> logons?
>
> Cynthia Rittenhouse  MCSE,CCNA
> LAN Administrator
> County of Lancaster
> Lancaster, PA 17602
> Phone: (717)293-7274
>
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ: http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>
>
>
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Anonymous Logon

2003-08-14 Thread Rittenhouse, Cindy
Rick,
The security logs in question are on my Windows 2000 domain controllers,
PSDC1 and PSDC2. When I Audit Logon Events, the log fills with Event 538 NT
Authority\Anonymous Logon
User Logoff:
User Name:  ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID:   (0x0,0xCB82F)
Logon Type: 3

 and Event 540 NT Authority\System Logons
Successful Network Logon:
User Name:  PSDC1$
Domain: LC_POLICE
Logon ID:   (0x0,0xCBE63)
Logon Type: 3
Logon Process:  Kerberos
Authentication Package: Kerberos
Workstation Name:   

These don't appear to give me any specific information. 

I need to keep records for 3 years that show when a user logged onto the
network and from which workstation. When I audit Account Logon, I get the
information, but the user is always System, so there is no easy way to
filter for a specific user name. When I use Audit Logon events, I can filter
by user name, but I'm filling 75% of the log with Anonymous and System
logons. I'm generating about 8MB of security log daily between the two DCs,
so I'm not sure what is the most efficient way to configure the audit policy
on my DCs. It seems that either way, the logs fill with quite a bit of
basically useless information.


-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Monday, August 04, 2003 18:26
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous Logon


Cindy,

My initial thought on this, understanding the process, is that everyone is
Anonymous when they first hit the server.  A record of this 'anonymous'
access is made, and the process continues where you actually identify
yourself.  

Clearly, this is going to be different if you are running a web server,
where the access might be mostly anonymous, unless set to some manner of
authentication (Windows, Basic, etc.)

Now, for more detail, if you want to post some of the records that you're
seeing (you should be able to follow the authentication trail via the ID's
in the audit records) I can help you identify what is going on and what the
anonymous access is all about.  It would help to know what type of server
this is, as well.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
Sent: Monday, August 04, 2003 1:35 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Anonymous Logon

I successfully upgraded my NT domain to AD yesterday. I now find my DC
security log on the PDC emulator filling  up twice a day. It is set to 2048
KB, do not overwrite (I have to save them for 3 years). The majority of
events are Anonymous logons. Is it normal to have this quantity of Anonymous
logons? 

Cynthia Rittenhouse  MCSE,CCNA
LAN Administrator
County of Lancaster
Lancaster, PA 17602
Phone: (717)293-7274

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
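
The filtering Rick Kingslan describes in this thread (drop SYSTEM, ANONYMOUS LOGON and machine-account records, then tie each Event 540 to its Event 538 through the Logon ID) can be sketched as below. This is an added example, not code from any poster or from MonitorWare; the users jdoe and asmith, the workstation names, the timestamps and the tuple layout are constructed, and Event 528 is included on the assumption that non-network logons are also wanted.

```python
from datetime import datetime
import re

LOGON_EVENTS = {528, 540}   # 540 = successful network logon (thread); 528 added as an assumption
LOGOFF_EVENT = 538          # user logoff (thread)
NOISE_USERS = {"ANONYMOUS LOGON", "SYSTEM"}
FIELD_RE = re.compile(r"^[ \t]*([A-Za-z ]+?):[ \t]*(.*?)[ \t]*$", re.MULTILINE)


def _text(header, user, domain, logon_id, workstation=None):
    """Build a description in the 'Key: value' layout shown in the thread."""
    lines = [header, f"User Name:\t{user}", f"Domain:\t{domain}",
             f"Logon ID:\t(0x0,{logon_id})", "Logon Type:\t3"]
    if workstation is not None:
        lines.append(f"Workstation Name:\t{workstation}")
    return "\n".join(lines)


# Constructed sample: (timestamp, logging computer, event id, description).
# The first two records reuse the values Cindy posted; the rest are invented.
SAMPLE_EVENTS = [
    ("2003-08-05 08:00:41", "PSDC1", 538,
     _text("User Logoff:", "ANONYMOUS LOGON", "NT AUTHORITY", "0xCB82F")),
    ("2003-08-05 08:00:43", "PSDC1", 540,
     _text("Successful Network Logon:", "PSDC1$", "LC_POLICE", "0xCBE63", "")),
    ("2003-08-05 08:01:12", "PSDC1", 540,
     _text("Successful Network Logon:", "jdoe", "LC_POLICE", "0xCC101", "WS-014")),
    ("2003-08-05 08:02:30", "PSDC1", 540,
     _text("Successful Network Logon:", "asmith", "LC_POLICE", "0xCC2A0", "WS-022")),
    ("2003-08-05 08:05:09", "PSDC1", 538,
     _text("User Logoff:", "PSDC1$", "LC_POLICE", "0xCBE63")),
    ("2003-08-05 08:47:03", "PSDC1", 538,
     _text("User Logoff:", "jdoe", "LC_POLICE", "0xCC101")),
]


def parse_fields(text):
    """Turn 'Key: value' lines into a dict; header lines get an empty value."""
    return {key: value for key, value in FIELD_RE.findall(text)}


def is_noise(user):
    """SYSTEM, ANONYMOUS LOGON and machine accounts (name ends in '$')."""
    return user.upper() in NOISE_USERS or user.endswith("$")


def split_noise(events):
    """Return (kept, dropped) so the dropped volume can still be counted."""
    kept, dropped = [], []
    for event in events:
        user = parse_fields(event[3]).get("User Name", "")
        (dropped if is_noise(user) else kept).append(event)
    return kept, dropped


def user_sessions(events):
    """Pair each user logon with the logoff carrying the same Logon ID.

    Logon IDs are only meaningful on the computer that logged them, so the
    key is (computer, Logon ID). A session with no logoff yet keeps None.
    """
    kept, _ = split_noise(events)
    open_sessions, sessions = {}, []
    for stamp, computer, event_id, text in sorted(kept, key=lambda e: e[0]):
        fields = parse_fields(text)
        key = (computer, fields.get("Logon ID"))
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if event_id in LOGON_EVENTS:
            session = {"user": fields.get("User Name", ""),
                       "domain": fields.get("Domain", ""),
                       "workstation": fields.get("Workstation Name", ""),
                       "computer": computer, "logon_id": key[1],
                       "logon": when, "logoff": None}
            open_sessions[key] = session
            sessions.append(session)
        elif event_id == LOGOFF_EVENT and key in open_sessions:
            open_sessions.pop(key)["logoff"] = when
    return sessions


if __name__ == "__main__":
    for s in user_sessions(SAMPLE_EVENTS):
        print(s["user"], s["workstation"], s["logon"], s["logoff"])
```

Records that are dropped here are only excluded from the user-session report; whether they may also be excluded from the retained archive depends on the retention requirement.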




[ActiveDir] sysvol not replicating

2003-08-29 Thread Rittenhouse, Cindy
Two days ago a consulting firm upgraded a BDC at a remote location to
Windows 2000. After the upgrade users had all types of trouble connecting.
It seems the sysvol is not replicating because the
Do_Not_Remove_NtFrs_PreInstall_Directory, Policies directory, and Scripts
directory do not exist on the remote server in either the sysvol\domain or
the sysvol\sysvol directory. The rest of AD seems to be replicating fine.
Can I simply copy those directories from one of my DCs to the DC in the
remote location?
Thanks

Cynthia Rittenhouse  MCSE,CCNA
LAN Administrator
County of Lancaster
Lancaster, PA 17602


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] sysvol not replicating

2003-08-29 Thread Rittenhouse, Cindy
results from dcdiag


Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: EastCocalicoPD\ECPDC
  Starting test: Connectivity
 . ECPDC passed test Connectivity

Doing primary tests
   
   Testing server: EastCocalicoPD\ECPDC
  Starting test: Replications
 . ECPDC passed test Replications
  Starting test: NCSecDesc
 . ECPDC passed test NCSecDesc
  Starting test: NetLogons
 . ECPDC passed test NetLogons
  Starting test: Advertising
 Warning: DsGetDcName returned information for
\\psdc1.police.lancco.pa.us, when we were trying to reach ECPDC.
 Server is not responding or is not considered suitable.
 . ECPDC failed test Advertising
  Starting test: KnowsOfRoleHolders
 . ECPDC passed test KnowsOfRoleHolders
  Starting test: RidManager
 . ECPDC passed test RidManager
  Starting test: MachineAccount
 . ECPDC passed test MachineAccount
  Starting test: Services
 . ECPDC passed test Services
  Starting test: ObjectsReplicated
 . ECPDC passed test ObjectsReplicated
  Starting test: frssysvol
 Error: No record of File Replication System, SYSVOL started.
 The Active Directory may be prevented from starting.
 There are errors after the SYSVOL has been shared.
 The SYSVOL can prevent the AD from starting.
 . ECPDC passed test frssysvol
  Starting test: kccevent
 . ECPDC passed test kccevent
  Starting test: systemlog
 An Error Event occured.  EventID: 0x041B
Time Generated: 08/29/2003   10:50:20
(Event String could not be retrieved)
 . ECPDC failed test systemlog
   
   Running enterprise tests on : LANCCO.ROOT
  Starting test: Intersite
 . LANCCO.ROOT passed test Intersite
  Starting test: FsmoCheck
 . LANCCO.ROOT passed test FsmoCheck

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, August 29, 2003 10:39
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] sysvol not replicating



whooah... easy.

Can you do a dcdiag and post the results please.

Robert Rutherford
+44 (0)1305 208232
+44 (0)7970 122362



 

  "Rittenhouse, Cindy" <[EMAIL PROTECTED]ster.pa.us>
  Sent by: [EMAIL PROTECTED]ivedir.org
  29/08/2003 15:32
  Please respond to ActiveDir

  To: [EMAIL PROTECTED]
  cc:
  Subject: [ActiveDir] sysvol not replicating

 

 





Two days ago a consulting firm upgraded a BDC at a remote location to
Windows 2000. After the upgrade users had all types of trouble connecting.
It seems the sysvol is not replicating because the
Do_Not_Remove_NtFrs_PreInstall_Directory, Policies directory, and Scripts
directory do not exist on the remote server in either the sysvol\domain or
the sysvol\sysvol directory. The rest of AD seems to be replicating fine.
Can I simply copy those directories from one of my DCs to the DC in the
remote location?
Thanks

Cynthia Rittenhouse  MCSE,CCNA
LAN Administrator
County of Lancaster
Lancaster, PA 17602


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/







List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
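
In the dcdiag output posted above, frssysvol is reported as "passed" even though it prints an Error about SYSVOL, so triage that reads only the verdict lines would miss it. The sketch below is an added example (not a Microsoft tool and not code from any poster) that groups each test's lines and flags tests that failed, never reported a verdict, or passed while printing an error or warning; the sample is abridged from the posted output and the function names are hypothetical.

```python
import re

# Abridged from the dcdiag output posted in this thread; the leader dots were
# already collapsed to a single "." by the list archive.
SAMPLE_DCDIAG = r"""
   Testing server: EastCocalicoPD\ECPDC
      Starting test: Connectivity
         . ECPDC passed test Connectivity
      Starting test: Advertising
         Warning: DsGetDcName returned information for
         \\psdc1.police.lancco.pa.us, when we were trying to reach ECPDC.
         Server is not responding or is not considered suitable.
         . ECPDC failed test Advertising
      Starting test: frssysvol
         Error: No record of File Replication System, SYSVOL started.
         The Active Directory may be prevented from starting.
         There are errors after the SYSVOL has been shared.
         The SYSVOL can prevent the AD from starting.
         . ECPDC passed test frssysvol
      Starting test: systemlog
         An Error Event occured.  EventID: 0x041B
            Time Generated: 08/29/2003   10:50:20
            (Event String could not be retrieved)
         . ECPDC failed test systemlog
   Running enterprise tests on : LANCCO.ROOT
      Starting test: FsmoCheck
         . LANCCO.ROOT passed test FsmoCheck
"""

START_RE = re.compile(r"Starting test:\s*(\S+)")
VERDICT_RE = re.compile(r"(\S+) (passed|failed) test (\S+)")
ALERT_RE = re.compile(r"\b(error|warning)\b", re.IGNORECASE)


def parse_dcdiag(text):
    """Group dcdiag output into one record per test.

    A test whose verdict line never appears (truncated or pasted-in-part
    output) keeps the verdict "incomplete" instead of being dropped.
    """
    results, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        start = START_RE.search(line)
        verdict = VERDICT_RE.search(line)
        if start:
            current = {"test": start.group(1), "target": None,
                       "verdict": "incomplete", "notes": []}
            results.append(current)
        elif verdict and current and verdict.group(3) == current["test"]:
            current["target"] = verdict.group(1)
            current["verdict"] = verdict.group(2)
            current = None
        elif current:
            # Everything between "Starting test" and the verdict is detail.
            current["notes"].append(line)
    return results


def needs_attention(results):
    """Return (test, reason) for every test that should be looked at."""
    flagged = []
    for result in results:
        alerts = [n for n in result["notes"] if ALERT_RE.search(n)]
        if result["verdict"] != "passed":
            flagged.append((result["test"], result["verdict"]))
        elif alerts:
            flagged.append((result["test"], "passed with alerts"))
    return flagged


if __name__ == "__main__":
    for test, reason in needs_attention(parse_dcdiag(SAMPLE_DCDIAG)):
        print(f"{test}: {reason}")
```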

RE: [ActiveDir] sysvol not replicating

2003-08-29 Thread Rittenhouse, Cindy
I can not map to \\servername\netlogon, the directory does not exist.

-Original Message-
From: Brown, Bill [contractor] [mailto:[EMAIL PROTECTED]
Sent: Friday, August 29, 2003 12:23
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] sysvol not replicating


Just a guess here - but can you map to \\servername\netlogon?  If you can -
what is the value of:
HKEY_LOCAL_MACHINE
System
CurrentControlSet
Services
Netlogon
Parameters
Script

R/Bill

 -Original Message-
From:   Rittenhouse, Cindy [mailto:[EMAIL PROTECTED] 
Sent:   Friday, August 29, 2003 11:26 AM
To: '[EMAIL PROTECTED]'
Subject:RE: [ActiveDir] sysvol not replicating

results from dcdiag


Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: EastCocalicoPD\ECPDC
  Starting test: Connectivity
 . ECPDC passed test Connectivity

Doing primary tests
   
   Testing server: EastCocalicoPD\ECPDC
  Starting test: Replications
 . ECPDC passed test Replications
  Starting test: NCSecDesc
 . ECPDC passed test NCSecDesc
  Starting test: NetLogons
 . ECPDC passed test NetLogons
  Starting test: Advertising
 Warning: DsGetDcName returned information for
\\psdc1.police.lancco.pa.us, when we were trying to reach ECPDC.
 Server is not responding or is not considered suitable.
 . ECPDC failed test Advertising
  Starting test: KnowsOfRoleHolders
 . ECPDC passed test KnowsOfRoleHolders
  Starting test: RidManager
 . ECPDC passed test RidManager
  Starting test: MachineAccount
 . ECPDC passed test MachineAccount
  Starting test: Services
 . ECPDC passed test Services
  Starting test: ObjectsReplicated
 . ECPDC passed test ObjectsReplicated
  Starting test: frssysvol
 Error: No record of File Replication System, SYSVOL started.
 The Active Directory may be prevented from starting.
 There are errors after the SYSVOL has been shared.
 The SYSVOL can prevent the AD from starting.
 . ECPDC passed test frssysvol
  Starting test: kccevent
 . ECPDC passed test kccevent
  Starting test: systemlog
 An Error Event occured.  EventID: 0x041B
Time Generated: 08/29/2003   10:50:20
(Event String could not be retrieved)
 . ECPDC failed test systemlog
   
   Running enterprise tests on : LANCCO.ROOT
  Starting test: Intersite
 . LANCCO.ROOT passed test Intersite
  Starting test: FsmoCheck
 . LANCCO.ROOT passed test FsmoCheck

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, August 29, 2003 10:39
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] sysvol not replicating



whooah... easy.

Can you do a dcdiag and post the results please.

Robert Rutherford
+44 (0)1305 208232
+44 (0)7970 122362



 

  "Rittenhouse, Cindy" <[EMAIL PROTECTED]ster.pa.us>
  Sent by: [EMAIL PROTECTED]ivedir.org
  29/08/2003 15:32
  Please respond to ActiveDir

  To: [EMAIL PROTECTED]
  cc:
  Subject: [ActiveDir] sysvol not replicating

 

 





Two days ago a consulting firm upgraded a BDC at a remote location to
Windows 2000. After the upgrade users had all types of trouble connecting.
It seems the sysvol is not replicating because the
Do_Not_Remove_NtFrs_PreInstall_Directory, Policies directory, and Scripts
directory do not exist on the remote server in either the sysvol\domain or
the sysvol\sysvol directory. The rest of AD seems to be replicating fine.
Can I simply copy those directories from one of my DCs to the DC in the
remote location?
Thanks

Cynthia Rittenhouse  MCSE,CCNA
LAN Administrator
County of Lancaster
Lancaster, PA 17602


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/







RE: [ActiveDir] sysvol not replicating

2003-08-30 Thread Rittenhouse, Cindy

This is the last FRS event log, all directories listed are present,
the file system is NTFS with SP4.

The File Replication Service is unable to add this computer to the following
replica set: 
"DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" 
 
This could be caused by a number of problems such as: 
  --  an invalid root path, 
  --  a missing directory, 
  --  a missing disk volume, 
  --  a file system on the volume that does not support NTFS 5.0 
 
The information below may help to resolve the problem: 
Computer DNS name is "ecpdc.police.lancco.pa.us" 
Replica set member name is "ECPDC" 
Replica set root path is "c:\winnt\sysvol\domain" 
Replica staging directory path is "c:\winnt\sysvol\staging\domain" 
Replica working directory path is "c:\winnt\ntfrs\jet" 
Windows error status code is ERROR_INVALID_HANDLE 
FRS error status code is FrsErrorNotFound 
 
Other event log messages may also help determine the problem.  Correct the
problem and the service will attempt to restart replication automatically at
a later time. 

this is the last FRS event log on PSDC1, I can resolve
ecpdc.police.lancco.pa.us from PSDC1, the FRS service is running on ecpdc.

The File Replication Service is having trouble enabling replication from
ECPDC to PSDC1 for c:\winnt\sysvol\domain using the DNS name
ecpdc.police.lancco.pa.us. FRS will keep retrying. 
 Following are some of the reasons you would see this warning. 
 
 [1] FRS can not correctly resolve the DNS name ecpdc.police.lancco.pa.us
from this computer. 
 [2] FRS is not running on ecpdc.police.lancco.pa.us. 
 [3] The topology information in the Active Directory for this replica has
not yet replicated to all the Domain Controllers. 
 
 This event log message will appear once per connection, After the problem
is fixed you will see another event log message indicating that the
connection has been established. 


This is a previous entry from the FRS event log on PSDC1, I don't
understand exactly what it means

Following is the summary of warnings and errors encountered by File
Replication Service while polling the Domain Controller
psdc1.police.lancco.pa.us for FRS replica set configuration information. 
 
 The nTDSConnection object cn=c6e774a3-afd0-48a9-864c-38a8c99b3ac6,cn=ntds
settings,cn=ecpdc,cn=servers,cn=eastcocalicopd,cn=sites,cn=configuration,dc=
lancco,dc=root is conflicting with cn=psdc1,cn=ntds
settings,cn=ecpdc,cn=servers,cn=eastcocalicopd,cn=sites,cn=configuration,dc=
lancco,dc=root. Using cn=c6e774a3-afd0-48a9-864c-38a8c99b3ac6,cn=ntds
settings,cn=ecpdc,cn=servers,cn=eastcocalicopd,cn=sites,cn=configuration,dc=
lancco,dc=root


-Original Message-
From: Siddharth Sawkar [mailto:[EMAIL PROTECTED]
Sent: Friday, August 29, 2003 1:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] sysvol not replicating


Don't dcpromo down and back up- you will just waste your time.

What are the last events in the FRS event logs.

If EVERYTHING else is perfect, we can check the registry to see what your
seeding server is.  If it doesn't have any problems, we can do a non-auth
restore which will be the quickest way back up (flip a reg key and bounce
the ntfrs service).

/Siddharth

On Fri, 29 Aug 2003, Simon Geary wrote:

> No, that would be the worst possible thing you could do! You should never
> manually copy any FRS replicated data over as that could trigger a full
> replication of Sysvol and bring your network down to a crawl. If FRS isn't
> working, look for the root cause and fix that instead, don't try any
> shortcuts.
>
> The main thing to check is the components that FRS relies on, mainly DNS.
> How does the DNS configuration look, can you resolve names to\from that
> server? DNS misconfiguration should be the first possible cause you focus on
> as it is the most common.
>
> Other troubleshooting steps:
> Check all event logs for associated errors. Any jrnl_wrap or FRS\DNS related
> pointers?
> dcdiag /v
> netdiag /v
> repadmin /showreps (should have at least one inbound and outbound partner)
>
> Do any of these point you towards the problem?
>
> If you are unable to track down the source of the problem you can always
> give up and start again, which is actually not so bad as it sounds. If the
> FRS problem can't be resolved, dcpromo back to a member server, double check
> DNS settings and then attempt the promotion again.
>
> Simon Geary
> MVP
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Rittenhouse,
> Cindy
> Sent: 29 August 2003 16:33
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] sysvol not replicating
>
>
> Two days ago a consulting firm upgraded a BDC at a remote location to
> Windows 2000. After the upgrade users had all types of trouble connecting.
> It seems the sysvol is not r

RE: [ActiveDir] sysvol not replicating

2003-08-30 Thread Rittenhouse, Cindy
results from repadmin look fine, server is running SP4


C:\Documents and Settings\Administrator.LC_POLICE>repadmin /showreps ecpdc
EastCocalicoPD\ECPDC
DSA Options : IS_GC
objectGuid  : 261bdbfc-59ef-4aa8-b087-36fe5e363e9f
invocationID: 9f91ded7-35c3-47a9-a30f-312f51da6f3a

 INBOUND NEIGHBORS ==

DC=police,DC=lancco,DC=pa,DC=us
Default-First-Site-Name\PSDC1 via RPC
objectGuid: 01dd65d5-caee-4e09-8cb3-85a7d4642ae9
Last attempt @ 2003-08-29 22:42.22 was successful.

CN=Schema,CN=Configuration,DC=LANCCO,DC=ROOT
Default-First-Site-Name\PSDC1 via RPC
objectGuid: 01dd65d5-caee-4e09-8cb3-85a7d4642ae9
Last attempt @ 2003-08-29 22:42.22 was successful.

CN=Configuration,DC=LANCCO,DC=ROOT
Default-First-Site-Name\PSDC1 via RPC
objectGuid: 01dd65d5-caee-4e09-8cb3-85a7d4642ae9
Last attempt @ 2003-08-29 22:42.22 was successful.

DC=LANCCO,DC=ROOT
Default-First-Site-Name\PSDC1 via RPC
objectGuid: 01dd65d5-caee-4e09-8cb3-85a7d4642ae9
Last attempt @ 2003-08-29 22:42.22 was successful.

 OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS 

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Friday, August 29, 2003 5:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] sysvol not replicating


This is probably a silly question, but you have applied all of the
latest SP's and hotfixes correct and this machine isn't sitting at like
SP1 or something? There are a ton of fixes for FRS out there. Other than
that I would be looking at DNS very carefully and also checking regular
replication (repadmin /showreps) to make sure that was working as well. 

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse,
Cindy
Sent: Friday, August 29, 2003 10:33 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] sysvol not replicating


Two days ago a consulting firm upgraded a BDC at a remote location to
Windows 2000. After the upgrade users had all types of trouble
connecting. It seems the sysvol is not replicating because the
Do_Not_Remove_NtFrs_PreInstall_Directory, Policies directory, and
Scripts directory do not exist on the remote server in either the
sysvol\domain or the sysvol\sysvol directory. The rest of AD seems to be
replicating fine. Can I simply copy those directories from one of my DCs
to the DC in the remote location? Thanks

Cynthia Rittenhouse  MCSE,CCNA
LAN Administrator
County of Lancaster
Lancaster, PA 17602


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] sysvol not replicating

2003-08-31 Thread Rittenhouse, Cindy
't allowing you to pull the NTFRS data.

Also we may have to look at the seeding server (if it is other than
PSDC1) and verify that it is replicating with the rest of the
domain/forest ok. 


There was also one post I saw where it mentioned duplicate connections.
I.E. Someone may have manually created a connection between ECPDC and
PSDC1. If that is the case I think I would remove it for now and see if
we can get the topology to correct itself. 

  joe




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse,
Cindy
Sent: Friday, August 29, 2003 10:51 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] sysvol not replicating


results from repadmin look fine, server is running SP4


C:\Documents and Settings\Administrator.LC_POLICE>repadmin /showreps ecpdc
EastCocalicoPD\ECPDC
DSA Options : IS_GC
objectGuid  : 261bdbfc-59ef-4aa8-b087-36fe5e363e9f
invocationID: 9f91ded7-35c3-47a9-a30f-312f51da6f3a

 INBOUND NEIGHBORS ==

DC=police,DC=lancco,DC=pa,DC=us
Default-First-Site-Name\PSDC1 via RPC
objectGuid: 01dd65d5-caee-4e09-8cb3-85a7d4642ae9
Last attempt @ 2003-08-29 22:42.22 was successful.

CN=Schema,CN=Configuration,DC=LANCCO,DC=ROOT
Default-First-Site-Name\PSDC1 via RPC
objectGuid: 01dd65d5-caee-4e09-8cb3-85a7d4642ae9
Last attempt @ 2003-08-29 22:42.22 was successful.

CN=Configuration,DC=LANCCO,DC=ROOT
Default-First-Site-Name\PSDC1 via RPC
objectGuid: 01dd65d5-caee-4e09-8cb3-85a7d4642ae9
Last attempt @ 2003-08-29 22:42.22 was successful.

DC=LANCCO,DC=ROOT
Default-First-Site-Name\PSDC1 via RPC
objectGuid: 01dd65d5-caee-4e09-8cb3-85a7d4642ae9
Last attempt @ 2003-08-29 22:42.22 was successful.

 OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS 

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Friday, August 29, 2003 5:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] sysvol not replicating


This is probably a silly question, but you have applied all of the
latest SP's and hotfixes correct and this machine isn't sitting at like
SP1 or something? There are a ton of fixes for FRS out there. Other than
that I would be looking at DNS very carefully and also checking regular
replication (repadmin /showreps) to make sure that was working as well. 

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse,
Cindy
Sent: Friday, August 29, 2003 10:33 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] sysvol not replicating


Two days ago a consulting firm upgraded a BDC at a remote location to
Windows 2000. After the upgrade users had all types of trouble
connecting. It seems the sysvol is not replicating because the
Do_Not_Remove_NtFrs_PreInstall_Directory, Policies directory, and
Scripts directory do not exist on the remote server in either the
sysvol\domain or the sysvol\sysvol directory. The rest of AD seems to be
replicating fine. Can I simply copy those directories from one of my DCs
to the DC in the remote location? Thanks

Cynthia Rittenhouse  MCSE,CCNA
LAN Administrator
County of Lancaster
Lancaster, PA 17602




RE: [ActiveDir] sysvol not replicating

2003-08-31 Thread Rittenhouse, Cindy
no, all FSMO holders are in the default_first_site, this DC is a GC

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Saturday, August 30, 2003 5:57 PM
To: [EMAIL PROTECTED]
Cc: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] sysvol not replicating



Cindy,

Is this DC in the same site as your FSMO holders?

BR,

Rob

Robert Rutherford
+44 (0)1305 208232
+44 (0)7970 122362

From: "Rittenhouse, Cindy" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Date: 29/08/2003 16:26
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
cc:
Subject: RE: [ActiveDir] sysvol not replicating
Please respond to ActiveDir

 

 





results from dcdiag


Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: EastCocalicoPD\ECPDC
  Starting test: Connectivity
 . ECPDC passed test Connectivity

Doing primary tests

   Testing server: EastCocalicoPD\ECPDC
  Starting test: Replications
 . ECPDC passed test Replications
  Starting test: NCSecDesc
 . ECPDC passed test NCSecDesc
  Starting test: NetLogons
 . ECPDC passed test NetLogons
  Starting test: Advertising
 Warning: DsGetDcName returned information for
\\psdc1.police.lancco.pa.us, when we were trying to reach ECPDC.
 Server is not responding or is not considered suitable.
 . ECPDC failed test Advertising
  Starting test: KnowsOfRoleHolders
 . ECPDC passed test KnowsOfRoleHolders
  Starting test: RidManager
 . ECPDC passed test RidManager
  Starting test: MachineAccount
 . ECPDC passed test MachineAccount
  Starting test: Services
 . ECPDC passed test Services
  Starting test: ObjectsReplicated
 . ECPDC passed test ObjectsReplicated
  Starting test: frssysvol
 Error: No record of File Replication System, SYSVOL started.
 The Active Directory may be prevented from starting.
 There are errors after the SYSVOL has been shared.
 The SYSVOL can prevent the AD from starting.
 . ECPDC passed test frssysvol
  Starting test: kccevent
 . ECPDC passed test kccevent
  Starting test: systemlog
 An Error Event occured.  EventID: 0x041B
Time Generated: 08/29/2003   10:50:20
(Event String could not be retrieved)
 . ECPDC failed test systemlog

   Running enterprise tests on : LANCCO.ROOT
  Starting test: Intersite
 . LANCCO.ROOT passed test Intersite
  Starting test: FsmoCheck
 . LANCCO.ROOT passed test FsmoCheck

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, August 29, 2003 10:39
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] sysvol not replicating



whooah... easy.

Can you do a dcdiag and post the results please.

Robert Rutherford
+44 (0)1305 208232
+44 (0)7970 122362

From: "Rittenhouse, Cindy" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Date: 29/08/2003 15:32
To: [EMAIL PROTECTED]
cc:
Subject: [ActiveDir] sysvol not replicating
Please respond to ActiveDir









Two days ago a consulting firm upgraded a BDC at a remote location to
Windows 2000. After the upgrade users had all types of trouble connecting.
It seems the sysvol is not replicating because the
Do_Not_Remove_NtFrs_PreInstall_Directory, Policies directory, and Scripts
directory do not exist on the remote server in either the sysvol\domain or
the sysvol\sysvol directory. The rest of AD seems to be replicating fine.
Can I simply copy those directories from one of my DCs to the DC in the
remote location?
Thanks

Cynthia Rittenhouse  MCSE,CCNA
LAN Administrator
County of Lancaster
Lancaster, PA 17602
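
The dcdiag run quoted in this thread prints "passed test frssysvol" directly under an "Error:" line, so the verdict lines alone hide the FRS problem. The following is an added example, not part of any list member's message: a triage pass over dcdiag text that also flags passed tests carrying Warning/Error lines and tests whose output was cut off. The function names and status labels are hypothetical, and the sample text is constructed from the layout shown above.

```python
import re

# Constructed sample: dcdiag lines in the layout quoted in this thread (the
# archive copy shows the row of leading dots as a single ".").
SAMPLE = r"""
   Testing server: EastCocalicoPD\ECPDC
      Starting test: Replications
         . ECPDC passed test Replications
      Starting test: Advertising
         Warning: DsGetDcName returned information for
         \\psdc1.police.lancco.pa.us, when we were trying to reach ECPDC.
         Server is not responding or is not considered suitable.
         . ECPDC failed test Advertising
      Starting test: frssysvol
         Error: No record of File Replication System, SYSVOL started.
         The Active Directory may be prevented from starting.
         . ECPDC passed test frssysvol
      Starting test: systemlog
         An Error Event occured.  EventID: 0x041B
         . ECPDC failed test systemlog
"""

SERVER = re.compile(r"^\s*(?:Testing server|Running enterprise tests on)\s*:\s*(\S+)")
START = re.compile(r"^\s*Starting test:\s*(\S+)")
VERDICT = re.compile(r"^[\s.]*(\S+) (passed|failed) test (\S+)\s*$")
ALERT = re.compile(r"^(?:Warning:|Error:|An Error Event)", re.IGNORECASE)


def parse_dcdiag(text):
    """Return one record per 'Starting test:' block, in order of appearance."""
    results = []
    target = None      # server or domain currently under test
    current = None     # record still waiting for its verdict line
    for line in text.splitlines():
        m = SERVER.match(line)
        if m:
            target, current = m.group(1), None
            continue
        m = START.match(line)
        if m:
            current = {"target": target, "test": m.group(1),
                       "verdict": None, "details": []}
            results.append(current)
            continue
        if current is None:
            continue
        m = VERDICT.match(line)
        if m and m.group(3) == current["test"]:
            current["verdict"] = m.group(2)
            current = None
        elif line.strip():
            current["details"].append(line.strip())
    return results


def triage(results):
    """List tests that need attention as (test, status, alert_lines)."""
    findings = []
    for r in results:
        alerts = [d for d in r["details"] if ALERT.match(d)]
        if r["verdict"] == "failed":
            findings.append((r["test"], "failed", alerts))
        elif r["verdict"] == "passed" and alerts:
            # The case seen in the thread: a pass verdict under an Error line.
            findings.append((r["test"], "passed-with-alerts", alerts))
        elif r["verdict"] is None:
            # Output was truncated before the verdict line.
            findings.append((r["test"], "no-verdict", alerts))
    return findings


if __name__ == "__main__":
    for test, status, alerts in triage(parse_dcdiag(SAMPLE)):
        print(f"{test:15} {status:20} {alerts[0] if alerts else ''}")
```
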



RE: [ActiveDir] sysvol not replicating

2003-08-31 Thread Rittenhouse, Cindy
I agree, it certainly sounds like it could be DNS related, but it appears
that all SRV records are present. ECPDC registered itself in
_msdcs/dc/_sites/eastcocalicopd/tcp/kerberos (port 88) and ldap (port 389), in
_msdcs/dc/_tcp/_kerberos and _ldap, in _sites/eastcocalicopd/_tcp/_kerberos
and _ldap, in _tcp/_kerberos, _kpasswd, and _ldap, and in _udp/_kerberos and
_kpasswd. It registered an A record as ECPDC and an A record (same as
parent folder). We do not use AD integrated DNS. All servers involved are
pointed to the DNS server that is authoritative for the zone. I deleted the
A record, did an ipconfig /registerdns, and the server registers without
problem. There is a ptr record for the server in the reverse lookup zone. I
can map from PSDC1 to any point on ECPDC and vice versa. I can do an
NSLOOKUP from either server. If the problem is DNS, I just don't see it.
I have not configured any static port mappings.
The only noteworthy item in the DNS event log is : The DNS server has
encountered numerous run-time events.  These are usually caused by the
reception of bad or unexpected packets, or from problems with or excessive
replication traffic.  The data is the number of suppressed events
encountered in the last 15 minute interval. 



-Original Message-
From: Dennis Schut [mailto:[EMAIL PROTECTED]
Sent: Sunday, August 31, 2003 3:15 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] sysvol not replicating


Can happen Rick, the same here... that's why checking and rechecking of
documentation is always fun

Diane, I have to agree with Rick, that the problem can be related to
registration of DNS SRV records, it is advisable to check if all the SRV
and other records are all registered correctly in the _MSDCS zone or the
appropriate domain DNS zone.

What kind of records are you registering in DNS, domain & AtSite related
records, or only the AtSite records ("DnsAvoidRegisterRecords" reg key)?

Are you using a static port mapping for RPC based AD replication?

Regards,

Dennis Schut MSCA, MCSAS, MCSA2K3, MCSE, MCSES, MCSE2K3
Technical Consultant

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, August 31, 2003 00:40
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] sysvol not replicating

My apologies to Dennis Schut (Read NOT *Shutts*).  I have a co-worker Deb
Shutts, and apparently my fingers got ahead of my brain.  But, that happens
a bunch - regardless if it's here, a NG, or just in a document.  :-)

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, August 30, 2003 5:06 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] sysvol not replicating

Diane,

I have to agree that there is something going on here.  Dennis Shutts tried
to get the ADDiag scripts (if you haven't seen it - but I know you, you
likely have) to her to run on her system.  It's the same tools that PSS will
have you run on your system to gather all of the information necessary to
diagnose this type of issue.

I suspect that there is a DNS problem as the SYSVOL share and the NETLOGON
share will not be published until all conditions are correct.  And, the
primary indicator is that failure in the NETDIAG log that you pointed out.

Cindy, leave the FRS issues alone for a bit until the DNS problems are
resolved on all servers.  It might be only one, or might be all of them.
Check your DNS and SYSTEM event logs.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Diane Ayers
Sent: Saturday, August 30, 2003 11:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] sysvol not replicating

Do you have all the necessary SRV records for this server in DNS?  Your
Dcdiag run had this error:

test NetLogons
  Starting test: Advertising
 Warning: DsGetDcName returned information for
\\psdc1.police.lancco.pa.us, when we were trying to reach ECPDC.
 Server is not responding or is not considered suitable.
 . ECPDC failed  

DsGetDcName is failing.  I'd look at the SRV records in DNS to see if that
is 100%.  Another area to check is the time on the DC to see if it's in sync
with its partners.

Diane

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse,
Cindy
Sent: Friday, August 29, 2003 7:51 PM
To: '[EMAIL PROTECTED]'

results from repadmin look fine, server is running SP4


C:\Documents and Settings\Administrator.LC_POLICE>repadmin /showreps ecpdc
EastCocalicoPD\ECPDC
DSA Options : IS_GC
objectGuid  : 261bdbfc-59ef-4aa8-b087-36fe5e363e9f
invocat

RE: [ActiveDir] sysvol not replicating

2003-09-02 Thread Rittenhouse, Cindy
Dennis,
I wasn't able to get everything to run. Here are the results from QA_Check.
I couldn't get Checkservers to run.
Change .txt to .zip


-Original Message-
From: Dennis Schut [mailto:[EMAIL PROTECTED]
Sent: Friday, August 29, 2003 14:38
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] sysvol not replicating


Okay Cindy, did not work, of course...

If you want I can send the files directly to you... just mail me on
[EMAIL PROTECTED]

Or download the files from the internet..

Dennis

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dennis Schut
Sent: Friday, August 29, 2003 20:33
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] sysvol not replicating

Cindy,

Try to run these scripts on the server with the problems,

You have to change some parameters in the QA_Check.cmd and
CheckServer.cmd regarding subnet, IP address and servername, if finished
then run the startQA.cmd. This script will check everything regarding
your DC and it will create several .txt files. If you want, you can send
the files to me, then I can inspect them

These scripts are coming from MS and you can find them in the Branch
Office Deployment Guide.

Rename the .txt extension to .zip

Regards,

Dennis Schut
Technical Consultant
MCP, MCSE, MCSA2K & 2K3, MCSAS & MCSES, MCSE2K & MCSE2K3



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse,
Cindy
Sent: Friday, August 29, 2003 16:33
To: [EMAIL PROTECTED]
Subject: [ActiveDir] sysvol not replicating

Two days ago a consulting firm upgraded a BDC at a remote location to
Windows 2000. After the upgrade users had all types of trouble connecting.
It seems the sysvol is not replicating because the
Do_Not_Remove_NtFrs_PreInstall_Directory, Policies directory, and Scripts
directory do not exist on the remote server in either the sysvol\domain or
the sysvol\sysvol directory. The rest of AD seems to be replicating fine.
Can I simply copy those directories from one of my DCs to the DC in the
remote location?
Thanks

Cynthia Rittenhouse  MCSE,CCNA
LAN Administrator
County of Lancaster
Lancaster, PA 17602



RE: [ActiveDir] sysvol not replicating

2003-09-02 Thread Rittenhouse, Cindy



I read the article, but there is currently 1.87 GB of free space on volume C, the
pagefile is located on volume D. I just got Sonar installed and running. Maybe
it will shed a brighter light on the problem. I've been up to my eyeballs in FRS
documentation, but I haven't come up with a solution. I found the previous
reference to null account in the ntfrsapi.log, but it was successfully resolved
to ECPDC.

  -Original Message-
  From: Rick Kingslan [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, September 02, 2003 01:57
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] sysvol not replicating
  Cindy,
   
  Be sure that you check the free space on the System 
  Volume of the system that is experiencing the problem.  I was able to 
  duplicate this exact problem in my lab tonight and just resolved the problem - 
  at least for my cause / effect.
   
  In essence, the USN Journal size is 512MB - and if there 
  is not sufficient space, NTFRS will stop with the errors that we have been 
  seeing - in effect the 13552 and 13555 errors in the NTFRS log.  What I 
  had to do to resolve the problem was to free up sufficient space to allow the 
  USN Journal to have room to work.  I then stopped and restarted the FRS 
  service, and got four clean informationals - the final saying that it had 
  established communication with my other DC and had successfully published the 
  SYSVOL and it is now actively replicating with it.
   
  Given standard practice of what many of us did for NT 4.0 
  servers and the %SYSTEMROOT% drive, it's not hard to imagine that after 
  putting Windows 2000 and a healthy pagefile, that the drive is low on space - 
  causing FRS to starve and fail.
   
  I'd suggest taking a hard look at the system volume, and 
  clean it up per the following article:
   
  http://support.microsoft.com/default.aspx?scid=kb;en-us;819268
   
  Good luck!
   
  
  Rick Kingslan  MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone

  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
  Sent: Monday, September 01, 2003 7:13 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] sysvol not replicating

  Yes, the GUID._MSDCS.domain name is present in the Lancco.root zone. The
  "Replica Set Parent" is PSDC1.police.lancco.pa.us. Is there a way to check
  for the SID mismatch? I am hoping to download the ADDiag scripts when I get
  back in the office tomorrow and my crystal ball tells me there is going to
  be a road trip in my very near future (like Wednesday).
  
-Original Message-
From: Dennis Schut [mailto:[EMAIL PROTECTED]
Sent: Monday, September 01, 2003 3:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] sysvol not replicating

Okay, this sounds okay, regarding TCP, UDP LDAP, Kerberos and Kpasswd
records. Is there also a GUID._MSDCS.Domain Name present?

Can you check if the following Reg key is present
HKLM\SYSTEM\CurrentControlSet\Services\NTFRS\"Replica Set Parent", and check
if the correct data is present in this key?

This is because during the promotion of replica DCs to an Active Directory
domain, a registry key (Replica Set Parent), under the NTFRS section of the
registry is populated with the name of the DC that is used to source the
Active Directory. FRS uses this key to source the SYSVOL share. Initial
SYSVOL replication occurs following the reboot after promotion.

Because of a faulty compare of the Microsoft Windows NT 4.0-style domain
name that is returned by DsCrackNames and the server principal name that is
returned by RpcMgmtInqServerPrincName, FRS fails to join the volatile
connection. This results in a delay to share out sysvols after the
promotion.

The reason that the new replica DC is not joining with the existing DC is
because of an SID mismatch. The SID from the RPC call from replica to source
DC is known, but the SID that the source DC gets by calling DsCrackName is
 or NULL.

Regards,
 
Dennis Schut MSCA, MCSAS, MCSA2K3, MCSE, MCSES, MCSE2K3
Technical Consultant

From: [EMAIL PROTECTED] on behalf of Rittenhouse, Cindy
Sent: Mon 01-Sep-03 00:57
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] sysvol not replicating

I agree, it certainly sounds like it could be DNS related, but it appears
that all SRV records are present. ECPDC registered itself in
_msdcs/dc/_sites/eastcocalicopd/tcp/kerberos (port 88) and ldap (port 389), in
_msdcs/dc/_tcp/_kerberos and _ldap, in _sites/eastcocalicopd/_tcp/_kerberos
and _ldap, in _tcp/_kerberos, _kpasswd, and _ldap, and in _udp/_kerberos and
_kpasswd. It registered an A record as ECPDC and an A record (same as
parent folder). We do not use AD integrated DNS.

RE: [ActiveDir] sysvol not replicating

2003-09-02 Thread Rittenhouse, Cindy
I'm sorry, but I'm having trouble locating FRSDiag.

-Original Message-
From: Siddharth Sawkar [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 02, 2003 00:43
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] sysvol not replicating


Adding to this nice proactive information, the first thing PSS will want
from you during an FRS case is a complete output of FRSDiag run against
all the DC's in your environment (usually).  Leave the defaults, select
all the servers and hit Go!  Send all your cab files and sit back :)

/Siddharth

On Mon, 1 Sep 2003, Rick Kingslan wrote:

> And, just because the cool info keeps coming:
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;312862
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;296183
>
> Also, for those following along - look to the NTFRS Management Pack for a
> little-known monitoring interface for resolving issues with FRS and Dfs
> called 'Sonar'.  Can be gotten here:
>
> http://www.microsoft.com/windows2000/techinfo/reskit/tools/new/sonar-o.asp
>
> Enjoy!
>
> Rick Kingslan  MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
>
>   _____
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
> Sent: Monday, September 01, 2003 7:13 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] sysvol not replicating
>
>
> Yes, the GUID._MSDCS.domain name is present in the Lancco.root zone. The
> "Replica Set Parent" is PSDC1.police.lancco.pa.us. Is there a way to check
> for the SID mismatch? I am hoping to download the ADDiag scripts when I get
> back in the office tomorrow and my crystal ball tells me there is going to
> be a road trip in my very near future (like Wednesday).
>
> -Original Message-
> From: Dennis Schut [mailto:[EMAIL PROTECTED]
> Sent: Monday, September 01, 2003 3:37 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] sysvol not replicating
>
>
> Okay, this sounds okay, regarding TCP, UDP LDAP, Kerberos and Kpasswd
> records. Is there also a GUID._MSDCS.Domain Name present?
>
> Can you check if the following Reg key is present
> HKLM\SYSTEM\CurrentControlSet\Services\NTFRS\"Replica Set Parent", and check
> if the correct data is present in this key?
>
> This is because during the promotion of replica DCs to an Active Directory
> domain, a registry key (Replica Set Parent), under the NTFRS section of the
> registry is populated with the name of the DC that is used to source the
> Active Directory. FRS uses this key to source the SYSVOL share. Initial
> SYSVOL replication occurs following the reboot after promotion.
>
> Because of a faulty compare of the Microsoft Windows NT 4.0-style domain
> name that is returned by DsCrackNames and the server principal name that is
> returned by RpcMgmtInqServerPrincName, FRS fails to join the volatile
> connection. This results in a delay to share out sysvols after the
> promotion.
>
> The reason that the new replica DC is not joining with the existing DC is
> because of an SID mismatch. The SID from the RPC call from replica to source
> DC is known, but the SID that the source DC gets by calling DsCrackName is
>  or NULL.
>
> Regards,
>
> Dennis Schut MSCA, MCSAS, MCSA2K3, MCSE, MCSES, MCSE2K3
> Technical Consultant
>   _
>
> From: [EMAIL PROTECTED] on behalf of Rittenhouse, Cindy
> Sent: Mon 01-Sep-03 00:57
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] sysvol not replicating
>
>
>
> I agree, it certainly sounds like it could be DNS related, but it appears
> that all SRV records are present. ECPDC registered itself in
> _msdcs/dc/_sites/eastcocalicopd/tcp/kerberos (port 88) and ldap (port 389), in
> _msdcs/dc/_tcp/_kerberos and _ldap, in _sites/eastcocalicopd/_tcp/_kerberos
> and _ldap, in _tcp/_kerberos, _kpasswd, and _ldap, and in _udp/_kerberos and
> _kpasswd. It registered an A record as ECPDC and an A record (same as
> parent folder). We do not use AD integrated DNS. All servers involved are
> pointed to the DNS server that is authoritative for the zone. I deleted the
> A record, did an ipconfig /registerdns, and the server registers without
> problem. There is a ptr record for the server in the reverse lookup zone. I
> can map from PSDC1 to any point on ECPDC and vice versa. I can do an
> NSLOOKUP from either server. If the problem is DNS, I just don't see it.
> I have not configured any static port mappings.
> The only noteworthy item in the DNS event log is : The DNS server has
> encountered numerous run-time events.  These are usually caused by the
> reception of bad or unexpected packets, or from proble

RE: [ActiveDir] sysvol not replicating

2003-09-02 Thread Rittenhouse, Cindy
This is the smallest debug file. 


-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Monday, September 01, 2003 13:32
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] sysvol not replicating


Yep, you have good AD replication at PSDC1 as well. This would tell me
that the underpinnings should be ok and the problem is most likely
strictly in FRS which sucks, I hate troubleshooting FRS. :op

The duplicate connections I saw the error for would be visible in sites
and services and you should see one connection that doesn't have a GUID
name, it has a name of a domain controller. 

Err back to FRS, are there any errors in the FRS log besides the, SYSVOL
is not shared out right now? If not we will have to start digging into
the actual FRS debug logs located in %winnt%\debug - usually
c:\winnt\debug. You will find logs that start with NTFRS and start
scanning through looking for anything that could indicate an error.
Possibly if the most recent one (should be named ntfrs_005.log) isn't
too long you can post it so we can take a peek.

Also Deji's post may have something to it in terms of the upgrade and
something happening there. I am not a fan at all of in place upgrades,
we did it once to the PDC for each of our domains to get the users and
groups and then we quickly promoed a pure W2K machine and moved the
fsmo's and wiped out the upgraded machine. 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse,
Cindy
Sent: Sunday, August 31, 2003 6:04 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] sysvol not replicating


results from repadmin on PSDC1 seem to indicate successful replication
(lancco.root is an empty root domain for the forest). ECPDC is not
listed as an outbound neighbor, I'm not sure what that implies. I did
not see any duplicate connections.

C:\Documents and Settings\Administrator.LC_POLICE>repadmin /showr
Default-First-Site-Name\PSDC1
DSA Options : IS_GC
objectGuid  : 01dd65d5-caee-4e09-8cb3-85a7d4642ae9
invocationID: 5d17cfd7-0d9d-4f10-bf89-b5fbba2dc6d2

 INBOUND NEIGHBORS ==

DC=police,DC=lancco,DC=pa,DC=us
EastCocalicoPD\ECPDC via RPC
objectGuid: 261bdbfc-59ef-4aa8-b087-36fe5e363e9f
Last attempt @ 2003-08-31 17:40.47 was successful.
Default-First-Site-Name\PSDC2 via RPC
objectGuid: a584f646-c7ea-48de-a08d-dfc938ba959a
Last attempt @ 2003-08-31 17:47.09 was successful.

CN=Schema,CN=Configuration,DC=LANCCO,DC=ROOT
Default-First-Site-Name\LANCCODC3 via RPC
objectGuid: 9e4c1826-5051-4c89-8016-ebc9f36f0156
Last attempt @ 2003-08-31 17:12.34 was successful.
Default-First-Site-Name\PSDC2 via RPC
objectGuid: a584f646-c7ea-48de-a08d-dfc938ba959a
Last attempt @ 2003-08-31 17:12.34 was successful.
Default-First-Site-Name\LANCCODC2 via RPC
objectGuid: 0472b4a6-ae4b-44a9-afae-805e24ce729e
Last attempt @ 2003-08-31 17:12.35 was successful.
EastCocalicoPD\ECPDC via RPC
objectGuid: 261bdbfc-59ef-4aa8-b087-36fe5e363e9f
Last attempt @ 2003-08-31 17:40.47 was successful.

CN=Configuration,DC=LANCCO,DC=ROOT
Default-First-Site-Name\LANCCODC2 via RPC
objectGuid: 0472b4a6-ae4b-44a9-afae-805e24ce729e
Last attempt @ 2003-08-31 17:35.43 was successful.
EastCocalicoPD\ECPDC via RPC
objectGuid: 261bdbfc-59ef-4aa8-b087-36fe5e363e9f
Last attempt @ 2003-08-31 17:40.47 was successful.
Default-First-Site-Name\PSDC2 via RPC
objectGuid: a584f646-c7ea-48de-a08d-dfc938ba959a
Last attempt @ 2003-08-31 17:44.59 was successful.
Default-First-Site-Name\LANCCODC3 via RPC
objectGuid: 9e4c1826-5051-4c89-8016-ebc9f36f0156
Last attempt @ 2003-08-31 17:45.43 was successful.

DC=LANCCO,DC=ROOT
Default-First-Site-Name\LANCCODC3 via RPC
objectGuid: 9e4c1826-5051-4c89-8016-ebc9f36f0156
Last attempt @ 2003-08-31 17:12.35 was successful.
EastCocalicoPD\ECPDC via RPC
objectGuid: 261bdbfc-59ef-4aa8-b087-36fe5e363e9f
Last attempt @ 2003-08-31 17:40.47 was successful.
Default-First-Site-Name\LANCCODC2 via RPC
objectGuid: 0472b4a6-ae4b-44a9-afae-805e24ce729e
Last attempt @ 2003-08-31 17:46.04 was successful.

 OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS 

DC=police,DC=lancco,DC=pa,DC=us
Default-First-Site-Name\LANCCODC1 via RPC
objectGuid: 3f95d0a2-8baf-48d5-83c0-c14b2e5ab02a
Default-First-Site-Name\LANCCODC3 via RPC
objectGuid: 9e4c1826-5051-4c89-8016-ebc9f36f0156
Default-First-Site-Name\PSDC2 via RPC
objectGuid: a584f646-c7ea-48de-a08d-dfc938ba959a

CN=Schema,CN=Configuration,DC=LANCCO,DC=ROOT
Default-First-Site-Name\LANCCODC2 via RPC
objectGuid: 0472b4a6-ae4b-44a9-afae-805e24ce729e
Default-First-Site-Name\LANCCODC1 via RPC
objectGuid: 3f95d0a2-8baf-48d5-83c0-c1
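The inbound-neighbor section of `repadmin /showreps` output like the listing above can be checked mechanically rather than by eye. The Python below is an added example, not part of the original post: it parses the inbound section per naming context, handles the `HH:MM.SS` timestamp style and cut-off entries, and reports partners whose last attempt failed or is stale. The function names, the three-hour staleness threshold, and the `ExampleSite\EXAMPLEDC*` entries (including the wording of the failed-attempt line) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Entries for ECPDC, PSDC2, LANCCODC2 and LANCCODC1 are copied from the output
# above. The ExampleSite\EXAMPLEDC* entries are constructed for this example,
# including the wording of the failed-attempt line.
SAMPLE = r"""
 INBOUND NEIGHBORS ==

DC=police,DC=lancco,DC=pa,DC=us
EastCocalicoPD\ECPDC via RPC
objectGuid: 261bdbfc-59ef-4aa8-b087-36fe5e363e9f
Last attempt @ 2003-08-31 17:40.47 was successful.
Default-First-Site-Name\PSDC2 via RPC
objectGuid: a584f646-c7ea-48de-a08d-dfc938ba959a
Last attempt @ 2003-08-31 17:47.09 was successful.
ExampleSite\EXAMPLEDC1 via RPC
objectGuid: 00000000-0000-0000-0000-000000000001
Last attempt @ 2003-08-31 09:02.11 failed, result 1722:

CN=Configuration,DC=LANCCO,DC=ROOT
Default-First-Site-Name\LANCCODC2 via RPC
objectGuid: 0472b4a6-ae4b-44a9-afae-805e24ce729e
Last attempt @ 2003-08-31 17:35.43 was successful.
ExampleSite\EXAMPLEDC2 via RPC
objectGuid: 00000000-0000-0000-0000-000000000002
Last attempt @ 2003-08-30 08:15.00 was successful.

 OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS

DC=police,DC=lancco,DC=pa,DC=us
Default-First-Site-Name\LANCCODC1 via RPC
objectGuid: 3f95d0a2-8baf-48d5-83c0-c1
"""

SECTION_RE = re.compile(r"\b(INBOUND|OUTBOUND) NEIGHBORS\b")
PARTNER_RE = re.compile(r"^(?P<site>[^\\]+)\\(?P<server>\S+) via (?P<transport>\S+)$")
GUID_RE = re.compile(r"^objectGuid\s*:\s*(?P<guid>[0-9a-fA-F-]{36})$")
ATTEMPT_RE = re.compile(
    r"^Last attempt @ (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d[.:]\d\d) (?P<rest>.*)$")


def parse_inbound(text):
    """Return one dict per inbound replication partner per naming context."""
    rows, section, nc, cur = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()          # indentation is not relied on
        if not line:
            continue
        sec = SECTION_RE.search(line)
        if sec:
            section, nc, cur = sec.group(1), None, None
            continue
        if section != "INBOUND":    # skip the header block and outbound list
            continue
        if line.startswith(("DC=", "CN=")):
            nc, cur = line, None
            continue
        m = PARTNER_RE.match(line)
        if m and nc:
            cur = {"nc": nc, "site": m["site"], "server": m["server"],
                   "guid": None, "last_attempt": None, "ok": None}
            rows.append(cur)
            continue
        if cur is None:
            continue
        m = GUID_RE.match(line)
        if m:                       # a truncated GUID does not match and stays None
            cur["guid"] = m["guid"].lower()
            continue
        m = ATTEMPT_RE.match(line)
        if m:
            # Seconds are separated by "." in this output; normalise to ":".
            stamp = m["ts"].replace(".", ":")
            cur["last_attempt"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
            cur["ok"] = m["rest"].strip() == "was successful."
    return rows


def find_problems(rows, now, max_age=timedelta(hours=3)):
    """List (naming context, partner, reason) for failed, stale or cut-off entries."""
    problems = []
    for r in rows:
        who = r["site"] + "\\" + r["server"]
        if r["last_attempt"] is None:
            problems.append((r["nc"], who, "no attempt recorded"))
        elif not r["ok"]:
            problems.append((r["nc"], who, "last attempt failed"))
        elif now - r["last_attempt"] > max_age:
            problems.append((r["nc"], who, "stale"))
    return problems


def sources_by_site(rows):
    """Group inbound source servers by the site they are listed under."""
    sites = defaultdict(set)
    for r in rows:
        sites[r["site"]].add(r["server"])
    return {site: sorted(servers) for site, servers in sites.items()}


if __name__ == "__main__":
    parsed = parse_inbound(SAMPLE)
    for nc, who, reason in find_problems(parsed, datetime(2003, 8, 31, 18, 0, 0)):
        print(f"{nc}: {who}: {reason}")
    print(sources_by_site(parsed))
```
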

RE: [ActiveDir] sysvol not replicating

2003-09-02 Thread Rittenhouse, Cindy



Joe,
I got terminal services installed, also the support tools and the resource
kit. As for the travel, Orlando in Nov. for an Exchange conference will be
nice, if I survive FRS. I'm beginning to think a demotion and reformat may be
the final outcome.

[Rittenhouse, Cindy]

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 02, 2003 07:20
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] sysvol not replicating

  Rick, LOL. Always good to walk through the basics before running to the
  advanced stuff. Plus I always like to troubleshoot EVERYTHING else before FRS
  because I HATE troubleshooting FRS so I was right there with you Rick. All I
  wanted was to know that normal AD replication was working both ways, if that
  is the case most if not all of the underpinning issues could be ruled out.

  On the TS thing, I swear Alex A. (TS MVP) once published something on how to
  remotely install Admin TS mode on a W2K machine. If necessary we can grab him
  and get the details. That would save having to get someone involved.

  Cindy, before I did travel (unless it was someplace nice like Hawaii or
  London or Aruba or something) I would take this upgraded machine, demote
  it if it would let me, have someone wipe its partitions and start over with a
  fresh load of W2K versus using an upgrade.

    joe
   
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, September 01, 2003 10:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] sysvol not replicating

Cindy,

Not that Dennis is not making sense (he is) but here is where the
information is documented that he is relaying to you - and it's good to know
regardless.

http://support.microsoft.com/default.aspx?kbid=296951
(I had to find it because inquiring minds need to know.  I needed to
understand to the next level what was going on here.  Now I've been
reminded.)

Now that much of the DNS troubleshooting is out of the way, it's time to
move to FRS.  Kudos to those who started there.  Me, I had to get the
'Server not found' thing out of the way.

You've gotten some good information already on the FRS related issues, but
kicking the log into verbose debug mode is going to help tremendously - as
it's going to eliminate this possibility, which by all accounts should have
been fixed via SP3.  (Props to Joe, Deji, Siddharth)

And, as to the travel - can someone not install TS on that server for you
(if it's not already)?  I'd think the prudent move would be to exhaust all
possibilities before traveling there.  Much of what might need to be done
can be done from your desk - not the console.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
Sent: Monday, September 01, 2003 7:13 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] sysvol not replicating

Yes, the GUID._MSDCS.domain name is present in the Lancco.root zone.
The "Replica Set Parent" is PSDC1.police.lancco.pa.us. Is there a way to
check for the SID mismatch? I am hoping to download the ADDiag scripts when
I get back in the office tomorrow and my crystal ball tells me there is
going to be a road trip in my very near future (like Wednesday).

  -Original Message-
  From: Dennis Schut [mailto:[EMAIL PROTECTED]
  Sent: Monday, September 01, 2003 3:37 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] sysvol not replicating

  Okay, this sounds okay, regarding TCP, UDP LDAP, Kerberos and Kpasswd
  records. Is there also a GUID._MSDCS.Domain Name present?

  Can you check if the following Reg key is present
  HKLM\SYSTEM\CurrentControlSet\Services\NTFRS\"Replica Set Parent", and
  check if the correct data is present in this key?

  This is because during the promotion of replica DCs to an Active Directory
  domain, a registry key (Replica Set Parent), under the NTFRS section of the
  registry is populated with the name of the DC that is used to source the
  Active Directory. FRS uses this key to source the SYSVOL share. Initial
  SYSVOL replication occurs following the reboot after promotion. Because of
  a faulty compare of the Microsoft Windows NT 4.0-style domain name that is
  returned by DsCrackNames and the server principal name that is returned by
  RpcMgmtInqServerPrincName, FRS fails to join the volatile connection. This
  results

[ActiveDir] DNS design in multidomain forest

2002-01-14 Thread Rittenhouse, Cindy

My question is a little basic for this site, but I am hoping all your
expertise will help me design the most efficient active directory structure.
I currently have 2 NT domains, one for county government, the other for
county police agencies. We plan to create a single forest with 3 trees; an
empty root and the 2 existing NT domains. Certain county agencies need
access to police servers, and the police need access to certain county
servers. All users require intranet access, but only select workstations and
users are to have internet access. My quandary is the placement of DNS
servers. Do I create one primary DNS server in the null root and secondary
DNS servers in the other domains, or do I create a DNS server for each
domain and make it active directory integrated? If DNS is active directory
integrated, how do users in domain 2 locate resources in domain 3? How will
I differentiate users that need internet access from those who do not? We
still have hundreds of NT and 98 clients. I'd like to examine all possible
scenarios and the pros and cons of each. After reading all your entries over
the past several months, I know that if I don't get the DNS setup correct,
my active directory will be a disaster.
Currently, workstations from each domain that need internet get a DNS server
that forwards requests hard coded in the TCP/IP configuration. All others
get a local DNS server that does not forward requests. 

Cynthia Rittenhouse, MCSE, CCNA
LAN Administrator
County of Lancaster

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] VPN W2K Cannot See Other Computers Except the Server

2002-02-15 Thread Rittenhouse, Cindy



I've been looking for this setting on my W2K RRAS server and haven't been
able to locate it. Can anybody tell me where this setting is in W2K?

-Original Message-
From: Steve Thomas [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 14, 2002 12:32
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] VPN W2K Cannot See Other Computers Except the Server

I've not set up a VPN on w2k, but in NT there's a setting for whether or not
remote users can access the entire network, or just the local machine.

( http://www.apexvoice.com/~sthomas/screenshot.gif )

---
Steve Thomas
Network Administrator
APEX Voice Communications, Inc.
Voice: 818-379-8400
Fax: 818-379-8410
ICQ: 47046219
eMail/MSN: [EMAIL PROTECTED]
Yahoo: tms1791
  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dipowarga Wirawan
Sent: Thursday, February 14, 2002 8:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] VPN W2K Cannot See Other Computers Except the Server

I have tried from many different angles that you advise...but no go.. :(

At nslookup, it only lists one computer, which is the SERVER1.
Then, the next line says:  can't list domain all.  Non existent domain.
The lmhost is enabled.  (Under Advanced TCP/IP setting, WINS tab, Enable
LMHost lookup is selected.  Also Enable NetBIOS over TCP/IP is selected)

Any other idea?

Thanks,
Dipo
 
-Original Message-
From: Joe Sargent [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 13, 2002 6:31 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] VPN W2K Cannot See Other Computers Except the Server

Your problem here appears to be DNS.  You might want to change the DNS
server on the VPN client to the IP of your internal DNS server to see if
that fixes things.  This will not help you out to get to the Internet,
but you can at least isolate the problem..

You could also setup a WINS server and get to machines that way, but when it
comes to domain validation for access you will have to have the DNS access
so your machine will register.  If the machine doesn't register with
the W2K DNS server then that can cause authorization issues.  You
might also try the following at a command prompt once you get the DNS
entries entered.

ipconfig /flushdns
ipconfig /registerdns

Also do NSLOOKUP and see what DNS server your machine is requesting from.

I have similar issues with VPN software.  I have since switched to the CISCO
VPN3005 using the unified VPN client.  I have the vpn clients
authenticated via a Radius server and all the network info, DNS, WINS, etc
is passed to the machine and the client handles the routing and DNS
issues.  So far my users are happy!

HTH
Joe Sargent
 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dipowarga Wirawan
Sent: Wednesday, February 13, 2002 7:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] VPN W2K Cannot See Other Computers Except the Server

Domain
 
-Original Message-
From: Morgan, Joshua [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 13, 2002 3:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] VPN W2K Cannot See Other Computers Except the Server

Is your VPN set to log into the server or Domain?

Joshua Morgan
PH: (864) 250-1350 Ext 133
Fax: (413) 581-4936
[EMAIL PROTECTED]

-Original Message-
From: Dipowarga Wirawan [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 13, 2002 4:04 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] VPN W2K Cannot See Other Computers Except the Server

I could connect to the server, just cannot see other computers.
I just try to connect other computer with static ip, it works.  But I don't
know how to connect others with dynamic IP, or by computer name, for example
\\WS01\
 
-Original Message-
From: Al Garrett [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 13, 2002 2:26 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] VPN W2K Cannot See Other Computers Except the Server

EDUCATE YOUR CLIENT'S VPN USERS

HOW TO RESOLVE TWO COMMON VPN PROBLEMS
TechRepublic's VPN troubleshooter shares two common problems users have and
how to solve them. If you're charged with training your clients' remote
users to use a VPN, learn how you can save yourself and the users some
headaches. http://clickthru.online.com/Click?q=eb-HlpoQkD1zhKO_rsdo0CKYFjK9-lR

 
-Original 

[ActiveDir] setting up DNS

2002-03-28 Thread Rittenhouse, Cindy

I am trying to setup a Windows 2000 DNS server to prepare for active
directory. We are still an NT4.0 domain. I followed the guidelines in
Q300202 How to Configure DNS for Internet Access. I created a forward lookup
zone for what will be our active directory domain (an internal domain name).
It is the first DNS server, standard primary, I removed the "." under
forward lookup zone and the root hints are there. The server is pointing to
itself for DNS. I don't understand why it won't resolve internet names. I
can ping outside the network with no problem, and if I enter the IP address
of the local Novell DNS server, name resolution is fine. Any ideas? Is there
a group specifically devoted to DNS issues? This is not a good start.

Thanks
Cynthia Rittenhouse, MCSE, CCNA
LAN Administrator
County of Lancaster


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] setting up DNS

2002-03-28 Thread Rittenhouse, Cindy

Enable Forwarders is not checked.

-Original Message-
From: Hutchins, Mike [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 16:26
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] setting up DNS


On the server do a right click, go to properties. See on the forwarders tab
if forwarders are enabled, but forwarding server list is blank.

-Original Message-
From: Rittenhouse, Cindy [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, March 28, 2002 2:22 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] setting up DNS


I am trying to setup a Windows 2000 DNS server to prepare for active
directory. We are still an NT4.0 domain. I followed the guidelines in
Q300202 How to Configure DNS for Internet Access. I created a forward lookup
zone for what will be our active directory domain (an internal domain name).
It is the first DNS server, standard primary, I removed the "." under
forward lookup zone and the root hints are there. The server is pointing to
itself for DNS. I don't understand why it won't resolve internet names. I
can ping outside the network with no problem, and if I enter the IP address
of the local Novell DNS server, name resolution is fine. Any ideas? Is there
a group specifically devoted to DNS issues? This is not a good start.

Thanks
Cynthia Rittenhouse, MCSE, CCNA
LAN Administrator
County of Lancaster


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] setting up DNS

2002-03-28 Thread Rittenhouse, Cindy

We don't want to use our ISP's DNS servers because they are unreliable and
we have had problems with them in the past. Why can't my 2000 DNS server
query the root servers directly?

-Original Message-
From: DeGrands, Charles [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 16:54
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] setting up DNS


You need to enable that and then add your ISP's DNS servers to the field.  

-Original Message-
From: Rittenhouse, Cindy [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 1:37 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] setting up DNS


Enable Forwarders is not checked.

-Original Message-
From: Hutchins, Mike [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 16:26
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] setting up DNS


On the server do a right click, go to properties. See on the forwarders tab
if forwarders are enabled, but forwarding server list is blank.

-Original Message-
From: Rittenhouse, Cindy [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, March 28, 2002 2:22 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] setting up DNS


I am trying to setup a Windows 2000 DNS server to prepare for active
directory. We are still an NT4.0 domain. I followed the guidelines in
Q300202 How to Configure DNS for Internet Access. I created a forward lookup
zone for what will be our active directory domain (an internal domain name).
It is the first DNS server, standard primary, I removed the "." under
forward lookup zone and the root hints are there. The server is pointing to
itself for DNS. I don't understand why it won't resolve internet names. I
can ping outside the network with no problem, and if I enter the IP address
of the local Novell DNS server, name resolution is fine. Any ideas? Is there
a group specifically devoted to DNS issues? This is not a good start.

Thanks
Cynthia Rittenhouse, MCSE, CCNA
LAN Administrator
County of Lancaster


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] setting up DNS

2002-04-01 Thread Rittenhouse, Cindy

Yes, SP2

-Original Message-
From: Jason Benway [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 01, 2002 09:14
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] setting up DNS


We do not use forwarders here, we use the root servers. It works great. Are
you running SP2?

jb

-Original Message-
From: Rittenhouse, Cindy [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 5:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] setting up DNS


We don't want to use our ISP's DNS servers because they are unreliable and
we have had problems with them in the past. Why can't my 2000 DNS server
query the root servers directly?

-Original Message-
From: DeGrands, Charles [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 16:54
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] setting up DNS


You need to enable that and then add your ISP's DNS servers to the field.  

-Original Message-
From: Rittenhouse, Cindy [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 1:37 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] setting up DNS


Enable Forwarders is not checked.

-Original Message-
From: Hutchins, Mike [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 16:26
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] setting up DNS


On the server do a right click, go to properties. See on the forwarders tab
if forwarders are enabled, but forwarding server list is blank.

-Original Message-
From: Rittenhouse, Cindy [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, March 28, 2002 2:22 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] setting up DNS


I am trying to setup a Windows 2000 DNS server to prepare for active
directory. We are still an NT4.0 domain. I followed the guidelines in
Q300202 How to Configure DNS for Internet Access. I created a forward lookup
zone for what will be our active directory domain (an internal domain name).
It is the first DNS server, standard primary, I removed the "." under
forward lookup zone and the root hints are there. The server is pointing to
itself for DNS. I don't understand why it won't resolve internet names. I
can ping outside the network with no problem, and if I enter the IP address
of the local Novell DNS server, name resolution is fine. Any ideas? Is there
a group specifically devoted to DNS issues? This is not a good start.

Thanks
Cynthia Rittenhouse, MCSE, CCNA
LAN Administrator
County of Lancaster


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] setting up DNS

2002-04-01 Thread Rittenhouse, Cindy

The root hints are all there. On the properties of the DNS server, since I
am not yet an active directory environment, should I load zone data on
startup from file, registry, or active directory and registry?

-Original Message-
From: SALANDRA, JUSTIN [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 01, 2002 09:15
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] setting up DNS


They can.  My servers here query root servers directly.  You need to be sure
that the root hints tab is filled in with all the root servers.  This is
done when you configure your DNS server as a non root server.

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
914.681.8117 office
646.483.3325 cell
[EMAIL PROTECTED]


 -Original Message-
From:   Rittenhouse, Cindy [mailto:[EMAIL PROTECTED]] 
Sent:   Thursday, March 28, 2002 5:01 PM
To: '[EMAIL PROTECTED]'
Subject:RE: [ActiveDir] setting up DNS

We don't want to use our ISP's DNS servers because they are unreliable and
we have had problems with them in the past. Why can't my 2000 DNS server
query the root servers directly?

-Original Message-
From: DeGrands, Charles [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 16:54
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] setting up DNS


You need to enable that and then add your ISP's DNS servers to the field.  

-Original Message-
From: Rittenhouse, Cindy [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 1:37 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] setting up DNS


Enable Forwarders is not checked.

-Original Message-
From: Hutchins, Mike [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 16:26
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] setting up DNS


On the server do a right click, go to properties. See on the forwarders tab
if forwarders are enabled, but forwarding server list is blank.

-Original Message-
From: Rittenhouse, Cindy [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, March 28, 2002 2:22 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] setting up DNS


I am trying to setup a Windows 2000 DNS server to prepare for active
directory. We are still an NT4.0 domain. I followed the guidelines in
Q300202 How to Configure DNS for Internet Access. I created a forward lookup
zone for what will be our active directory domain (an internal domain name).
It is the first DNS server, standard primary, I removed the "." under
forward lookup zone and the root hints are there. The server is pointing to
itself for DNS. I don't understand why it won't resolve internet names. I
can ping outside the network with no problem, and if I enter the IP address
of the local Novell DNS server, name resolution is fine. Any ideas? Is there
a group specifically devoted to DNS issues? This is not a good start.

Thanks
Cynthia Rittenhouse, MCSE, CCNA
LAN Administrator
County of Lancaster


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] setting up DNS

2002-04-01 Thread Rittenhouse, Cindy

You may be onto something here, I noticed that the Cache listing on my old
NT DNS server contains many more entries than the new 2000 DNS server. It
finally found www.msn.com, but it took almost 90 minutes for all the msn
information to appear in cached lookups. When I go to msn and click a link
to another site, I get page cannot be displayed. So, now I am not sure if I
am dealing with a DNS configuration issue or could it be a network issue.
However, our Novell DNS server, which is on the same switch, is working
perfectly. 

-Original Message-
From: Linton Smith (WBTQ) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 17:12
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] setting up DNS


You're right - it should.

In DNS Admin, choose View, Advanced so you can see the DNS cached entries.
Select the cache, right click and choose Clear Cache.  Then go to a cmd
prompt on the client you are using for testing (this might be the server
itself) and type ipconfig /flushdns.  Try resolving again.

HTH,

Linton

-Original Message-
From: Rittenhouse, Cindy [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 5:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] setting up DNS


We don't want to use our ISP's DNS servers because they are unreliable and
we have had problems with them in the past. Why can't my 2000 DNS server
query the root servers directly?

-Original Message-
From: DeGrands, Charles [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 16:54
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] setting up DNS


You need to enable that and then add your ISP's DNS servers to the field.  

-Original Message-
From: Rittenhouse, Cindy [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 1:37 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] setting up DNS


Enable Forwarders is not checked.

-Original Message-
From: Hutchins, Mike [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 16:26
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] setting up DNS


On the server do a right click, go to properties. See on the forwarders tab
if forwarders are enabled, but forwarding server list is blank.

-Original Message-
From: Rittenhouse, Cindy [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, March 28, 2002 2:22 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] setting up DNS


I am trying to setup a Windows 2000 DNS server to prepare for active
directory. We are still an NT4.0 domain. I followed the guidelines in
Q300202 How to Configure DNS for Internet Access. I created a forward lookup
zone for what will be our active directory domain (an internal domain name).
It is the first DNS server, standard primary, I removed the "." under
forward lookup zone and the root hints are there. The server is pointing to
itself for DNS. I don't understand why it won't resolve internet names. I
can ping outside the network with no problem, and if I enter the IP address
of the local Novell DNS server, name resolution is fine. Any ideas? Is there
a group specifically devoted to DNS issues? This is not a good start.

Thanks
Cynthia Rittenhouse, MCSE, CCNA
LAN Administrator
County of Lancaster


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] setting up DNS

2002-04-01 Thread Rittenhouse, Cindy

Thank you, this was successful.

-Original Message-
From: Parker, Edward [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 01, 2002 12:05
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] setting up DNS


To ensure querying the root servers is working, run the following from the
console of your 2000 DNS server.
From a CMD prompt
>Nslookup
>Set norec
>Set nosearch
>www.compaq.com. <---Yes use the trailing "."

This should list root servers, since you are hitting the local DNS server
that is non-authoritative for compaq.com...(unless you work at Compaq)

Change your server to a root server listed. (If nothing is listed, turn
recursion back on.  Set rec. Re-run the query, then turn it back off.  This
should put Compaq.com in cache.)

>server e.root-servers.net
>www.compaq.com.  <---Yes use the trailing "."

Change to one of their name servers

>server name.name.compaq.com
ask again
>www.compaq.com. <---Yes use the trailing "."

If all this worked, then you are querying the root zones, or at least have
the potential to if your servers are configured correctly.






-Original Message-
From: Linton Smith (WBTQ) [mailto:[EMAIL PROTECTED]] 
Sent: Monday, April 01, 2002 10:31 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] setting up DNS

The cache is only populated as clients request resolution of something, so
differences in the cache are nothing to be concerned about.  Like I said,
you should try clearing the cache.  No harm will come from this - it will be
repopulated as per client requests.

To rule out firewalls, filters and proxies, you can simply try pinging a
name.  Clear the DNS cache, and then clear the TCP/IP client cache on the
workstation you are testing with (ipconfig /flushdns).  Then, from a cmd
prompt, type "ping www.msn.com" (without quotes).  If you see it pinging an
IP number, then you know it resolved.  Don't worry if the ping itself fails
- most sites will block pings.  We only want to ensure that the name is
resolved to an IP number.  Assuming it did, you should then see entries for
com, msn, www in the DNS cache.

HTH,

Linton

-Original Message-
From: Rittenhouse, Cindy [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 01, 2002 11:12 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] setting up DNS


You may be onto something here, I noticed that the Cache listing on my old
NT DNS server contains many more entries than the new 2000 DNS server. It
finally found www.msn.com, but it took almost 90 minutes for all the msn
information to appear in cached lookups. When I go to msn and click a link
to another site, I get page cannot be displayed. So, now I am not sure if I
am dealing with a DNS configuration issue or could it be a network issue.
However, our Novell DNS server, which is on the same switch, is working
perfectly. 

-Original Message-
From: Linton Smith (WBTQ) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 17:12
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] setting up DNS


You're right - it should.

In DNS Admin, choose View, Advanced so you can see the DNS cached entries.
Select the cache, right click and choose Clear Cache.  Then go to a cmd
prompt on the client you are using for testing (this might be the server
itself) and type ipconfig /flushdns.  Try resolving again.

HTH,

Linton

-Original Message-
From: Rittenhouse, Cindy [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 5:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] setting up DNS


We don't want to use our ISP's DNS servers because they are unreliable and
we have had problems with them in the past. Why can't my 2000 DNS server
query the root servers directly?

-Original Message-
From: DeGrands, Charles [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 16:54
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] setting up DNS


You need to enable that and then add your ISP's DNS servers to the field.  

-Original Message-
From: Rittenhouse, Cindy [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 1:37 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] setting up DNS


Enable Forwarders is not checked.

-Original Message-
From: Hutchins, Mike [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 16:26
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] setting up DNS


On the server do a right click, go to properties. See on the forwarders tab
if forwarders are enabled, but forwarding server list is blank.

-Original Message-
From: Rittenhouse, Cindy [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, March 28, 2002 2:22 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] setting up DNS


I am trying to setup a Windows 2000 DNS server to prepare for active
directory. We are still an NT4.0 domain. I followed the guidelines 

[ActiveDir] Forest Prep and ADC

2002-06-05 Thread Rittenhouse, Cindy

I am working in my test lab and I am unclear about the requirements for
ForestPrep. I have an AD root domain and an NT domain. My AD root consists
of 2 DCs only. DNS, DHCP, and WINS are in place. There is a trust between
the domains.  I have read that it is best to run ForestPrep at this point,
but my Exchange 5.5 server (a W2K member server) is in the NT domain. I have
documentation that says ADC must be installed in the Forest before I can run
ForestPrep. Since the Exchange server is not located in the Forest/AD
domain, do I need to install the ADC on one of these DCs. Will it allow me
to join an existing Exchange 5.5 Organization in an NT domain. Do I need the
ADC installed on the Exchange server before I Forest Prep the AD root
domain. 
Thanks

Cynthia Rittenhouse, MCSE, CCNA
LAN Administrator
County of Lancaster
900 E. King St.
Lancaster, PA 17602
Phone: (717)293-7274

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Forest Prep and ADC

2002-06-05 Thread Rittenhouse, Cindy



Thanks, I can get it from TechNet, I was using the Guide to Upgrading 
from MS Exchange Server 5.5 to Exchange 2000 Server, and it left me unclear as 
to where the ADC was to be installed? I don't plan to upgrade Exchange for some 
time, but I wanted to extend the AD schema from the start, to avoid extensive 
replication time later.

  -Original Message-
  From: Lori Demkovich [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, June 05, 2002 10:20
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Forest Prep and ADC

  Cindy, what you need is the Exchange 2000 Internals Installation
  and Setup Guide, which I'll send to you in a separate email if you
  wish. (But I think it is also on the Technet CD)  It's an
  excellent doc.  Essentially, you'll do the following:
   
  1. Install the ADC
  2. Run /Forestprep
  3. Run /domainprep
  4. Create required connection agreements
  5. Go home and rest while replication is going on... 
  6. Run Exchange 2000 setup.
   
  When using the guide, use the section dedicated to Integrating with 
  Exchange Server 5.5.
   
  Good luck and have fun!
   
  LCD
   
   
   
   
  -Original Message-
  From: Rittenhouse, Cindy [mailto:[EMAIL PROTECTED]]
  Sent: Wed 6/5/2002 10:10 AM
  To: [EMAIL PROTECTED]
  Cc:
  Subject: [ActiveDir] Forest Prep and ADC

I am working in my test lab and I am unclear about the requirements for
ForestPrep. I have an AD root domain and an NT domain. My AD root consists
of 2 DCs only. DNS, DHCP, and WINS are in place. There is a trust between
the domains.  I have read that it is best to run ForestPrep at this point,
but my Exchange 5.5 server (a W2K member server) is in the NT domain. I have
documentation that says ADC must be installed in the Forest before I can run
ForestPrep. Since the Exchange server is not located in the Forest/AD
domain, do I need to install the ADC on one of these DCs. Will it allow me
to join an existing Exchange 5.5 Organization in an NT domain. Do I need the
ADC installed on the Exchange server before I Forest Prep the AD root
domain.
Thanks

Cynthia Rittenhouse, MCSE, CCNA
LAN Administrator
County of Lancaster
900 E. King St.
Lancaster, PA 17602
Phone: (717)293-7274


RE: [ActiveDir] Forest Prep and ADC

2002-06-06 Thread Rittenhouse, Cindy



Thanks for all the tips, let the games begin.

  -Original Message-
  From: Ayers, Diane [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, June 06, 2002 11:47
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Forest Prep and ADC

  That's the process we followed in our site.  We just ran our first
  CA's last week for 20,000 users without one error.  WooHoo!  I'd
  like to add a couple of points:

  - There is a /schemaonly switch for the ADC install if you want
    to do that first before installing the ADC.
  - If possible, test your CA's in lab with duplicate AD accounts and
    Exchange 5.5 objects.  You may have to do a significant amount of clean
    up of your 5.5 objects to get a clean replication from the start.  We
    identified about 10 "clean up items" that we had to perform in our 5.5
    directory before we ran the first CA's on the ADC.
  - Use the NTDSNoMatch utility to flag those 5.5 objects that are
    duplicate primary NT accounts.  If you have more than one 5.5 object
    attached to a single NT account, the ADC may mismatch objects.  Adding
    the NTDSnoMatch attribute prevents this.
  - Oh yea, did I say test before hand?

  Have fun!

  Diane Ayers
  Technical Lead, Active Directory Implementation
  Pacific Gas & Electric Co.
  Sacramento/San Francisco
  916.923.7140/415.973.0377
  
-Original Message-
From: Lori Demkovich [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 05, 2002 7:20 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Forest Prep and ADC

Cindy, what you need is the Exchange 2000 Internals Installation
and Setup Guide, which I'll send to you in a separate email if you
wish. (But I think it is also on the Technet CD)  It's an
excellent doc.  Essentially, you'll do the following:
 
1. Install the ADC
2. Run /Forestprep
3. Run /domainprep
4. Create required connection agreements
5. Go home and rest while replication is going on... 
6. Run Exchange 2000 setup.
 
When using the guide, use the section dedicated to Integrating with 
Exchange Server 5.5.
 
Good luck and have fun!
 
LCD

-Original Message-
From: Rittenhouse, Cindy [mailto:[EMAIL PROTECTED]]
Sent: Wed 6/5/2002 10:10 AM
To: [EMAIL PROTECTED]
Cc:
Subject: [ActiveDir] Forest Prep and ADC

  I am working in my test lab and I am unclear about the requirements for
  ForestPrep. I have an AD root domain and an NT domain. My AD root consists
  of 2 DCs only. DNS, DHCP, and WINS are in place. There is a trust between
  the domains.  I have read that it is best to run ForestPrep at this point,
  but my Exchange 5.5 server (a W2K member server) is in the NT domain. I have
  documentation that says ADC must be installed in the Forest before I can run
  ForestPrep. Since the Exchange server is not located in the Forest/AD
  domain, do I need to install the ADC on one of these DCs. Will it allow me
  to join an existing Exchange 5.5 Organization in an NT domain. Do I need the
  ADC installed on the Exchange server before I Forest Prep the AD root
  domain.
  Thanks

  Cynthia Rittenhouse, MCSE, CCNA
  LAN Administrator
  County of Lancaster
  900 E. King St.
  Lancaster, PA 17602
  Phone: (717)293-7274


[ActiveDir] OT-Exchange 2003 Site Folder Server

2005-08-23 Thread Rittenhouse, Cindy (Police)



Good morning,
Can anybody explain the purpose of the site folder server in an Exchange 2003
native mode organization? The reason I am asking is because I recently ran the
Exchange Best Practices Analyzer and the only critical issue it found was the
Admin Group Site Folder Server deleted. My organization is now in native mode
(msExchAdminGroupMode value = 0), my default offline address list server is
defined, in my system folders I have at least 2 replicas of all Offline Address
Books and Schedule + Free Busy folders, and things seem to be functioning OK. I
have the procedure to correct the problem, but I would really like a better
understanding of the purpose of the site folder and the implications of not
having it defined.

Thanks
Cynthia Rittenhouse, MCSE
Network Administrator
County of Lancaster
Lancaster, PA 17602
Phone: (717)293-7274

Note: The comments on and attachment to this e-mail are intended only for the
use of the individual or entity to which it is addressed, and may contain
information that is privileged, confidential and exempt from disclosure under
applicable law.  If the reader of this message is not the intended recipient,
you are hereby notified that any dissemination, distribution or copying of this
communication is strictly prohibited.  If you received this in error, please
contact the sender and delete the original message, any attachment(s) and
copies.  Thank you for your cooperation.
 


RE: [ActiveDir] OT-Exchange 2003 Site Folder Server

2005-08-23 Thread Rittenhouse, Cindy (Police)



During the Exchange 5.5 to Exchange 2003 migration, all 
public folders and system folders were moved to the first Exchange 2003 server 
and then removed from the Exchange 5.5 server using pfmigrate. Public folders 
and system folders were then replicated to other Exchange 2003 servers. The 
Exchange 5.5 server was then removed from the Exchange organization. This 
deleted exchange 5.5 server is listed as the Admin Group 
siteFolderServer.
The migration was completed 6 months ago, and nobody has 
reported any problems. If this were a critical issue, I also would have expected 
to see some type of problem arise. There are several replicas of the system 
folders, which is why I was hoping to find more information on the purpose of 
the siteFolderServer.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, August 23, 2005 10:15
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT-Exchange 2003 Site Folder Server



Site Folder Considerations
The first Exchange server that is installed into an administrative group 
contains the administrative group's site folders. The site folders maintain 
copies of the offline address list and the free and busy data for that 
administrative group. The site folders also hold replicas of other site folders 
from other administrative groups. If you try to delete a store that contains the 
site folders, Exchange System Manager will not delete the store until the site 
folders have been re-homed to another server in the administrative group.
Therefore, to remove the first Exchange server in an administrative group, or 
to remove the public folder store that contains the site folders, you must first 
replicate the public folders to another Exchange server in the administrative 
group. Additionally, you must replicate the offline address list and the 
Schedule+ Free/Busy folder to another server. 
 
Are you sure things are working correctly?  Those folders 
should be there for proper operation.
 
I would expect some issues if that copy is missing or incorrect, 
although it could be housed elsewhere and the updates didn't occur 
correctly.  Where's the server that's missing and what were you planning to 
do to correct the issue?
 


From: [EMAIL PROTECTED] on behalf of Rittenhouse, Cindy (Police)
Sent: Tue 8/23/2005 9:21 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT-Exchange 2003 Site Folder Server

Good morning,
Can anybody explain the purpose of the site folder server in an Exchange 2003
native mode organization? The reason I am asking is because I recently ran the
Exchange Best Practices Analyzer and the only critical issue it found was the
Admin Group Site Folder Server deleted. My organization is now in native mode
(msExchAdminGroupMode value = 0), my default offline address list server is
defined, in my system folders I have at least 2 replicas of all Offline Address
Books and Schedule + Free Busy folders, and things seem to be functioning OK. I
have the procedure to correct the problem, but I would really like a better
understanding of the purpose of the site folder and the implications of not
having it defined.

Thanks
Cynthia Rittenhouse, MCSE
Network Administrator
County of Lancaster
Lancaster, PA 17602
Phone: (717)293-7274
 


RE: [ActiveDir] OT-Exchange 2003 Site Folder Server

2005-08-23 Thread Rittenhouse, Cindy (Police)



I have the procedure to update the DN of the 
siteFolderServer, but I am not familiar with sending "a meeting request for the 
AG to accept to cause it to update."  Could you please point me to the 
specific KB you are referring to.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, August 23, 2005 11:15
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT-Exchange 2003 Site Folder Server

Hmm.. It's possible that the clients are using one of those replicas then.
It's also possible that some clients take longer than they should to
get/update their data.

I may have misread the first time to read the folder itself.  In your case, it
sounds like the attribute didn't update and I would expect bpa to read that
attribute and try to contact the server.  When that fails, it would be
consistent if it reported an error.

I don't see it as a big deal to change the attribute to reflect the correct
server.  Did you already see the KB related? Basically, you would update the
DN of the siteFolderServer and send a meeting request for the AG to accept to
cause it to update.

Doesn't sound critical as long as you have the replicas in place.

Al


From: [EMAIL PROTECTED] on behalf of Rittenhouse, Cindy (Police)
Sent: Tue 8/23/2005 10:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT-Exchange 2003 Site Folder Server

During the Exchange 5.5 to Exchange 2003 migration, all 
public folders and system folders were moved to the first Exchange 2003 server 
and then removed from the Exchange 5.5 server using pfmigrate. Public folders 
and system folders were then replicated to other Exchange 2003 servers. The 
Exchange 5.5 server was then removed from the Exchange organization. This 
deleted exchange 5.5 server is listed as the Admin Group 
siteFolderServer.
The migration was completed 6 months ago, and nobody has 
reported any problems. If this were a critical issue, I also would have expected 
to see some type of problem arise. There are several replicas of the system 
folders, which is why I was hoping to find more information on the purpose of 
the siteFolderServer.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, August 23, 2005 10:15
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT-Exchange 2003 Site Folder Server



Site Folder Considerations
The first Exchange server that is installed into an administrative group 
contains the administrative group's site folders. The site folders maintain 
copies of the offline address list and the free and busy data for that 
administrative group. The site folders also hold replicas of other site folders 
from other administrative groups. If you try to delete a store that contains the 
site folders, Exchange System Manager will not delete the store until the site 
folders have been re-homed to another server in the administrative group.
Therefore, to remove the first Exchange server in an administrative group, or 
to remove the public folder store that contains the site folders, you must first 
replicate the public folders to another Exchange server in the administrative 
group. Additionally, you must replicate the offline address list and the 
Schedule+ Free/Busy folder to another server. 
 
Are you sure things are working correctly?  Those folders 
should be there for proper operation.
 
I would expect some issues if that copy is missing or incorrect, 
although it could be housed elsewhere and the updates didn't occur 
correctly.  Where's the server that's missing and what were you planning to 
do to correct the issue?
 


From: [EMAIL PROTECTED] on behalf of Rittenhouse, Cindy (Police)
Sent: Tue 8/23/2005 9:21 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT-Exchange 2003 Site Folder Server

Good morning,
Can anybody explain the purpose of the site folder server in an Exchange 2003
native mode organization? The reason I am asking is because I recently ran the
Exchange Best Practices Analyzer and the only critical issue it found was the
Admin Group Site Folder Server deleted. My organization is now in native mode
(msExchAdminGroupMode value = 0), my default offline address list server is
defined, in my system folders I have at least 2 replicas of all Offline Address
Books and Schedule + Free Busy folders, and things seem to be functioning OK. I
have the procedure to correct the problem, but I would really like a better
understanding of the purpose of the site folder and the implications of not
having it defined.

Thanks
Cynthia Rittenhouse, MCSE
Network Administrator
County of Lancaster
Lancaster, PA 17602
Phone: (717)293-7274