Showing posts with label Active Directory. Show all posts
Showing posts with label Active Directory. Show all posts

Friday, March 10, 2017

[SOLVED] How to Resolve Error 8614

I ran into this issue with two Domain Controllers that would not replicate.  DC2 was getting this error: "The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime"

Below are the steps I went through in order to remedy this situation and worked like a charm.

1. Verify which Domain Controller raised the 8614 error by using:

> repadmin /showrepl
or
> repadmin /showreps

* Run this command line in any DC not DC-A.

* In addition, open Event Viewer, in Applications and Services LogsDirectory Service, you will see an error with event ID 2042




According to Mirosoft knowledge base, it's maybe because the domain controller contains what so called lingering objects: http://support.microsoft.com/kb/2020053. This is the most possible reason for the error, because everything else are OK (time, default tombstone lifetime).


2. So, I have to remove those lingering objects from all DCs:

> repadmin /removelingeringobjects DC-A.MYDOMAIN.COM 5b0b944e-de7b-4f96-942b-1e040169db36 "CN=Configuration,DC=MYDOMAIN,DC=COM"

+ DC-A.MYDOMAIN.COM : FQDN of DC-A

+ 5b0b944e-de7b-4f96-942b-1e040169db36 : the GUID of DC-A. You can get it from the command repadmin /showrepl DC-A.

+ "CN=Configuration,DC=MYDOMAIN,DC=COM": NC in which DC-A raise the error (from the output of the command repadmin /showrepl)

* Repeat in all other DCs in forest.


3. Evaluate setting strict replication on all DCs in forest:

> repadmin /regkey * +strict


4. Set "Allow replication with divergent and corrupt partner = 1" on all DCs:

> repadmin /regkey * +allowDivergent


5. Flush DNS Cache and restart netlogon service in DC-A:

> ipconfig /flushdns

> net stop netlogon

+ rename netlogon.dns and netlogon.dnb file which locate in C:\Windows\System32\

> ipconfig /flushdns

+ > net start netlogon (this command will re-create netlogon.dns and netlogon.dnb files)

> ipconfig /registerdns


6. Check the replication of all DCs again using repadmin and Event Viewer

> repadmin /showrepl


7. Delete "Allow replication with divergent and corrupt partner" or set "Allow replication with divergent and corrupt partner = 0" in the registry of all DCs.

> repadmin /regkey * -allowDivergent


8. Check the replication of all DCs again using repadmin and Event Viewer


If you performed everything correctly, the Domain Controllers will now replicate successfully.
Posted by at 1 comment:
Labels: ,

Thursday, May 15, 2014

AD Health Checks for Domain Controllers

I recently had a request from a customer to provide some reports on how well their AD replication was working.  I found these come in helpful during routine maintenance or for specific requests on health checks.

Hope these help.

Dcdiag.exe /v >> c:\temp\pre_dcdiag.txt
This is a must!  It will always tell you if there is trouble with your DCs and/or services associated with it.

Netdiag.exe /v >> c:\temp\pre_Netdiag.txtThis will let you know if there are issues with the networking components on the DC.

Netsh dhcp show server >> c:\temp\pre_dhcp.txtYou may not want to do this but I've ran into issues with a DHCP server somehow not being authorized after a patch.  This allows me verify the server count and names.

Repadmin /showreps >> c:\temp\pre_rep_partners.txtThis shows all replication and if it was successful or not.  Be aware that Global Catalogs will have more info than a normal domain controller.

repadmin /replsum /errorsonly >> c:\temp\pre_repadmin_err.txtThis command takes a while to run but will let you know which server are having issues replicating.

Update 04/08/15:  Below is the text you can put into a script file that will dump everything you need into one text file for you to use for troubleshooting.  The commands above are great if that's all you need but now I use this script to grab it all at once.

