Posts Tagged ‘domain controller’

Decommission problem in AD

January 30th, 2017 No comments

In long time I was asked to decommission one domain controller. It’s kinda straightforward process. But, yes again, I had a problem. When decommission process started I received error stated:”The operation failed because: Active Directory Domain Services could not configure the computer account DC_ACCOUNT$ on the remote Active Directory Domain Controller DC2_ACCOUNT$: “Access Denied.””.



I have checked my account and I was domain admin. My rights were alright.

Error “Access Denied” was interesting. Problem was checkbox called “Protect object from accidental deletion” on domain controller object which denied system to delete domain controller object:


To see this option you need to enable Advanced Features in Active Directory Users and Computers (dsa.msa) console.

Have a nice day,

Broken ForestPrep

March 19th, 2014 1 comment

Friend of mine tried to promote Windows Server 2012 into Windows Server 2003 SBS environment. He had installed Windows Server 2012 Server. He also installed role Active Directory Domain Services. When he tried to promote new installed Windows Server 2012 into existing SBS domain he received following error:

Error was generated while Windows Server 2012 tried to do preparation of AD forest. So I have tried to do it using command line:

So same error (Adprep could not retrieve data from the server through Windows Managment Instrumentation WMI). Some problem with WMI on existing domain controller. I have tried to rebuild WMI from scratch using this article. No luck. Message saying “Access is denied” was not true, because account used to run setup.exe /forestprep was Enterprise, Domain and Schema Admin. When I read this article I found out that DCOM has to be enabled and accessible when doing domain controller promotion. So I looked into configuration of old domain controller following way:

Run command dcomcnfg.exe

Browse down to Component Services -> Computers -> My Computer. Right click and select Properties. I found that DCOM was disabled:

So I enabled it with following settings:

…and I was able to promote Windows Server 2012 as a new domain controller. No more access or WMI errors.

This was really hard one to find out 🙂

Quickie: Remove Domain Controller role from Exchange 2007 server

January 29th, 2013 No comments

Last night I removed Domain Controller Role from Exchange 2007 server and we had problem in the morning with Exchange Outlook Web Access (OWA). We couldn’t log in at all. Symptomps:

  • Form based authentification was enabled, but Basic was proposed to clients instead
  • When users logged in they received 440 Login Timeout error

After couple minutes of googling I found this article which solved problem.

IMHO when computer was demoted from domain controller role it created local SAM database and didn’t use domain created accounts IUSR_ComputerName and IWAM_ComputerName.


DNS records for domain controller

January 7th, 2013 No comments

I always was wondering if there is any way to determine all DNS records NetLogon service registers in DNS server. This record list is located at %systemroot%\\system32\\config\\netlogon.dns.


