rhwimmers

asked on

Lots of random Active Directory issues

I am migrating my 03 domain to 08. I have decommissioned one of the 03 boxes and have one left. At the site that no longer has an 03 DC and does have an 08 DC, I have several users with strange issues:

They will come back from lunch (after the screen locks) and their account will be locked out; no other devices are trying to log in as them (like a phone, etc.). The account will sometimes only show as locked out on one DC (the local one) but not the other.

A user will be unable to change their password; it says it does not meet the complexity requirements, but it does. I've tried multiple passwords, and the same passwords as others that work fine, but it still says that. I CAN change it to these same passwords directly in ADUC, but NOT from their workstation. Looked in Event Viewer locally and on the DC she is on (did a gpresult /R to see what DC she was connected to) and didn't see anything strange.

One user could not get into her PC at all: not trusted by the domain. I joined a workgroup, then went back to the domain, and then she could log in. 3 hours later it seemed to happen again, but I looked and her account was locked, so after unlocking it she could get back in. I looked in ADUC and searched for her PC name and didn't find it at all. Looked a few hours later and it was in the correct OU where it should be.
 
Randomly their desktop shortcuts disappear (not too concerned with this yet, still troubleshooting it).

Obviously there are some replication issues going on. Let me know what tests to run and I can post the results here. Everything I have looked at seems to be "ok".
xDUCKx

dcdiag /v

repadmin /showrepl

Post those results from your DCs as text files (remove any sensitive information) and we can try to figure out what's going on.
rhwimmers (Asker)

Another thing that has happened a few times doing certain things...
Went to add Telnet as a feature (hate that it's disabled by default in 08!) and it says "the specified domain either does not exist or could not be contacted". I click "choose a different DC" and select the "DC with the operations master token for the PDC emulator": same issue. I try "any available DC": same thing. Then I try "any available DC" again, and then it works... This is ON one of the 08 DCs!
Sounds like a DNS issue.  Once we have the logs we can go from there.

Is your primary DNS on the DCs bound to 127.0.0.1 and the secondary bound to the other DNS server?
Attached.

SiteA (main site) has sbdc01 (an 03 server, ready to be demoted; need to move DNS/DHCP off it first) and mbidc01 (a new 08 server that is running DNS, AD, etc.).

SiteB, connected via a point-to-point T1, has sbdc02 (an 03 server, decommissioned, so you probably won't see anything about it) and mbidc02 (a new 08 server running AD/DNS/DHCP, etc.).
dcdiag.txt
repl.txt
Also, mbiwarehouse is another 08 server at a 3rd location connected via VPN; it's doing AD/DNS/DHCP. There have been 0 issues with this site.
ALL DCs are doing DFS for shared folders/folder redirection etc.
SiteB (where the 03 box was decommissioned) is the only site having these issues, which is why I have not dcpromo'd sbdc01 yet: not a stable environment.
Well, either I'm going crazy or someone else changed this, as I remember doing it.

mbidc01 was set to primary sbdc01 and secondary the dead DC!

Changing this to 127.0.0.1 as primary and mbidc02 as secondary (will do the same on mbidc02 if not done already).
Ok, your replication is set up on MBIDC01 to only replicate from SBDC01 and not any of the other DCs. You should go into Active Directory Sites and Services and configure the domain controller to have connectors to the other DCs.

You're getting this in the DCDiag logs:

        REPLICATION-RECEIVED LATENCY WARNING
         MBIDC01:  Current time is 2012-08-21 15:56:14.
            CN=Schema,CN=Configuration,DC=domainname,DC=local
               Last replication received from MBIDC02 at
          2012-04-18 17:39:09
               WARNING:  This latency is over the Tombstone Lifetime of 60
         days!


You're not replicating DNS to this domain controller. After you set up additional connectors in Sites and Services, if the above error does not go away (give it 30 min to an hour), then you may have to change your DNS zone <DomainName> on the server MBIDC01 to be NOT Active Directory integrated. Set it to Primary, have it grab zone updates from the other DCs, and then Active Directory integrate it again.

You've also got this:


         * Security Permissions Check for
           CN=Configuration,DC=domainname,DC=local
            (Configuration,Version 3)


I don't have an answer for this off the top of my head. But it's a security setting where the Enterprise Domain Controllers group doesn't have access to that directory partition. Which is bad. If you've disabled the default Domain Controllers GPO, this might be causing it. Or it could be a replication issue (which should be fixed with the above steps), or it could be that something has changed where the Enterprise Domain Controllers group has been stripped of rights. If the above steps for resolving replication/DNS don't work we can dig deeper into this one. For now, let's hope that replication takes care of it.
"You should go into Active Directory Sites and Services and configure the domain controller to have connectors to the other DC's."

So go to ADSS, go to sites, then SITEA, then servers, then on the right I just see mbidc01 and sbdc01, right click new server and add mbidc02?  Then do the same for SITEB and SITEC?
Noting that SiteC only has one server listed (mbiwarehouse), yet they have not had any issues at all.
Right. You want to make sure there is a connector from each domain controller in a 1:1 scenario. I apologize, but I'm getting lost with the names :-) I'm going to speak in generics.

DC1 -> Connector to DC2
           Connector to DC3

DC2 ->  Connector to DC1
            Connector to DC3

DC3 ->  Connector to DC1
             Connector to DC2

There are valid reasons not to do this: mainly the cost of replicating over a slow site-to-site WAN connection, security reasons, if you have a site that has RODCs only and don't want to replicate to all of them, etc. In your scenario, you can probably exclude the SiteC site.
Got it. So click the server, then click NTDS Settings, then right-click and New Connection. The one that is in there is <automatically generated>, but the one I added has the server name. Why didn't these "auto generate"?
Under SiteB, Servers, mbidc02 there were NO connections under NTDS Settings. Shouldn't there be one that is <auto generated>?

Now that these are complete, aside from not getting calls, how can I tell if things are "healthy"? In doing some of the connection tests from ntdsutil a while back it seemed everything was "healthy"...
kk...it's been a few hours so now it should have replicated.  So you can run the command:

repadmin /showrepl

from the command line. What you're looking for is that each connection was successful and the Last Attempt was done around the same time frame. If you have any errors then we'll need to look at dcdiag /v again to see what's wrong.
Why didnt these "auto generate"?

DNS, replication issues on the other DCs, lag across a slow WAN, firewall issues... lots of reasons. You'll probably see them show up now that replication should be working.

"Under SiteB, servers, mbidc02 there were NO connections under ntds settings - shouldnt there be one that <auto generated>?"
Yes, there should have been, which is why you're having such intermittent issues. It's an island right now and not providing all services to the domain. You added a computer to the domain, but it wasn't replicated to this DC. The computer attempts to connect to this DC and you got the "Computer not trusted" error.

"In doing some of the connection tests from ntdsutil a while back it seemed everything was "healthy"..."

NTDSUtil is a tool, but not overly great for getting information. The best tools in your belt for any Active Directory issues are dcdiag and repadmin. DCDiag gives you a quick overview of what's wrong; the /v switch is verbose and gives a lot of details. There are other switches, but you can run dcdiag periodically just to check what's up with the DCs. The second tool, repadmin, shows the status of replication from the domain controller you are on to the other DCs in the forest. You need to run this on ALL DCs to get a clear picture of whether replication is working. Replication can work one way, but may break the other way.

By using those two tools you should get a quick idea of what's happening with your DC's.  They are not the be-all-and-end-all of tools, but they do help to show you where to look when things aren't working quite right.

Hope that helps!
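Checking repadmin output on every DC by hand gets tedious with four of them. This added PowerShell example (mine, not from the thread) does it from one console: `repadmin /showrepl * /csv` asks every DC in the forest for its inbound partners, and the script flags partners with failures or a last success older than the 60-day tombstone lifetime from the dcdiag warning above. It assumes repadmin.exe is present and you have rights to query all DCs.

```powershell
# Added example, not from the thread: one-console replication summary for all DCs.
# '*' makes repadmin enumerate every DC in the forest; /csv gives parseable output.
$tombstoneLifetimeDays = 60   # the TSL quoted in the dcdiag warning above
$rows = repadmin /showrepl * /csv | ConvertFrom-Csv

$report = foreach ($r in $rows) {
    # repadmin writes timestamps as "yyyy-MM-dd HH:mm:ss"; a partner that has never
    # replicated has no parsable time, so treat that as infinitely old.
    $lastSuccess = $null
    try {
        $lastSuccess = [datetime]::ParseExact($r.'Last Success Time',
                                              'yyyy-MM-dd HH:mm:ss', $null)
    } catch { }
    $ageDays = [double]::PositiveInfinity
    if ($lastSuccess) { $ageDays = ((Get-Date) - $lastSuccess).TotalDays }

    $failures = 0
    [int]::TryParse($r.'Number of Failures', [ref]$failures) | Out-Null

    New-Object PSObject -Property @{
        Destination = $r.'Destination DSA'
        Source      = $r.'Source DSA'
        NamingCtx   = $r.'Naming Context'
        Failures    = $failures
        # Win32 error of the last failure; 0 = none. 1396 is "target account name is
        # incorrect" (an SPN/Kerberos mismatch), the code that shows up in this thread.
        LastStatus  = $r.'Last Failure Status'
        DaysSince   = [math]::Round($ageDays, 1)
        # Inbound replication older than the TSL is the REPLICATION-RECEIVED LATENCY
        # WARNING quoted above and a lingering-object risk.
        OverTSL     = ($ageDays -gt $tombstoneLifetimeDays)
    }
}

# Healthy looks like: Failures 0 everywhere, DaysSince small and similar for every partner.
$report | Sort-Object Destination, Source |
    Format-Table Destination, Source, NamingCtx, Failures, LastStatus, DaysSince, OverTSL -AutoSize

# Anything listed here is where to run dcdiag /v next, on the Destination DC.
$report | Where-Object { $_.Failures -gt 0 -or $_.OverTSL }
```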
Had a call this AM where a user was locked out for some reason. 3 of the 4 DCs had her as "locked out". After unlocking on all of them and having her reboot she could get back in. She was typing her password in right when she first walked in this AM, so no clue how it got locked.
Attached updated files. Did have one failure on repadmin: Last error: 1396 (0x574)
dcdiag.txt
rep.txt
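To find out what keeps locking an account, the place to look is the PDC emulator: every DC forwards bad-password attempts there, so it logs Security event 4740 ("A user account was locked out") for every lockout in the domain, including the name of the calling computer. This added PowerShell example (mine, not from the thread) pulls those events for one user; the account name is a placeholder and it assumes Account Management success auditing, which is on by default on Server 2008.

```powershell
# Added example, not from the thread: which machine is sending the bad credentials?
param(
    [string]$User  = 'jdoe',   # assumption: sAMAccountName of the locked-out user
    [int]   $Hours = 24
)

# PDC emulator via .NET, so this works on 2008 without the ActiveDirectory module.
$pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name

# XPath over the Security log: 4740 for this account within the last $Hours hours.
$ms = $Hours * 3600 * 1000
$xpath = "*[System[(EventID=4740) and TimeCreated[timediff(@SystemTime) <= $ms]] " +
         "and EventData[Data[@Name='TargetUserName']='$User']]"

$events = Get-WinEvent -ComputerName $pdc -LogName Security -FilterXPath $xpath `
                       -ErrorAction SilentlyContinue
if (-not $events) { "No 4740 for $User on $pdc in the last $Hours h"; return }

$events | ForEach-Object {
    # Pull the named EventData fields out of the event XML.
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    New-Object PSObject -Property @{
        Time       = $_.TimeCreated
        Account    = $d['TargetUserName']
        # In 4740, TargetDomainName carries the Caller Computer Name: the host that
        # kept presenting the old password (phone, mapped drive, service, stale session).
        CallerHost = $d['TargetDomainName']
        # Computer account of the DC that processed the lockout.
        LockedBy   = $d['SubjectUserName']
    }
} | Sort-Object Time | Format-Table Time, Account, CallerHost, LockedBy -AutoSize
```

If CallerHost is empty or another DC, the bad password arrived over a path the DC could not attribute, and the next step is the 4771/4776 failures on that DC around the same timestamp.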
ASKER CERTIFIED SOLUTION
xDUCKx

That is a valid computer (it's mbidc02). Got this when doing that command:

FindDomainForAccount: Call to DsGetDcNameWithAccountW failed with return value 0x00000525
Unable to locate account f1ff216e-db02-4cf7-a7f4-49440192fddf._msdcs.domainname.local
Is DNS running on MBIDC02?  Does it accept NSLookup?

start - Run -cmd

nslookup
>server MBIDC02.domain.local
>www.google.com
>OtherDC.domain.local

Do any of those error out?
Yes, yes, no; nslookup works fine.
mbidc02 has its primary DNS set to 127.0.0.1 and secondary to mbidc01.
Also, I have been doing all of these tests from mbidc01; should I do them on mbidc02 as well?
Yes, please. We can get more details the more DCs are scanned.
Is MBIDC02 an RODC?  If that's the case then you need to run:

adprep /rodcprep
No, it's not; it should be a fully functional DC.
         The forest is not ready for RODC. Will skip checking ERODC ACEs.
         * Security Permissions Check for
           DC=DomainDnsZones,DC=domainname,DC=local
            (NDNC,Version 3)
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
            DC=DomainDnsZones,DC=domainname,DC=local
         * Security Permissions Check for
           DC=ForestDnsZones,DC=domainname,DC=local
            (NDNC,Version 3)
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
            DC=ForestDnsZones,DC=domainname,DC=local
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=domainname,DC=local
            (Schema,Version 3)
         * Security Permissions Check for
           CN=Configuration,DC=domainname,DC=local
            (Configuration,Version 3)
         * Security Permissions Check for
           DC=domainname,DC=local
            (Domain,Version 3)
         ......................... MBIDC02 failed test NCSecDesc


It thinks it's an RODC.....
Just went into ADUC, clicked Domain Controllers, then opened up mbidc02; under Type it says Global Catalog... How else can I be sure?
Any other thoughts? If I dcpromo twice, does anything special need to be done?
Tried to just DCPromo this bi$*@ and got the following:
The operation failed because:

Active Directory Domain Services could not transfer the remaining data in directory partition CN=Schema,CN=Configuration,DC=domainname,DC=local to
Active Directory Domain Controller MBIDC01.domainname.local.

"Logon Failure: The target account name is incorrect."
If I do setspn mbidc02 FROM mbidc02 I get:


C:\>setspn mbidc02
Registered ServicePrincipalNames for CN=MBIDC02,OU=Domain Controllers,DC=domainname,DC=local:
        Microsoft Virtual System Migration Service/MBIDC02
        Microsoft Virtual System Migration Service/MBIDC02.domainname.local
        Microsoft Virtual Console Service/MBIDC02
        Microsoft Virtual Console Service/MBIDC02.domainname.local
        DNS/MBIDC02.domainname.local
        HOST/MBIDC02/domainname
        HOST/MBIDC02.domainname.local/domainname
        exchangeAB/MBIDC02
        exchangeAB/MBIDC02.domainname.local
        HOST/MBIDC02.domainname.local/domainname.local
        GC/MBIDC02.domainname.local/domainname.local
        ldap/MBIDC02/domainname
        ldap/f1ff216e-db02-4cf7-a7f4-49440192fddf._msdcs.domainname.local
        ldap/MBIDC02.domainname.local/domainname
        ldap/MBIDC02
        ldap/MBIDC02.domainname.local
        ldap/MBIDC02.domainname.local/DomainDnsZones.domainname.local
        ldap/MBIDC02.domainname.local/ForestDnsZones.domainname.local
        ldap/MBIDC02.domainname.local/domainname.local
        E3514235-4B06-11D1-AB04-00C04FC2DCD2/f1ff216e-db02-4cf7-a7f4-49440192fddf/domainname.local
        NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/MBIDC02.domainname.local
        Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/MBIDC02.domainname.local
        TERMSRV/MBIDC02
        TERMSRV/MBIDC02.domainname.local
        WSMAN/MBIDC02
        WSMAN/MBIDC02.domainname.local
        RestrictedKrbHost/MBIDC02
        HOST/MBIDC02
        RestrictedKrbHost/MBIDC02.domainname.local
        HOST/MBIDC02.domainname.local

If I do the same from MBIDC01 I only get:
C:\>setspn mbidc02
Registered ServicePrincipalNames for CN=MBIDC02,OU=Domain Controllers,DC=domainname,DC=local:
        E3514235-4B06-11D1-AB04-00C04FC2DCD2/f1ff216e-db02-4cf7-a7f4-49440192fddf/domainname.local
        Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/MBIDC02.domainname.local
        MSSQLSvc/MBIDC02.domainname.local:52294
        MSSQLSvc/MBIDC02.domainname.local:AVASTSBC
        TERMSRV/MBIDC02
        TERMSRV/MBIDC02.domainname.local
        WSMAN/MBIDC02
        WSMAN/MBIDC02.domainname.local
        RestrictedKrbHost/MBIDC02
        HOST/MBIDC02
        RestrictedKrbHost/MBIDC02.domainname.local
        HOST/MBIDC02.domainname.local
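The two setspn listings above come from the same computer object, so the difference is not a missing SPN but two DCs holding different copies of the object. This added PowerShell example (mine, not from the thread) reads servicePrincipalName for that object from each DC directly over LDAP and diffs the replicas; it uses plain ADSI so it runs on Server 2008 without the ActiveDirectory module, and the DC and object names are the thread's placeholders.

```powershell
# Added example, not from the thread: compare one object's SPNs as each DC sees it.
$dcs      = 'MBIDC01', 'MBIDC02', 'MBIWAREHOUSE'                    # thread placeholders
$objectDn = 'CN=MBIDC02,OU=Domain Controllers,DC=domainname,DC=local'

$views = @{}
foreach ($dc in $dcs) {
    try {
        # Putting the server name in the LDAP path pins the query to that replica
        # instead of letting the DC locator pick any DC.
        $obj = [ADSI]"LDAP://$dc/$objectDn"
        $views[$dc] = @(@($obj.servicePrincipalName) | Sort-Object)
        # whenChanged shows which replica last saw a write to this object.
        Write-Host ("{0}: {1} SPNs, whenChanged={2}" -f $dc, $views[$dc].Count, $obj.whenChanged)
    } catch {
        Write-Warning "$dc unreachable or refused the bind: $($_.Exception.Message)"
    }
}

# Diff every reachable replica against the first one.
$reference = $views.Keys | Select-Object -First 1
foreach ($dc in ($views.Keys | Where-Object { $_ -ne $reference })) {
    $diff = Compare-Object $views[$reference] $views[$dc]
    if (-not $diff) { Write-Host "$dc matches $reference"; continue }
    # '<=' = only on the reference DC, '=>' = only on this DC: the object has diverged,
    # which is a replication failure to chase with repadmin, not something to fix with setspn.
    Write-Host "--- SPNs that differ between $reference (<=) and $dc (=>) ---"
    $diff | Format-Table InputObject, SideIndicator -AutoSize
}
# Per-attribute origin and version for the same object: repadmin /showobjmeta <DC> "<objectDn>"
```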
Did a setspn that actually took; used the command off the MS site.

In Group Policy (needed to do it in the Default Domain Controllers Policy AND the Default Domain Policy), go to Policies, Windows Settings, Security Settings, Local Policies, User Rights Assignment, "Access this computer from the network", and be sure Enterprise Domain Controllers, Authenticated Users and Administrators are all listed.

Somehow, under the top-level Domain Controllers OU, clicking on mbidc02 showed the "trust for delegation" box was not checked...

Going to ADUC, then Users, then the Domain Controllers "group", then the Members tab, it did not show mbidc02; if I tried to add it, it acted as if that was not a computer. Yet above, in the top-level Domain Controllers folder (OU), mbidc02 was listed. After changing the above it was displayed correctly.

I am now getting 2042 and 1925 in Event Viewer / Directory Service, talking about how it can't replicate because of the tombstone lifetime of 60 days, referencing mbidc02, which is not even 60 days old!
Ended up disjoining from the domain and rejoining; the problems went away.
Thanks, Microsoft.