@Echo Off
ECHO Running AD Health Checks - Notepad will open after completion
ECHO This Command Prompt will close after you close Notepad
set logfile=%userprofile%\Desktop\ADHealth.txt
echo You can share this log using http://pastie.org/pastes/new > %logfile%
echo. >> %logfile%
echo. >> %logfile%
REM Finds system boot time
echo System Boot Time ------------------------------------------------------------- >> %logfile%
systeminfo | find "System Boot Time:" >> %logfile%
systeminfo | find "System Up Time:" >> %logfile%
echo. >> %logfile%
echo. >> %logfile%
REM Displays all current TCP/IP network configuration values
echo IPCONFIG ------------------------------------------------------------- >> %logfile%
ipconfig /all >> %logfile%
echo. >> %logfile%
echo. >> %logfile%
REM Analyse the state of domain controllers in a forest and reports any problems to assist in troubleshooting
echo DCDIAG ------------------------------------------------------------- >> %logfile%
dcdiag /a >> %logfile%
echo. >> %logfile%
echo. >> %logfile%
REM The replsummary operation quickly summarizes the replication state and relative health
echo Replsummary ------------------------------------------------------------- >> %logfile%
repadmin /replsummary >> %logfile%
echo. >> %logfile%
echo. >> %logfile%
REM Displays the replication partners for each directory partition on the specified domain controller
echo Showrepl ------------------------------------------------------------- >> %logfile%
repadmin /showrepl >> %logfile%
echo. >> %logfile%
echo. >> %logfile%
REM Query FSMO roles
echo NETDOM Query FSMO ------------------------------------------------------------- >> %logfile%
netdom query fsmo >> %logfile%
REM Query Global Catalogs
echo List Global Catalogs ------------------------------------------------------------- >> %logfile%
for /f "tokens=2" %%a in ('systeminfo ^| findstr Domain:') do set domain=%%a
nslookup -querytype=srv _gc._tcp.%domain% >> %logfile%
notepad %logfile%
Posted by at No comments:
Labels:

Saturday, August 17, 2013

"Active Directory Replication is taking longer than expected" message stops SBS installation

SBS 2008 Event ID 13552 and 13555

Today I'm working a migration from SBS 2008 to SBS 2011.  This error came up.  In order to apply a fix I had to do some digging to get rid of this error.  The new SBS 2011 VM could not become a domain controller until this was fixed so here's what I have done.

Once this process is done then click Yes on the prompt from the new SBS server.  Replication will successfully complete and the setup of SBS 2011 will continue.

- Performing an authoritative restore:

1) Click Start, click Run, type cmd, and then click OK.
2) At the command prompt, type the following command, and then press ENTER:
net stop ntfrs
3) Click Start -> Run, type regedit, and then click OK.
4) Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
5) Right-click the BurFlags entry, and then click Modify.
6) In the Value data box, type D4 and then click OK, on the File menu, click Exit.
7) At the command prompt, type the following command, and then press ENTER:
 net start ntfrs


 
Posted by at No comments:
Labels: , , ,

Wednesday, May 29, 2013

Server 2012 Event ID 13555

I ran into this one today.  It involved two brand new 2012 servers that had only been in service since December of 2012.  The error appears to have started on 4/27/2013 and didn't present itself as an issue (since there's no IT staff there to review server logs) until new workstations were being put in and group policy was not applying to some of them.

The event log gave error 1355.  In order to fix it you need to do a non-authoritative restore of the SYSVOL folder.  Just make a simple backup of it just in case from another good domain controller.  Follow the steps below and for me it fixed it right away.  There's no need to restart the server and I noticed the replication began and ran properly right away.

Here's the exact fix:

To back up and restore the SYSVOL data, follow these steps:
  1. Back up the following folders in a temporary location that is not in the SYSVOL folder:
    • %SystemRoot%\SYSVOL\Domain\Policies
    • %SystemRoot%\SYSVOL\Domain\Scripts
    Note To retain the permissions for these folders, back up these folders in a location that is on the same volume as the SYSVOL folder.
  2. Perform a non-authoritative restore on this replica set. To do this, follow these steps:
    1. Click Start, click Run, type cmd, and then click OK.
    2. At the command prompt, type the following command, and then press ENTER:
      net stop ntfrs
    3. Click Start, click Run, type regedit, and then click OK.
    4. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
    5. Right-click the
      BurFlags
      entry, and then click Modify.
    6. In the Value data box, type D2, and then click OK.
    7. On the File menu, click Exit.
    8. At the command prompt, type the following command, and then press ENTER:
      net start ntfrs
Posted by at No comments:
Labels: ,

Friday, July 27, 2012

AD User List Query

I found this script on the web some time ago and it's great to dump all of the users out of AD into an Excel file.  I've been asked to do this many times for a variety of reasons.  Just copy this text exactly, place the script on a DC and run.  That's all it takes.


