Category Archives: Active Directory

Replication after tombstone lifetime expired

While preparing an Exchange migration from 2010 to 2013 I had two DCs. One of them had been powered off for about 8 months, well past the default tombstone lifetime, so the rest of the forest no longer accepted it as a replication partner.

Every attempt to replicate with that DC failed with the following error:

"The following error occurred during the attempt to synchronize naming context CN=Configuration,DC=Domain,DC=Local from Domain Controller AD to Domain Controller AD2: The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime. This operation will not continue."

The clocks need to agree first: a DC that has been off for months will have drifted, and Kerberos authentication between the DCs (and with it replication) fails if the skew is too large. The FSMO role holder (PDC emulator) is in the demotesas.local domain, so on that DC I made it the authoritative time source for the domain:

W32tm /config /manualpeerlist:time.windows.com,0x1 /syncfromflags:manual /reliable:yes /update

Then restart the Windows Time service and force a resync:

net stop w32time & net start w32time & W32tm /resync /rediscover

On the additional DC, point the time service at the domain hierarchy and resync:

w32tm /config /syncfromflags:domhier /update

net stop w32time & net start w32time & W32tm /resync /rediscover

If replication still fails with the tombstone error after the clocks agree, the remaining option is to override the protection and force replication with the tombstoned DC. The command below sets the "Allow Replication With Divergent and Corrupt Partner" value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters on every DC (the * target). Understand what it bypasses: the check exists so that a DC that missed the tombstone lifetime cannot reintroduce objects the rest of the forest has already deleted and garbage-collected (lingering objects). The cleaner fix for a DC that has been offline this long is to forcibly demote it, clean up its metadata and promote it again. If you do use the override, remove it again afterwards and check for lingering objects.

repadmin /regkey * +allowDivergent

Now replicate again and see what happens.

Problem solved. Once the two DCs replicate cleanly, clear the allowDivergent override again and run a lingering-object check (in advisory mode first) against the DC that was offline, so that nothing stale is carried back into the forest.
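As an added example (not part of the original post), the following PowerShell checks how far each replication partner's last successful sync is from the forest's tombstone lifetime before the override is applied, and prints the cleanup commands to run afterwards. It assumes the DC names AD (healthy) and AD2 (stale) from the error text above, and the RSAT ActiveDirectory module.

```powershell
# Added example (not from the original post): before forcing replication with
# +allowDivergent, see how far each partner's last successful sync is from the
# forest's tombstone lifetime, then print the cleanup to run afterwards.
# Assumptions: RSAT ActiveDirectory module; 'AD' is the healthy DC and 'AD2'
# the stale one, as in the error text above; run as a Domain Admin.
Import-Module ActiveDirectory

$healthyDc = 'AD'
$staleDc   = 'AD2'

# tombstoneLifetime is stored on the Directory Service object in the Configuration NC.
# Forests created before Windows Server 2003 SP1 have no value set; the default is then 60 days.
$rootDse = Get-ADRootDSE -Server $healthyDc
$dsObj   = Get-ADObject -Server $healthyDc -Properties tombstoneLifetime `
    -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$tsl = if ($dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }
"Tombstone lifetime: $tsl days"

# Inbound replication metadata as the healthy DC sees it: one row per partner and partition.
$now  = Get-Date
$rows = Get-ADReplicationPartnerMetadata -Target $healthyDc -Scope Server -PartnerType Inbound |
    ForEach-Object {
        $last = $_.LastReplicationSuccess
        $age  = if ($last) { [int]($now - $last).TotalDays } else { $null }
        [pscustomobject]@{
            # Partner is the DN of the partner's NTDS Settings object; the second RDN is the server name.
            Partner     = (($_.Partner -split ',')[1]) -replace '^CN=', ''
            Partition   = $_.Partition
            LastSuccess = $last
            DaysAgo     = $age
            Failures    = $_.ConsecutiveReplicationFailures
            PastTsl     = (-not $last) -or ($age -gt $tsl)
        }
    }
$rows | Format-Table -AutoSize

# Cleanup for after a forced sync: clear the override on all DCs and look for
# lingering objects on the stale DC, using the healthy DC as the reference copy.
# /advisory_mode only reports; remove it to actually delete what it finds.
$refDsaGuid = (Get-ADDomainController -Identity $healthyDc -Server $healthyDc |
    ForEach-Object { Get-ADObject -Identity $_.NTDSSettingsObjectDN -Server $healthyDc }).ObjectGUID

if ($rows | Where-Object { $_.PastTsl }) {
    "repadmin /regkey * -allowDivergent"
    foreach ($nc in $rootDse.defaultNamingContext, $rootDse.configurationNamingContext, $rootDse.schemaNamingContext) {
        "repadmin /removelingeringobjects $staleDc $refDsaGuid `"$nc`" /advisory_mode"
    }
}
```

The lingering-object check compares the stale DC against the healthy DC's copy of each partition (the DSA GUID identifies the reference DC); run it in advisory mode first and only drop the switch once the reported objects are understood.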

 

 

REF:

http://www.techieshelp.com/active-directory-replication-issues-after-timesync-problems/

https://social.technet.microsoft.com/Forums/windowsserver/en-US/893b09d8-636e-4f87-8260-11613a2a4e43/unable-to-replicate-between-2-dcs-error-message-exceeded-the-tombstone-lifetime?forum=winserverDS

Prepare Schema for Exchange 2013 Migration while having Hybrid Integration with Exchange 2010

In an interesting situation I had an environment with two DCs and Exchange 2010 that I had earlier set up for hybrid integration with Office 365, as a demonstration on a trial subscription. I never removed the integration after the test; the trial expired and the tenant was deleted.

Next I intended to upgrade the existing Exchange 2010 to Exchange 2013 and set up coexistence between them, but I got stuck at preparing the AD schema for Exchange 2013. Running the schema preparation failed with the following error:

Setup /PrepareSchema /IAcceptExchangeServerLicenseTerms

Welcome to Microsoft Exchange Server 2013 Cumulative Update 8 Unattended Setup

Copying Files...
File copy complete. Setup will now collect additional information needed for installation.

Performing Microsoft Exchange Server Prerequisite Check

Prerequisite Analysis FAILED

A hybrid deployment with Office 365 has been detected. Please ensure that you are running setup with the /TenantOrganizationConfig switch. To use the TenantOrganizationConfig switch you must first connect to your Exchange Online tenant via PowerShell and execute the following command: "Get-OrganizationConfig | Export-Clixml -Path MyTenantOrganizationConfig.XML". Once the XML file has been generated, run setup with the TenantOrganizationConfig switch as follows "/TenantOrganizationConfig MyTenantOrganizationConfig.XML".

If you continue to see this message then it indicates that either the XML file specified is corrupt, or you are attempting to upgrade your on-premises Exchange installation to a build that isn't compatible with the Exchange version of your Office 365 tenant. Your Office 365 tenant must be upgraded to a compatible version of Exchange before upgrading your on-premises Exchange installation. For more information, see: http://go.microsoft.com/fwlink/?LinkId=262888

For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.DidTenantSettingCreatedAnException.aspx

The Exchange Server setup operation didn't complete. More details can be found in ExchangeSetup.log located in the <SystemDrive>:\ExchangeSetupLogs folder.

 

The Office 365 hybrid configuration was still present in my Exchange console, and since the tenant no longer existed I could not follow Microsoft's steps of connecting to Exchange Online and exporting the tenant OrganizationConfig XML. So I had to remove the hybrid configuration manually.

First I connected to the EMC and removed everything the Hybrid Configuration Wizard had created:

1- Organization Relationships

2- Federation Trust

3- Remote Domains (the ones the wizard added for the tenant)

4- Accepted Domains (only the coexistence domain the wizard added, typically <tenant>.mail.onmicrosoft.com; leave your production domains alone)

5- Send and Receive Connectors (only the Office 365 connectors the wizard created, not the connectors your normal mail flow depends on)

Lastly the Hybrid Configuration object itself. Since the Remove-HybridConfiguration cmdlet would not remove the Hybrid Configuration object from AD in my case, the only remaining option was ADSI Edit.

In ADSI Edit, connect to the Configuration naming context and navigate to Configuration > Services > Microsoft Exchange > First Organization (the name of your Exchange organization), then delete "CN=Hybrid Configuration".

Then restart the Microsoft Exchange Service Host service (MSExchangeServiceHost).
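As an added example (not part of the original post), the following Exchange Management Shell script inventories the objects the Hybrid Configuration Wizard typically leaves behind, so the manual removal above can be checked against a list, and then dry-runs the removals with -WhatIf. The name patterns ("Office 365", "Hybrid Domain", onmicrosoft.com) are the wizard's defaults and are assumptions; adjust them to your tenant. The HybridConfiguration object is listed only, since the post removes it with ADSI Edit.

```powershell
# Added example (not from the original post): inventory the objects the Hybrid
# Configuration Wizard created, then dry-run the removals with -WhatIf.
# Run in the Exchange Management Shell on the on-premises server.
# Assumption: the wizard's default naming ("Office 365" / "O365" in connector and
# relationship names, "Hybrid Domain" remote domains, a <tenant>.mail.onmicrosoft.com
# accepted domain). Adjust $namePattern / $tenantDom if your tenant used other names.
$namePattern = 'Office 365|O365|Hybrid Domain'
$tenantDom   = 'onmicrosoft\.com'

$orgRels  = Get-OrganizationRelationship | Where-Object {
    $_.Name -match $namePattern -or (($_.DomainNames | ForEach-Object { "$_" }) -join ',') -match $tenantDom }
$trusts   = Get-FederationTrust          # referenced by the organization relationship; remove only if nothing else federates through it
$remote   = Get-RemoteDomain   | Where-Object { $_.Name -match $namePattern -or "$($_.DomainName)" -match $tenantDom }
$accepted = Get-AcceptedDomain | Where-Object { "$($_.DomainName)" -match $tenantDom }   # never your production domains
$send     = Get-SendConnector  | Where-Object {
    $_.Name -match $namePattern -or (($_.AddressSpaces | ForEach-Object { "$_" }) -join ',') -match $tenantDom }
$receive  = Get-ReceiveConnector | Where-Object { $_.Name -match $namePattern }
$hybrid   = Get-HybridConfiguration      # listed only; the post deletes this object with ADSI Edit

# Plain array of hashtables so the order is stable on Windows PowerShell 2.0 as well.
$inventory = @(
    @{ Type = 'OrganizationRelationship'; Items = $orgRels },
    @{ Type = 'FederationTrust';          Items = $trusts },
    @{ Type = 'RemoteDomain';             Items = $remote },
    @{ Type = 'AcceptedDomain';           Items = $accepted },
    @{ Type = 'SendConnector';            Items = $send },
    @{ Type = 'ReceiveConnector';         Items = $receive },
    @{ Type = 'HybridConfiguration';      Items = $hybrid }
)
foreach ($entry in $inventory) {
    $names = @($entry.Items | Select-Object -ExpandProperty Name)
    "{0,-26} {1}" -f $entry.Type, $(if ($names.Count) { $names -join '; ' } else { '(none)' })
}

# Dry run in dependency order: the relationship before the trust it references,
# then domains and connectors. Replace -WhatIf with -Confirm:$false to execute.
$orgRels  | Remove-OrganizationRelationship -WhatIf
$trusts   | Remove-FederationTrust -WhatIf
$remote   | Remove-RemoteDomain -WhatIf
$accepted | Remove-AcceptedDomain -WhatIf
$send     | Remove-SendConnector -WhatIf
$receive  | Remove-ReceiveConnector -WhatIf
```

Review the printed inventory before running anything without -WhatIf: an accepted domain or send connector that matches by accident and gets removed breaks mail flow for real users.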

 

Now I tried the schema preparation again, but got a different error:

Extending Active Directory schema FAILED

The following error was generated when "$error.Clear(); install-ExchangeSchema -LdapFileName ($roleInstallPath + "Setup\Data\"+$RoleSchemaP refix + "schema0.ldf")" was run: "Microsoft.Exchange.Configuration.Tasks.TaskException: There was an error while running 'ldifde.exe' to import the schema file 'C:\Windows\Temp\ExchangeSetup\Setup\Data\PostExchange2003_schema0.ldf'. The error code is: 8224. More details can be found in the error file: 'C:\Users\Administrator.DEMOTESAS\AppData\Local\Temp\2\ldif.err' at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl) at Microsoft.Exchange.Management.Deployment.InstallExchangeSchema.ImportSchemaFile(String schemaMasterServer, String schemaFilePath, String macroName, String macroValue, WriteVerboseDelegate writeVerbose) at Microsoft.Exchange.Management.Deployment.InstallExchangeSchema.InternalProcessRecord() at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b() at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)". The Exchange Server setup operation didn't complete. More details can be found in ExchangeSetup.log located in the <SystemDrive>:\ExchangeSetupLogs folder.

 

The ldif.err file named in the error showed that the schema import failed because the schema change could not be replicated to the other replication partner, which made sense: my additional DC was still turned off.

After turning the other DC back on, there was a second problem: it had been off for so long that its tombstone lifetime had expired and it would not replicate, so that had to be fixed first. I have published that part as a separate article; please click here to see how the replication issue was fixed.

With both DCs replicating again, the schema preparation completed and the issue was fixed.

Hope someone finds this useful.

Exchange 2007/2010 doesn't show new DC (2012) servers after adding them as additional DCs

Symptoms

In an environment with a single existing DC, after adding Windows Server 2012 R2 servers as additional DCs, Exchange 2007/2010 does not show or use the new servers even though they are also global catalogs.

 

Research:

To locate the problem, look for event ID 2080 (source MSExchange ADAccess) in the Application log on the Exchange server. It lists the DCs that Exchange discovered and, for each, the checks Exchange ran against it, including the "SACL right" column: whether the Exchange servers hold the "Manage auditing and security log" right on that DC. Exchange will not use a DC where that column is 0.

In the screenshot below, the SACL right was missing on the new DCs because of a GPO problem.

 

Sites and replication checked out healthy, with no issue there.

Environment: three DCs (two Windows Server 2012 and one Windows Server 2003) and Exchange 2010 SP3 servers.

Reason:

The Default Domain Controllers Policy was not linked to the Domain Controllers OU. Exchange setup grants the "Manage auditing and security log" right (SeSecurityPrivilege) to the Exchange Servers group through that policy, so the new DCs never received it.

Resolution:

After linking the Default Domain Controllers Policy back to the Domain Controllers OU and refreshing policy on the DCs, the right was granted and the SACL column in event 2080 changed to 1 for the new DCs.

Exchange now reports healthy and can use the new DCs, which lets us demote the old one. After removing the old DC, Exchange still discovered the remaining (new) DCs without errors.
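As an added example (not part of the original post), the following PowerShell parses the DC table from an MSExchange ADAccess event 2080 message and flags every DC whose SACL right column is 0. The sample message is constructed to match the event's layout (the column order is the one the event header lists); the same function works on the live event, and the last comment shows how to confirm the right on the DC itself.

```powershell
# Added example (not from the original post): parse the DC table in event 2080
# (MSExchange ADAccess) and flag DCs for which the "SACL right" column is 0,
# i.e. the Exchange computer account lacks "Manage auditing and security log"
# (SeSecurityPrivilege) on that DC. Needs Windows PowerShell 3.0 or later.

function Get-AdAccessDcStatus {
    param([Parameter(Mandatory)][string]$Message)

    # Column order in event 2080 after the server name:
    # Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version
    $names = 'Enabled','Reachability','Synchronized','GcCapable','Pdc','SaclRight','CriticalData','Netlogon','OsVersion'
    $section = ''
    foreach ($line in $Message -split "`r?`n") {
        $line = $line.Trim()
        if ($line -match '^(In-site|Out-of-site):$') { $section = $Matches[1]; continue }
        # e.g.  dc1.demo.local   CDG 1 7 7 1 0 1 1 7 1   (older Exchange builds omit the last column)
        if ($line -match '^(?<host>\S+)\s+(?<roles>[CDG-]{3})\s+(?<vals>(\d+\s*){8,9})$') {
            $vals = @(($Matches['vals'] -split '\s+') | Where-Object { $_ -ne '' })
            $row  = [ordered]@{ Site = $section; Server = $Matches['host']; Roles = $Matches['roles'] }
            for ($i = 0; $i -lt [Math]::Min($names.Count, $vals.Count); $i++) { $row[$names[$i]] = [int]$vals[$i] }
            [pscustomobject]$row
        }
    }
}

# Constructed sample: two new 2012 DCs without the right, one 2003 DC (the PDC) with it.
$sample = @"
Process MSEXCHANGEADTOPOLOGY (PID=1234). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
 (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
dc2012a.demo.local   CDG 1 7 7 1 0 0 1 7 1
dc2012b.demo.local   CDG 1 7 7 1 0 0 1 7 1
dc2003.demo.local    CDG 1 7 7 1 1 1 1 7 1
Out-of-site:
"@

$status = Get-AdAccessDcStatus -Message $sample
$status | Format-Table Site, Server, Roles, SaclRight, Pdc, GcCapable -AutoSize
$status | Where-Object { $_.SaclRight -eq 0 } | ForEach-Object {
    "WARNING: $($_.Server) does not grant 'Manage auditing and security log' to the Exchange servers; Exchange will not use it."
}

# Live version, on the Exchange server: newest 2080 event from the Application log.
#   $live = Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='MSExchange ADAccess'; Id=2080 } -MaxEvents 1
#   Get-AdAccessDcStatus -Message $live.Message | Where-Object { $_.SaclRight -eq 0 }

# To confirm the right directly on a DC (run there): export the user-rights area and look at SeSecurityPrivilege.
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   Select-String SeSecurityPrivilege "$env:TEMP\rights.inf"
```

If the secedit export on the DC does not list the Exchange Servers group's SID next to SeSecurityPrivilege, the GPO that should grant it (the Default Domain Controllers Policy by default) is not applying to that DC, which is exactly the situation described above.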

 

 

Hope you find this useful.

Ref:

http://blogs.technet.com/b/richardroddy/archive/2010/06/16/msexchange-adaccess-dsaccess-errors-and-the-manage-auditing-and-security-right.aspx

Active Directory Migration 2003 to 2012 R2

Current Environment

Microsoft Active Directory 2003 with Exchange 2010

Requirements for migration

1- A new Windows Server 2012 R2 server, fully patched.

2- Join the new server to the existing 2003 domain.

 

 

Installing DC role

Install the AD DS role on the new server and promote it as an additional DC in the existing domain.

Next, migrate the AD operations master (FSMO) roles to the new DC. The simplest way to move them is PowerShell; with the Server 2012 AD module this can be done from any machine that has it. First view the current role holders:

PS C:\> netdom query fsmo

 

Then move all five roles to the new DC (here "dc1"):

Move-ADDirectoryServerOperationMasterRole -Identity "dc1" -OperationMasterRole 0,1,2,3,4

The numbers stand for PDCEmulator (0), RIDMaster (1), InfrastructureMaster (2), SchemaMaster (3) and DomainNamingMaster (4).

 

Make sure that all the roles have moved:

netdom query fsmo
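As an added example (not part of the original post), the following PowerShell does the same transfer with the roles spelled out by name, refuses to proceed if the target DC has replication failures, and verifies afterwards that every role landed on the new DC. It assumes the new 2012 R2 DC is called DC2012 and that the RSAT ActiveDirectory module is available.

```powershell
# Added example (not from the original post): transfer the five FSMO roles to
# the new DC by name, after checking that the target replicates cleanly, and
# verify the result. Assumes the new 2012 R2 DC is called DC2012 and the RSAT
# ActiveDirectory module; run as Enterprise Admin (Schema Master and Domain
# Naming Master are forest-wide roles).
Import-Module ActiveDirectory

function Get-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

$newDc = 'DC2012'

"Before:"; Get-FsmoHolders | Format-List

# Never transfer onto a DC that is not replicating: the transfer is itself a
# replicated change, and a stale PDC emulator is how you end up with two.
$failures = Get-ADReplicationFailure -Target $newDc -Scope Server
if ($failures) {
    $failures | Format-Table Server, Partner, FailureCount, LastError -AutoSize
    throw "$newDc has replication failures; fix them before moving roles."
}

# Named roles read better than 0..4. Move-* is a transfer (the current holder
# agrees); only add -Force to seize from a DC that is permanently gone, and
# never bring that DC back online afterwards.
Move-ADDirectoryServerOperationMasterRole -Identity $newDc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

# Push the change to every partner, then confirm all five roles moved.
repadmin /syncall /AdeP | Out-Null
$after = Get-FsmoHolders
"After:"; $after | Format-List

$notMoved = $after.PSObject.Properties | Where-Object { $_.Value -notlike "$newDc.*" -and $_.Value -ne $newDc }
if ($notMoved) { throw "Roles still elsewhere: $(($notMoved | ForEach-Object Name) -join ', ')" }
```

The replication check matters most for the PDC emulator: the old DC keeps acting as PDC until it learns of the transfer, so moving the role while replication is broken leaves both DCs claiming it.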

 

Adding second DC

Reference:

https://technet.microsoft.com/en-us/library/ee617229.aspx?f=255&MSPPError=-2147217396

After adding the second DC, repadmin reported the following for it:

Source: Default-First-Site-Name\DC2
******* 1 CONSECUTIVE FAILURES since 2015-03-23 19:37:45
Last error: 8524 (0x214c):
The DSA operation is unable to proceed because of a DNS lookup failure.
Naming Context: CN=Configuration,DC=kibtek,DC=local
Source: Default-First-Site-Name\DC2
******* WARNING: KCC could not add this REPLICA LINK due to error.
Naming Context: CN=Schema,CN=Configuration,DC=kibtek,DC=local
Source: Default-First-Site-Name\DC2
******* WARNING: KCC could not add this REPLICA LINK due to error.
Naming Context: DC=kibtek,DC=local
Source: Default-First-Site-Name\DC2
******* WARNING: KCC could not add this REPLICA LINK due to error.

Resolution:

After promoting the new DC you will see this error until its initial replication with the PDC emulator and schema master has finished. Make sure the new DC's DNS client points at a DNS server that hosts the domain's _msdcs records (the existing DC) rather than only at itself, then use repadmin /syncall to speed up the sync.

After moving the PDC emulator and schema master roles to the new DC, I shut down the old DC as a test. On the Exchange 2010 server you might then get the following error in the Exchange Management Console:

Current deployment

  1. Exchange 2010
  2. New DC 2012 R2, with another additional DC newly installed.
  3. Two 2008 R2 DCs, shut down for testing.

Problem:

After you shut down or demote the old PDC emulator / schema master, the Exchange Management Console fails to retrieve any Exchange information with the error "An error caused a change in the current set of Active Directory Server settings. Restart Exchange Management console."

Cause

The Exchange Management Console caches the domain controller settings in the user's profile for quick access, so whenever you open EMC from an existing Exchange admin profile it keeps pointing at the old DC and fails with the same error.

Resolution:

Close EMC, navigate to the following folder and delete the Exchange Management Console settings file, then reopen EMC and you should be done:

%userprofile%\AppData\Roaming\Microsoft\MMC\Exchange Management Console

 

Hope this was useful.

Domain Controller Cross Forest migration Part 3 (ADMT Installation)

ADMT 3.2 installation

Requirements

  1. SQL Server 2008 SP2 (Express or full)
  2. Windows 2012/R2 or Windows 2008 R2 for ADMT
  3. Install PES (Password Export Server) on a source DC to migrate passwords

http://blogs.technet.com/b/askds/archive/2010/07/09/admt-3-2-common-installation-issues.aspx

  • The server where you install ADMT can run any supported version of Windows Server, including Windows Server 2012 R2 and Windows Server 2012.
  • The source and destination domain controllers must be writeable, but they can run any supported version of Windows Server with a user interface (not Server Core), including Windows Server 2012 R2 and Windows Server 2012.
  • The source and destination domains must be at Windows Server 2003 domain functional level or higher.
  • The computers that can be migrated can run any supported version of Windows, including Windows 8.1.
  • You can use any version of SQL Server for the ADMT database.

From <https://technet.microsoft.com/en-us/library/active-directory-migration-tool-versions-and-supported-environments(v=ws.10).aspx>

 

ADMT user permissions (minimum permissions for an inter-forest migration with SID history):

From <https://social.technet.microsoft.com/Forums/windowsserver/en-US/fe44cdd4-ef11-4d73-801d-f37939d756bd/minimum-permissions-needed-for-admt-32-when-doing-an-interforest-migration-with-sid-history?forum=winserverMigration>

 

ADMT Migration Account

The account you run ADMT under needs administrative rights in both the source and the destination domain. You can create a user specifically for the migration or use an existing one, e.g. the default administrator account. I will create a user called ADMT and assign it the required permissions; this is the account used for the entire migration.

It is recommended to create the account in the destination domain and make it a member of Domain Admins there. Treat it as a tier-0 account: it is an administrator in two forests at once and, with PES, handles password hashes. Use it only from the ADMT server, give it a strong password, and disable or delete it when the migration is finished.

Destination Domain:

In the source domain add the same user to the built-in Administrators group (Domain Admins is a global group and cannot contain accounts from another forest; Builtin\Administrators is domain local and can).

Source Domain:

Installing ADMT

Install ADMT and SQL onto a member server in the destination forest, using the ADMT service account described above.

ADMT requires a preconfigured instance of SQL Server for its underlying data store, so we will first install SQL Server 2008 Express on ADMT.contoso.com.

 

Installing SQL Express 2008 SP2

SQL Express download here: https://www.microsoft.com/en-us/download/details.aspx?id=30438

Cause

The error that SQL Express setup produced is purely within SQL Server 2008 Express setup and has nothing to do with ADMT 3.2. It is fixed in "Cumulative update package 4 for SQL Server 2008".

Unhelpfully, KB975055 describes this error as affecting only Windows 7 and as fixed by SP1; both are incorrect. The issue also affects Windows Server 2008 R2 and is only fixed by the cumulative update.

Resolution

Before installing SQL Server 2008 Express with SP1 (which would otherwise fail), first install Cumulative update package 4 for SQL Server 2008:

http://support.microsoft.com/kb/963036

Set an account for the SQL service to run under (the ADMT service account). Be aware that this means the SQL service runs as a domain admin of the destination forest; keep the ADMT server locked down like a domain controller for the duration of the migration.

Set a SQL administrator: choose the user account you plan to run ADMT under. Be aware that this account also needs local administrative rights in the source domain (discussed further in the series).

Download ADMT 3.2

https://onedrive.live.com/redir?resid=82488EABA4ACDB15!33497&authkey=!AF3kLtU8fl2_B0I&ithint=file%2cexe

Installing ADMT

For this series I will be using ADMT 3.2, which is the supported version for Server 2008 R2. Use ADMT 3.1 on a Server 2008 (non-R2) server, or ADMT 3.0 for Server 2003. If you need to migrate a Windows 2000 domain, you will need ADMT 3.1 or earlier.

Update June 2014: ADMT 3.2 now supports Windows Server 2012 / 2012 R2.

Hope this helps, please stay tuned for the next part.

 

Domain Controller Cross Forest migration Part 2

Current environment on the LAB.com DC

  1. Additional DC2
  2. SCVMM
  3. SCVMM SQL
  4. Exchange
  5. SCMM
  6. SCMM SQL

Migration plan

AD 2012 R2 (LAB.com) to AD 2012 R2 (Contoso.com).

In this second part of the series (DC cross-forest migration) I will demonstrate the major steps required for the migration from the old forest (lab.com) to the new forest (Contoso.com).

NOTE:

The SQL Servers and the applications on them cannot be migrated with ADMT, due to SQL permissions and schema mismatch.

 

Requirements:

The destination forest and domain functional levels must be at least Windows Server 2003 for ADMT 3.2 (Microsoft's documented minimum, quoted in Part 3); in this lab both forests are 2012 R2.

A health check must be performed on the FSMO role holders to make sure everything functions properly on the source side: PDC emulator, schema master, etc.

The checks I will perform are:

  1. Replication (in case there is more than one DC in the source forest).
  2. DC health (dcdiag).
  3. Reachability of the PDC emulator.

netdom query fsmo (this command shows exactly which DC in the source forest holds each role)

 

1- To check replication use the repadmin command line, which checks replication between sites and DCs and reports any errors. With a single DC in place, the following output should be printed.

Repadmin.exe helps administrators diagnose Active Directory replication problems between domain controllers running Microsoft Windows operating systems.

https://technet.microsoft.com/en-us/library/cc770963.aspx

2- Check DC health using the dcdiag tool

Dcdiag analyzes the state of domain controllers in a forest or enterprise and reports any problems to help with troubleshooting.

https://technet.microsoft.com/en-us/library/cc731968.aspx

There are multiple tests that dcdiag can run depending on the parameter used. I will start with the DNS test.

If DNS is healthy it should show as follows, and we can continue to the next test.

For an extensive test, add the /v parameter and redirect the output to a file (>c:\dcdiag.txt) so you can go through it line by line.

If everything looks good and healthy we move on to the next step, DNS configuration.


DNS Configuration

Preparation:

  1. DNS name resolution between both forests
  2. Installing Windows 2008 R2 for ADMT 3.2
  3. Setting up the forest trust

1. DNS name resolution between the source and target domains

For the trust to be created, each forest's DNS must be able to resolve the other forest's namespace. You can either create conditional forwarders (each DNS server forwards queries for the other domain to that domain's DNS servers; no zone data is copied) or create secondary zones (each DNS server pulls a read-only copy of the other domain's zone through a zone transfer), in both directions.

In my case I went for secondary zones, so on each DNS server I had to allow the zone to be transferred.

Note:

Restrict zone transfers to the specific IPs of the source and destination DNS servers (and any other DNS servers that need a copy). Allowing transfers to any server hands your entire host list to anyone who can reach port 53.

Now I have created the secondary zone and am resolving FQDNs from the source server, as in the snapshot below.

The same is done on the destination server.

Checking name resolution for both domains:

Once nslookup works as expected from both servers, we go ahead with creating the forest trust between both forests.




Creating the forest trust between the source and destination domains.

NOTE:

For the trust to be created, the PDC emulator of each domain must be reachable from the other side; the trust objects are written on the PDC emulator.

1. Open Active Directory Domains and Trusts, right-click the domain and click Properties, then use the Trusts tab to create the new forest trust.

 

After creating the trust, validate it to make sure it is confirmed in both directions.

Now that the trust is created and validated both ways, we add a GPO that puts both domain names in the clients' DNS suffix search list, so that single-label names resolve across the two forests.


Updating the DNS suffix search list:

To add the source and destination domain suffixes to the DNS suffix search list, open Group Policy Management on the destination domain (Contoso.com). Right-click Default Domain Policy and choose Edit (a dedicated GPO linked at the domain root is the cleaner choice, but the setting is the same).

Go to Computer Configuration > Policies > Administrative Templates > Network > DNS Client.

Double-click "DNS Suffix Search List", enable it and enter the suffixes.

Click OK and apply the policy; the settings report should show the suffix list.

Once the policy has applied on all clients you should have no problem resolving names in either forest; it shows up first on the DC where you applied the policy.
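As an added example (not part of the original post), the following PowerShell does the DNS and suffix-list steps above from the destination DC (contoso.com): the secondary zone with zone transfers restricted to the one peer, the conditional-forwarder alternative, the DC locator check that the trust actually depends on, and the suffix search list as a dedicated GPO. The IP addresses and GPO name are assumptions; the trust itself is left to the GUI steps above.

```powershell
# Added example (not from the original post): the DNS and suffix-list steps done
# from PowerShell on the destination DC (contoso.com), plus the checks.
# Assumed addresses: 10.0.0.10 = lab.com DC (source), 10.0.1.10 = contoso.com DC
# (destination). Needs the DnsServer, GroupPolicy and ActiveDirectory modules
# (RSAT on Windows Server 2012 R2).
Import-Module DnsServer, GroupPolicy, ActiveDirectory

$sourceZone = 'lab.com';     $sourceDns = '10.0.0.10'
$targetZone = 'contoso.com'; $targetDns = '10.0.1.10'

# Option A (what the post used): a secondary copy of the other forest's zone.
# The source side must allow transfers to us, and only to us; a zone that
# transfers to "any server" hands out the whole host inventory.
#   On the source DC:  Set-DnsServerPrimaryZone -Name lab.com -SecureSecondaries TransferToSecureServers -SecondaryServers 10.0.1.10
Add-DnsServerSecondaryZone -Name $sourceZone -ZoneFile "$sourceZone.dns" -MasterServers $sourceDns

# Option B (no zone copy): forward queries for the other namespace instead.
#   Add-DnsServerConditionalForwarderZone -Name $sourceZone -MasterServers $sourceDns -ReplicationScope Forest

# Our own zone: allow transfers only to the source DC that hosts the reverse arrangement.
Set-DnsServerPrimaryZone -Name $targetZone -SecureSecondaries TransferToSecureServers -SecondaryServers $sourceDns

# The trust and Kerberos need the other forest's DC locator SRV records, not
# just A records, so test those rather than a plain nslookup of a host name.
foreach ($zone in $sourceZone, $targetZone) {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$zone" -Type SRV -Server $targetDns -ErrorAction Stop
    "{0}: {1}" -f $zone, (($srv | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget }) -join ', ')
}

# DNS suffix search list via GPO: the same setting the post enables in the GUI
# (Computer Configuration > Policies > Administrative Templates > Network > DNS Client >
# DNS Suffix Search List), which is the SearchList value under the DNSClient policy key.
# A dedicated GPO at the domain root rather than editing the Default Domain Policy.
$gpoName = 'Cross-Forest DNS Suffixes'
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | New-GPLink -Target (Get-ADDomain).DistinguishedName | Out-Null
}
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
    -ValueName 'SearchList' -Type String -Value "$targetZone,$sourceZone" | Out-Null
Get-GPRegistryValue -Name $gpoName -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -ValueName 'SearchList'
```

Run the mirror image of the zone commands on the lab.com DC (secondary zone for contoso.com, transfers allowed only to 10.0.1.10) so that both sides resolve each other; the SRV check then has to succeed for both zones from both DCs before the trust wizard is started.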

 

Hope you find this helpful and stay tuned for the next part.

Domain Controller Cross Forest migration Part 1

In this series of articles I will demonstrate a cross-forest migration for Microsoft Active Directory 2012 R2.

Before starting, I review the current environment and check what is there, what can be migrated and what cannot.

 

Revisions:

  1. Check whether the environment uses old cryptographic algorithms that are not supported during the migration, e.g. certification authorities still issuing SHA-1 certificates with 1024-bit keys.
  2. Group Policy folder redirection and user profile settings may be overridden by SCCM. To rule this out, one option in the SCCM console needs to be checked and, if enabled, disabled:

Under the SCCM Configuration Manager console,

– Select Administration

– Select Client Settings

– Open the properties of the Default Client Settings and click Compliance Settings

From <http://blogs.technet.com/b/askds/archive/2013/12/13/an-update-for-admt-and-a-few-other-things-too.aspx>

– "Enable User Data and Profiles" is the setting that controls Folder Redirection and Remote User Profiles. By default it is set to No. Once enabled (set to Yes), control of Folder Redirection, Offline Files and Remote User Profiles passes to WMI and the configuration is stored under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\UserState\UserStateTechnologies\ConfigurationControls.

  3. TCP/IP crashes and errors: a hotfix was released to correct a crash in TCP/IP (see the reference below).

 

Ref:

http://blogs.technet.com/b/askds/archive/2013/12/13/an-update-for-admt-and-a-few-other-things-too.aspx

 

Hardware Requirements

  1. A Windows 2008 R2 DC in the destination forest.
  2. A Windows 2012 R2 server for ADMT, with SQL Server 2008 R2 Express or SQL Server 2012 (Express or full).

Reference:

https://support.microsoft.com/en-us/kb/2753560

 

Software Requirements

1- Rights Management Services Analyzer Tool

From <http://www.microsoft.com/en-us/download/details.aspx?id=46437>

RMS Analyzer provides the following features:

• Support for Azure RMS and AD RMS diagnostics

• Prerequisite checks for Azure RMS integration (such as any required hotfixes, registry key settings, Microsoft Online Sign-In Assistant)

• Ability to collect trace logs to capture real-time problems

• Diagnostics and remediation for Office 2013 and Office 2010

• Basic diagnostics for federation services

• Group membership check, based on groups and policy templates

• Display of your RMS configuration settings and verification tests to validate service health for RMS

• Ability to monitor multiple servers and find all RMS servers in trusted forests

2- Password Export Server (PES) – x64

http://www.microsoft.com/en-us/download/details.aspx?id=46437

3- Active Directory Migration Tool (ADMT) QFE – x86

https://connect.microsoft.com/site1164/content/content.aspx?ContentID=30561&IsDraft=False

 

I will publish the next parts as soon as I am done with them. Stay tuned.

 

Upgrade Microsoft Domain Controller 2008 R2 to DC 2012 R2 with Exchange 2010 in the current environment.

Prerequisites:
1- Windows 2012 R2, fully patched
2- The new Windows 2012 R2 server joined to the existing 2008 R2 domain

Once the prerequisites are ready, start Server Manager, click Add roles and features, add the AD DS role and follow the instructions below. Install the role and then configure it as follows, adding the server to the existing domain as an additional DC.

Next, migrate the AD operations master (FSMO) roles to the new DC. The simplest way to move them is PowerShell; with the Server 2012 AD module this can be done from any machine that has it. First view the current role holders:
PS C:\> netdom query fsmo
Then move all five roles to the new DC (here "dc1"):
Move-ADDirectoryServerOperationMasterRole -Identity "dc1" -OperationMasterRole 0,1,2,3,4
The numbers stand for PDCEmulator (0), RIDMaster (1), InfrastructureMaster (2), SchemaMaster (3) and DomainNamingMaster (4).
Make sure that all the roles have moved:
netdom query fsmo
Adding second DC
Reference:
https://technet.microsoft.com/en-us/library/ee617229.aspx?f=255&MSPPError=-2147217396
After adding the second DC, repadmin reported the following for it:
Source: Default-First-Site-Name\DC2
******* 1 CONSECUTIVE FAILURES since 2015-03-23 19:37:45
Last error: 8524 (0x214c):
The DSA operation is unable to proceed because of a DNS lookup failure.
Naming Context: CN=Configuration,DC=kibtek,DC=local
Source: Default-First-Site-Name\DC2
******* WARNING: KCC could not add this REPLICA LINK due to error.
Naming Context: CN=Schema,CN=Configuration,DC=kibtek,DC=local
Source: Default-First-Site-Name\DC2
******* WARNING: KCC could not add this REPLICA LINK due to error.
Naming Context: DC=kibtek,DC=local
Source: Default-First-Site-Name\DC2
******* WARNING: KCC could not add this REPLICA LINK due to error.
Resolution:
After promoting the new DC you will see this error until its initial replication with the PDC emulator and schema master has finished. Make sure the new DC's DNS client points at a DNS server that hosts the domain's _msdcs records (the existing DC) rather than only at itself, then use repadmin /syncall to speed up the sync.
After moving the PDC emulator and schema master roles to the new DC, I shut down the old DC as a test. On the Exchange 2010 server you might then get the following error in the Exchange Management Console:
Current deployment

  1. Exchange 2010
  2. New DC 2012 R2, with another additional DC newly installed.
  3. Two 2008 R2 DCs, shut down for testing.

Problem:
After you shut down or demote the old PDC emulator / schema master, the Exchange Management Console fails to retrieve any Exchange information with the error "An error caused a change in the current set of Active Directory Server settings. Restart Exchange Management console."
Cause
The Exchange Management Console caches the domain controller settings in the user's profile for quick access, so whenever you open EMC from an existing Exchange admin profile it keeps pointing at the old DC and fails with the same error.
Resolution:
Close EMC, navigate to the following folder and delete the Exchange Management Console settings file, then reopen EMC:
%userprofile%\AppData\Roaming\Microsoft\MMC\Exchange Management Console

Hope this was useful.

Change Password Policy for AD and domain users

To change the domain password policy, first open Group Policy Management, which is located under "Administrative Tools" on your DC.

Right-click "Default Domain Policy" and choose Edit to change the password policy for all users in the domain. This opens the Group Policy Management Editor, where you navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy; there you can adjust the complexity requirement or any of the other settings.

In my case I simply wanted to disable "Password must meet complexity requirements", so that is the setting I changed. Keep in mind that this weakens every account in the domain, including service and admin accounts. If only some accounts need a different policy, a fine-grained password policy (a Password Settings Object applied to a group) is the better tool and leaves the domain default untouched.

After changing the policy, refresh it on the domain controllers with gpupdate /force.

Password policy is enforced by the domain controllers, so domain-joined clients do not need a restart; the new rules take effect the next time a user's password is set or changed.
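As an added example (not part of the original post), the following PowerShell shows the domain default policy that the steps above change and, as the alternative for the case where only some accounts need relaxed rules, creates a fine-grained password policy scoped to one group and shows the resultant policy for a member and a non-member. The group name Lab-TestAccounts, the user testuser and the PSO values are assumptions; a Windows Server 2008 or later domain functional level is required.

```powershell
# Added example (not from the original post): inspect the domain default policy
# and, instead of relaxing it for everyone, scope a different policy to one
# group with a fine-grained password policy (PSO). Requires Windows Server 2008
# domain functional level and the RSAT ActiveDirectory module. The group
# 'Lab-TestAccounts', the user 'testuser' and the values are assumptions.
Import-Module ActiveDirectory

# What everyone gets today; this is what editing the Default Domain Policy changes.
Get-ADDefaultDomainPasswordPolicy |
    Format-List ComplexityEnabled, MinPasswordLength, MaxPasswordAge, PasswordHistoryCount, LockoutThreshold

$psoName = 'Lab-TestAccounts-PSO'
$group   = 'Lab-TestAccounts'

if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    # Lower Precedence wins when a user is covered by several PSOs. Complexity is
    # off here, so the length requirement is raised to compensate.
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 100 `
        -ComplexityEnabled $false -MinPasswordLength 12 `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90) `
        -PasswordHistoryCount 24 -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30)
    # PSOs apply to users and global security groups, never to OUs.
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group
}

# Effective policy: a member of the group gets the PSO, everyone else keeps the
# Default Domain Policy (Get-ADUserResultantPasswordPolicy returns nothing then).
Get-ADUserResultantPasswordPolicy -Identity 'testuser' |
    Select-Object Name, Precedence, ComplexityEnabled, MinPasswordLength, MaxPasswordAge
if (-not (Get-ADUserResultantPasswordPolicy -Identity 'administrator')) {
    "administrator: no PSO applies, Default Domain Policy settings are in effect"
}
```

Because a PSO is read straight from the directory rather than applied through Group Policy, there is no gpupdate step; it is in force as soon as the subject is added.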

Prepare Active Directory Domain Service with 2012 R2 Powershell Script

If you plan to install Active Directory on several servers, you can speed things up with the following script, which is the one Server Manager itself generates (the "View script" button at the end of the promotion wizard). Copy it into Notepad, edit the domain name and the NetBIOS name, and save it with a .ps1 extension.

Note that Install-ADDSForest creates a brand new forest with the forest and domain mode given in the script. If you already have a DC and want to add another one to the existing domain, use Install-ADDSDomainController instead; the forest and domain mode then come from the existing forest and are not chosen here.


# Windows PowerShell script for AD DS Deployment
#

Import-Module ADDSDeployment
Install-ADDSForest `
    -CreateDnsDelegation:$false `
    -DatabasePath "C:\Windows\NTDS" `
    -DomainMode "Win2012" `
    -DomainName "moh10ly.com" `
    -DomainNetbiosName "Moh10ly" `
    -ForestMode "Win2012" `
    -InstallDns:$true `
    -LogPath "C:\Windows\NTDS" `
    -NoRebootOnCompletion:$false `
    -SysvolPath "C:\Windows\SYSVOL" `
    -Force:$true

Note: if you want a different computer name, change it and restart before you start the process below. You also need the AD DS role and its management tools installed before the script can run, since it imports the ADDSDeployment module:

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

When the role and tools are installed, drag and drop the .ps1 file into the PowerShell window and press Enter. The script immediately asks for the SafeModeAdministratorPassword: this is the Directory Services Restore Mode (DSRM) password, the only way to log on to the DC if the directory will not start, so record it somewhere safe.

After you press Enter it starts the installation process.

When finished, it tells you the server is going to be restarted automatically.

After the restart, this is how the full computer name looks.
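As an added example (not part of the original post), the following PowerShell is the counterpart of the script above for the case the post actually describes, adding a further DC to an existing domain: it runs the prerequisite test first and prompts for both the domain admin credential and the DSRM password so that nothing sensitive is stored in the file. The domain name is the one from the script above; the site name is an assumption.

```powershell
# Added example (not from the original post): the script above builds a new
# forest. This is the equivalent for adding a further DC to an existing domain.
# The domain name is taken from the script above; the site name is an
# assumption (check with Get-ADReplicationSite). Both passwords are prompted
# for so that nothing sensitive ends up saved in the .ps1 file.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

$domain = 'moh10ly.com'
$cred   = Get-Credential -Message "Domain Admin in $domain"
$dsrm   = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# Prerequisite check first: failing here is cheaper than a half-finished promotion.
Test-ADDSDomainControllerInstallation -DomainName $domain -Credential $cred `
    -SafeModeAdministratorPassword $dsrm -InstallDns | Format-List

Install-ADDSDomainController `
    -DomainName $domain `
    -Credential $cred `
    -SafeModeAdministratorPassword $dsrm `
    -InstallDns:$true `
    -CreateDnsDelegation:$false `
    -SiteName 'Default-First-Site-Name' `
    -NoGlobalCatalog:$false `
    -DatabasePath 'C:\Windows\NTDS' `
    -LogPath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' `
    -NoRebootOnCompletion:$false `
    -Force:$true

# After the reboot, from any DC, confirm the new DC is advertised and replicating:
#   Get-ADDomainController -Filter * | Select-Object HostName, Site, IsGlobalCatalog, OperationMasterRoles
#   repadmin /replsummary
```

Run it on the server that is to become the additional DC, with its DNS client pointed at an existing DC of moh10ly.com; the prerequisite test will report the DNS and credential problems that would otherwise surface only halfway through the promotion.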