_ldap._tcp.domain.local. 600 IN SRV 0 100 389 SERVER-DC1.domain.local.
_ldap._tcp.Site1._sites.domain.local. 600 IN SRV 0 100 389 SERVER-DC1.domain.local.
_ldap._tcp.gc._msdcs.domain.local. 600 IN SRV 0 100 3268 SERVER-DC1.domain.local.
_ldap._tcp.Site1._sites.gc._msdcs.domain.local. 600 IN SRV 0 100 3268 SERVER-DC1.domain.local. 600 IN SRV 0 100 389 SERVER-DC1.domain.local.
bcb148b0-c836-4847-bd55-3d3991821f76._msdcs.domain.local. 600 IN CNAME SERVER-DC1.domain.local.
_ldap._tcp.dc._msdcs.domain.local. 600 IN SRV 0 100 389 SERVER-DC1.domain.local.
_ldap._tcp.Site1._sites.dc._msdcs.domain.local. 600 IN SRV 0 100 389 SERVER-DC1.domain.local.
_gc._tcp.domain.local. 600 IN SRV 0 100 3268 SERVER-DC1.domain.local.
_gc._tcp.Site1._sites.domain.local. 600 IN SRV 0 100 3268 SERVER-DC1.domain.local.
_ldap._tcp.ForestDnsZones.domain.local. 600 IN SRV 0 100 389 SERVER-DC1.domain.local.
_ldap._tcp.Site1._sites.ForestDnsZones.domain.local. 600 IN SRV 0 100 389 SERVER-DC1.domain.local.
_ldap._tcp.DomainDnsZones.domain.local. 600 IN SRV 0 100 389 SERVER-DC1.domain.local.
_ldap._tcp.Site1._sites.DomainDnsZones.domain.local. 600 IN SRV 0 100 389 SERVER-DC1.domain.local.
_ldap._tcp.pdc._msdcs.domain.local. 600 IN SRV 0 100 389 SERVER-DC1.domain.local.
domain.local. 600 IN A
gc._msdcs.domain.local. 600 IN A
ForestDnsZones.domain.local. 600 IN A
DomainDnsZones.domain.local. 600 IN A
_kerberos._tcp.dc._msdcs.domain.local. 600 IN SRV 0 100 88 SERVER-DC1.domain.local.
_kerberos._tcp.Site1._sites.dc._msdcs.domain.local. 600 IN SRV 0 100 88 SERVER-DC1.domain.local.
_kerberos._tcp.domain.local. 600 IN SRV 0 100 88 SERVER-DC1.domain.local.
_kerberos._tcp.Site1._sites.domain.local. 600 IN SRV 0 100 88 SERVER-DC1.domain.local.
_kerberos._udp.domain.local. 600 IN SRV 0 100 88 SERVER-DC1.domain.local.
_kpasswd._tcp.domain.local. 600 IN SRV 0 100 464 SERVER-DC1.domain.local.
_kpasswd._udp.domain.local. 600 IN SRV 0 100 464 SERVER-DC1.domain.local.


This list can be used to import all required DNS records into DNS servers that don’t support dynamic updates.


Exchange not seeing all domain controllers from AD

November 30th, 2012 No comments

I had to solve interesting problem today at one of our customer. Here is a short preview of customer’s environment:

AD Topology

Customer has following 5 sites:

  • Site1 – containing 1 DC
  • Site2 – containing 1 DC (one has PDC FSMO role)
  • Site3 – containing 2 DCs. Let’s call this central site.
  • Site4 – containing 2 DCs. This site represents one datacenter (datacenter 1)
  • Site5 – containing 2 DCs. This site represents one datacenter (datacenter 2)

All domain controllers are Global Catalogs. Replication was set manually. It’s configured to be in star topology with median in Site3. For each connection was defined newInter-Site Transport in AD Sites.

AD Topology

AD Topology

Replication works fine. Exchange servers are able to resolve all domain controler. I have checked this using DNS and also nltest.

Exchange Topology

There are four Exchange 2012 servers. Two are CAS/HUB servers put into CAS Array. CAS Servers and CAS Array IP addresses belong to Site4 IP Subnet. And two Mailbox server that are put into DAG. Both mailbox server and DAG IP addresses are in Site4. Problem is that one CAS/HUB and one Mailbox server are physically located in Site4 and one CAS/HUB and one Mailbox server are located physically in Site5. Between Site4 and Site5 are L2 networks for CAS/HUB and Mailbox server.

Exchange topology

Exchange topology

Everything works fine. All IP subnets are assigned to Site4 which means all Exchange servers use primary Global Catalog functionality from domain controller from Site4. Idea from network/security guys was to allow Exchange servers to use Global Catalog just from domain controllers located in datacenters – Site4 and Site5. So firewalls don’t let Exchange server to use Global Catalog from other domain controller besides those located in Site4 and Site5.


Problem appeared when domain controllers in Site4 went down. Exchange servers didn’t want to start and mount databases.

When we looked into Events we could see event 2080 which stated that Exchange AD Topology service sees just four domain controllers:

  • Two in-site domain controllers from same site IP subnet are in (Site4)
  • Two out-of-site domain controllers. Controllers only from central site Site3

Exchange didn’t use those out-of-site domain controllers, because firewalls blocked it – regarding network/security guys recomendations. Question was why exchange servers didn’t see and use other domain controllers? It sees and uses only those four domain controllers (two in same AD site and two from central site).