Dim ObjWb
Dim ObjExcel
Dim x, zz
Set objRoot = GetObject("LDAP://RootDSE")
strDNC = objRoot.Get("DefaultNamingContext")
Set objDomain = GetObject("LDAP://" & strDNC) ' Bind to the top of the Domain using LDAP using ROotDSE
Call ExcelSetup("Sheet1") ' Sub to make Excel Document
x = 1
Call enummembers(objDomain)
Sub enumMembers(objDomain)
On Error Resume Next
Dim Secondary(20) ' Variable to store the Array of 2ndary email alias's
For Each objMember In objDomain ' go through the collection

If ObjMember.Class = "user" Then ' if not User object, move on.
x = x +1 ' counter used to increment the cells in Excel

    objwb.Cells(x, 1).Value = objMember.Class
    ' I set AD properties to variables so if needed you could do Null checks or add if/then's to this code
    ' this was done so the script could be modified easier.
SamAccountName = ObjMember.samAccountName
Cn = ObjMember.CN
FirstName = objMember.GivenName
LastName = objMember.sn
initials = objMember.initials
Descrip = objMember.description
Office = objMember.physicalDeliveryOfficeName
Telephone = objMember.telephonenumber
EmailAddr = objMember.mail
WebPage = objMember.wwwHomePage
Addr1 = objMember.streetAddress
City = objMember.l
State = objMember.st
ZipCode = objMember.postalCode
Title = ObjMember.Title
Department = objMember.Department
Company = objMember.Company
Manager = ObjMember.Manager
Profile = objMember.profilePath
LoginScript = objMember.scriptpath
HomeDirectory = ObjMember.HomeDirectory
HomeDrive = ObjMember.homeDrive
AdsPath = Objmember.Adspath
LastLogin = objMember.LastLogin

zz = 1 ' Counter for array of 2ndary email addresses
For each email in ObjMember.proxyAddresses
     If Left (email,5) = "SMTP:" Then
Primary = Mid (email,6) ' if SMTP is all caps, then it's the Primary
     ElseIf Left (email,5) = "smtp:" Then
        Secondary(zz) = Mid (email,6) ' load the list of 2ndary SMTP emails into Array.
        zz = zz + 1
     End If
Next
' Write the values to Excel, using the X counter to increment the rows.

objwb.Cells(x, 2).Value = SamAccountName
objwb.Cells(x, 3).Value = CN
objwb.Cells(x, 4).Value = FirstName
objwb.Cells(x, 5).Value = LastName
objwb.Cells(x, 6).Value = Initials
objwb.Cells(x, 7).Value = Descrip
objwb.Cells(x, 8).Value = Office
objwb.Cells(x, 9).Value = Telephone
objwb.Cells(x, 10).Value = EmailAddr
objwb.Cells(x, 11).Value = WebPage
objwb.Cells(x, 12).Value = Addr1
objwb.Cells(x, 13).Value = City
objwb.Cells(x, 14).Value = State
objwb.Cells(x, 15).Value = ZipCode
objwb.Cells(x, 16).Value = Title
objwb.Cells(x, 17).Value = Department
objwb.Cells(x, 18).Value = Company
objwb.Cells(x, 19).Value = Manager
objwb.Cells(x, 20).Value = Profile
objwb.Cells(x, 21).Value = LoginScript
objwb.Cells(x, 22).Value = HomeDirectory
objwb.Cells(x, 23).Value = HomeDrive
objwb.Cells(x, 24).Value = Adspath
objwb.Cells(x, 25).Value = LastLogin
objwb.Cells(x,26).Value = Primary

' Write out the Array for the 2ndary email addresses.
For ll = 1 To 20
objwb.Cells(x,26+ll).Value = Secondary(ll)
Next
' Blank out Variables in case the next object doesn't have a value for the property
SamAccountName = "-"
Cn = "-"
FirstName = "-"
LastName = "-"
initials = "-"
Descrip = "-"
Office = "-"
Telephone = "-"
EmailAddr = "-"
WebPage = "-"
Addr1 = "-"
City = "-"
State = "-"
ZipCode = "-"
Title = "-"
Department = "-"
Company = "-"
Manager = "-"
Profile = "-"
LoginScript = "-"
HomeDirectory = "-"
HomeDrive = "-"
Primary = "-"
For ll = 1 To 20
Secondary(ll) = ""
Next
    End If
 
    ' If the AD enumeration runs into an OU object, call the Sub again to itinerate
 
    If objMember.Class = "organizationalUnit" or OBjMember.Class = "container" Then
        enumMembers (objMember)
    End If
Next
End Sub
Sub ExcelSetup(shtName) ' This sub creates an Excel worksheet and adds Column heads to the 1st row
Set objExcel = CreateObject("Excel.Application")
Set objwb = objExcel.Workbooks.Add
Set objwb = objExcel.ActiveWorkbook.Worksheets(shtName)
Objwb.Name = "Active Directory Users" ' name the sheet
objwb.Activate
objExcel.Visible = True
objwb.Cells(1, 2).Value = "SamAccountName"
objwb.Cells(1, 3).Value = "CN"
objwb.Cells(1, 4).Value = "FirstName"
objwb.Cells(1, 5).Value = "LastName"
objwb.Cells(1, 6).Value = "Initials"
objwb.Cells(1, 7).Value = "Descrip"
objwb.Cells(1, 8).Value = "Office"
objwb.Cells(1, 9).Value = "Telephone"
objwb.Cells(1, 10).Value = "Email"
objwb.Cells(1, 11).Value = "WebPage"
objwb.Cells(1, 12).Value = "Addr1"
objwb.Cells(1, 13).Value = "City"
objwb.Cells(1, 14).Value = "State"
objwb.Cells(1, 15).Value = "ZipCode"
objwb.Cells(1, 16).Value = "Title"
objwb.Cells(1, 17).Value = "Department"
objwb.Cells(1, 18).Value = "Company"
objwb.Cells(1, 19).Value = "Manager"
objwb.Cells(1, 20).Value = "Profile"
objwb.Cells(1, 21).Value = "LoginScript"
objwb.Cells(1, 22).Value = "HomeDirectory"
objwb.Cells(1, 23).Value = "HomeDrive"
objwb.Cells(1, 24).Value = "Adspath"
objwb.Cells(1, 25).Value = "LastLogin"
objwb.Cells(1, 26).Value = "Primary SMTP"
End Sub
MsgBox "Done" ' show that script is complete 
Posted by at No comments:
Labels:

Thursday, June 21, 2012

Promote 2008 Server Core to a Domain Controller

To promote the server to be a DC in your domain, enter the following command:

Dcpromo /unattend /replicaOrnewDomain:replica
/replicaDomainDNSName:mydomain.local /ConfirmGC:yes
/username:mydomain\administrator /Password:*
/safeModeAdminPassword:LetmeIn123

This will run dcpromo adding the server as a global catalog server to the mydomain.local domain. The Domain restore Mode password will be set to LetMeIn123. You will be asked to enter the domain administrator password when the command is run (by way of the /password:* command)

Allow the process to complete.  Once it does the server will automatically reboot and will be a domain controller.
Posted by at No comments:
Labels: , ,

Saturday, June 09, 2012

Active directory response: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS)

Active directory response: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS)

If you're getting this error trying to move mailboxes from Exchange 2003 or 2007 to Exchange 2010 then here's the simple fix.
  • Go into the user's account in AD and go to the Security tab. 
  • Check the box to Inherit permissions. If it's already set, clear it, force an AD update, and then check the box again. 

I had 2 boxes do this on my last Exchange migration. It's a real pain to find out after you've waited on the mailbox to copy but a very easy fix.
Posted by at No comments:
Labels: , , ,

Friday, April 29, 2011

Removing AD DC Metadata Script

This is a very useful script to automatically remove the metadata from Active Directory upon the loss of a domain controller that cannot be recovered or you will not be replacing and cannot gracefully demote. Just copy the text below and create your own script.

**I didn't write this script but since it is very useful I wanted to post it as another place to find it**

REM ==========================================================
REM GUI Metadata Cleanup Utility
REM Written By Clay Perrine
REM Version 2.5
REM ==========================================================
REM This tool is furnished "AS IS". NO warranty is expressed or Implied.

on error resume next
dim objRoot,oDC,sPath,outval,oDCSelect,objConfiguration,objContainer,errval,ODCPath,ckdcPath,myObj,comparename

rem =======This gets the name of the computer that the script is run on ======

Set sh = CreateObject("WScript.Shell")
key= "HKEY_LOCAL_MACHINE"
computerName = sh.RegRead(key & "\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName\ComputerName")

rem === Get the default naming context of the domain====

set objRoot=GetObject("LDAP://RootDSE")
sPath = "LDAP://OU=Domain Controllers," & objRoot.Get("defaultNamingContext")

rem === Get the list of domain controllers====

Set objConfiguration = GetObject(sPath)
For Each objContainer in objConfiguration
outval = outval & vbtab & objContainer.Name & VBCRLF
Next
outval = Replace(outval, "CN=", "")

rem ==Retrieve the name of the broken DC from the user and verify it's not this DC.===

oDCSelect= InputBox (outval," Enter the computer name to be removed","")
comparename = UCase(oDCSelect)

if comparename = computerName then
msgbox "The Domain Controller you entered is the machine that is running this script." & vbcrlf & _
"You cannot clean up the metadata for the machine that is running the script!",,"Metadata Cleanup Utility Error."
wscript.quit
End If

sPath = "LDAP://OU=Domain Controllers," & objRoot.Get("defaultNamingContext")
Set objConfiguration = GetObject(sPath)