After couple of minutes discusing with my coleague we find out that Exchange copies AD topology and it uses domain controllers in following way:

  • Primary uses domain controllers in same site as Exchange services are located – in-site DC
  • Secondary uses only domain controller which are directly replicating with domain controllers from primary site  – out-of-site DC

My colleague tried to convince me to believe it’s good idea and Exchange tries to protect you from some problems. But I don’t see any point of Exchange not contacting all domain controllers and contacing only domain controllers in the site and contacting domain controlers which replicate with domain controllers in site. I don’t see a poing of Exchange not trying to connect to Global Catalogs in Site1, Site2 and Site5. So this is the way Exchange looks for Global Catalog servers by design.

Proof of problem 🙂

I’ve done couple testing scenarios.

Exchange servers in Site4

  • In-site DCs: DCs from Site4
  • Out-of-site DCs: DCs only from Site3

Exchange servers in Site5

  • In-site DCs: DCs from Site5
  • Out-of-site DCs: DCs only from Site3

Exchange servers in Site1

  • In-site DCs: DC from Site1
  • Out-of-site DCs: DCs only from Site3

Exchange servers in Site3

  • In-site DCs: DCs from Site3
  • Out-of-site DCs: all DCs from all sites

This is really proof of problem with Exchange locating DCs.



To solve this issue we could make two things:

  • Create new AD Site only for all Exchange IP Subnets and add two domain controllers into this new created AD Site. One DC would be located in physical location 1/datacenter 1 (with CAS1 and MBX1 servers) and other DC would be located in physical location 2/datacenter 2 (with CAS2 and MBX2 servers).
  • Create new AD Inter-site Transport between Site4 and Site5.

We decided to create new AD Inter-site Transport.

I still don’t understand why Exchange doesn’t use all domain controllers in AD domain as I would think it would 🙁

Exchange 2010 is still looking for Demoted Domain Controller

August 23rd, 2012 No comments

When I was checking events today at one of our customers I mentioned one weird event. It was:

Event 2070

Process MSExchangeMailboxReplication.exe () (PID=1388).  Exchange Active Directory Provider lost contact with domain controller OLD_DC_NAME.  Error was 0x51 (ServerDown) (Active directory response: The LDAP server is unavailable.).  Exchange Active Directory Provider will attempt to reconnect with this domain controller when it is reachable. 

Read more…

Quickie: Remove data in AD after unsuccessful domain controller demotion

August 23rd, 2012 No comments

Today my ex-colleague called me that Windows 2000 Active Directory domain, he is taking care of, is not fully functional. He mentioned that “primary” domain controller is dead and now domain has some problems.

I had to seize all FSMO roles to live Domain Controller using ntdsutils as mentioned at this Microsoft article:

I manually deleted dead domain controller’s information from Active Directory using following Microsoft article:

After checking events I found out that there was also Certification Authority on dead domain controller and I needed to clean up all Enterprise Domain Certification Autorhority information from Active Directory Domain using following Microsoft article:

PS: Don’t forget to put your account into all “administrative” groups: Domain Admins, Enterprise Admins and Schem Admins.

Allow users to logon on to Domain Controller

September 13th, 2011 3 comments

Once upon the time I was at customer which had all infrastructure servers (and also all domain controllers) in VMWare VM. He decided to have one more domain controller on physical server. Only server he could use was management server, which was full of management tools.

Read more…

Ako obnoviť SYSVOL zdieľanie na doménovom radiči

January 30th, 2009 No comments

Už pár krát sa mi stalo, že som vytvoril GPO politiku, respektíve starú GPO politiku som upravil a nemohol som sa dočakať replikácie na všetkých ostatnch doménových radičoch. Replikácia nikdy neprebehla, SYSVOL DFS link bol nejaký rozbitý. Takto sa stávalo, že klienti pri prihlásení do domény a overení sa voči doménovému radiču dostali starú verziu politiky alebo nedostali tú novú.

Read more…