For Each objContainer in objConfiguration
Err.Clear
ckdcPath = "LDAP://" & "CN=" & oDCSelect & ",OU=Domain Controllers," & objRoot.Get("defaultNamingContext")
set myObj=GetObject(ckdcPath)
If err.number <>0 Then
errval= 1
End If
Next

If errval = 1 then
msgbox "The Domain Controller you entered was not found in the Active Directory",,"Metadata Cleanup Utility Error."
wscript.quit
End If

abort = msgbox ("You are about to remove all metadata for the server " & oDCSelect & "! Are you sure?",4404,"WARNING!!")
if abort <> 6 then
msgbox "Metadata Cleanup Aborted.",,"Metadata Cleanup Utility Error."
wscript.quit
end if

oDCSelect = "CN=" & oDCSelect
ODCPath ="LDAP://" & oDCselect & ",OU=Domain Controllers," & objRoot.Get("defaultNamingContext")
sSitelist = "LDAP://CN=Sites,CN=Configuration," & objRoot.Get("defaultNamingContext")
Set objConfiguration = GetObject(sSitelist)
For Each objContainer in objConfiguration
Err.Clear
sitePath = "LDAP://" & oDCSelect & ",CN=Servers," & objContainer.Name & ",CN=Sites,CN=Configuration," & _
objRoot.Get("defaultNamingContext")
set myObj=GetObject(sitePath)
If err.number = 0 Then
siteval = sitePath
End If
Next

sFRSSysvolList = "LDAP://CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System," & _
objRoot.Get("defaultNamingContext")
Set objConfiguration = GetObject(sFRSSysvolList)

For Each objContainer in objConfiguration
Err.Clear
SYSVOLPath = "LDAP://" & oDCSelect & ",CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System," & _
objRoot.Get("defaultNamingContext")
set myObj=GetObject(SYSVOLPath)
If err.number = 0 Then
SYSVOLval = SYSVOLPath
End If
Next

SiteList = Replace(sSitelist, "LDAP://", "")
VarSitelist = "LDAP://CN=Sites,CN=Configuration," & objRoot.Get("defaultNamingContext")
Set SiteConfiguration = GetObject(VarSitelist)

For Each SiteContainer in SiteConfiguration
Sitevar = SiteContainer.Name
VarPath ="LDAP://OU=Domain Controllers," & objRoot.Get("defaultNamingContext")
Set DCConfiguration = GetObject(VarPath)
For Each DomContainer in DCConfiguration
DCVar = DomContainer.Name
strFromServer = ""
NTDSPATH = DCVar & ",CN=Servers," & SiteVar & "," & SiteList
GuidPath = "LDAP://CN=NTDS Settings,"& NTDSPATH
Set objCheck = GetObject(NTDSPATH)
For Each CheckContainer in objCheck
rem ====check for valid site paths =======================
ldapntdspath = "LDAP://" & NTDSPATH
Err.Clear
set exists=GetObject(ldapntdspath)
If err.number = 0 Then
Set oGuidGet = GetObject(GuidPath)
For Each objContainer in oGuidGet
oGuid = objContainer.Name
oGuidPath = "LDAP://" & oGuid & ",CN=NTDS Settings," & NTDSPATH
Set objSitelink = GetObject(oGuidPath)
objSiteLink.GetInfo
strFromServer = objSiteLink.Get("fromServer")
ispresent = Instr(1,strFromServer,oDCSelect,1)

if ispresent <> 0 then
Set objReplLinkVal = GetObject(oGuidPath)
objReplLinkVal.DeleteObject(0)
end if
next

sitedelval = "CN=" & comparename & ",CN=Servers," & SiteVar & "," & SiteList
if sitedelval = ntdspath then
Set objguidpath = GetObject(guidpath)
objguidpath.DeleteObject(0)
Set objntdspath = GetObject(ldapntdspath)
objntdspath.DeleteObject(0)
end if
End If
next
next
next
Set AccountObject = GetObject(ckdcPath)
temp=Accountobject.Get ("userAccountControl")
AccountObject.Put "userAccountControl", "4096"
AccountObject.SetInfo
Set objFRSSysvol = GetObject(SYSVOLval)
objFRSSysvol.DeleteObject(0)
Set objComputer = GetObject(ckdcPath)
objComputer.DeleteObject(0)
Set objConfig = GetObject(siteval)
objConfig.DeleteObject(0)
oDCSelect = Replace(oDCSelect, "CN=", "")
msgval = "Metadata Cleanup Completed for " & oDCSelect
msgbox msgval,,"Notice."
wscript.quit
Posted by at No comments:
Labels:
Subscribe to: Posts (Atom)