AD & DC

Post your questions, comments, feedbacks and suggestions

Contact a consultant

[yahoobanner240.htm]

AD communication, including replication, fails on multihomed domain controllers

Cause: network adapters on the multihomed domain controllers are registering both the inside and outside Internet Protocol (IP) addresses with the DNS server. Replication operations require multiple lookup requests of SRV records. In this case, half of the DNS lookup requests return an IP address that cannot be contacted, and the replication operation fails.

Can I rename Windows 2003 DC

If you have a Windows 2003 DC, you can use the Netdom tool to rename the DC. The Netdom provide a secure and supported methodology to rename one or more domains. You can find the tool from the Windows 2003 installation CD-ROM

Common Active Directory Issues

1. Incorrect DNS configuration.
2. Incorrect network configuration.
3. Difficulties when you upgrade from Microsoft Windows NT.

Failed to modify the necessary properties for the machine account

Symptom: When you run Dcpromo to create a replica domain controller, you may receive the following error message: Failed to modify the necessary properties for the machine account. Access is denied.

Cause: 1. The account that is used for the promotion operation may not been assigned the "Delegation Privilege" right.
2. One of the operations that takes place during the promotion of a replica domain controller is the modification of the UserAccountControl attribute for the computer you are promoting.
3. When one or more domain controllers are on a Windows 2000 server that is using NAT; and it can be caused by the H.323/Lightweight LDAP proxy service.

For consultants, please refer to case 110804RL

How to check AD DNS Registration

You should have four folders with the following names under DNS forward lookup zones are present when DNS is correctly registering the Active Directory DNS records. These folders are labeled:
_msdcs
_sites
_tcp
_udp

How to check DC replication status

To check DC replication status, go to event logs for NTFRS (File Replication Service) It will tell you when the last synch was.

How to Enable or Disable a Global Catalog (GC)

Open to Administrative Tools>Active Directory Sites and Services>Sites, and then double-click the domain controller you want to work with in the Server folder for your desired site: Right-click NTDS Settings>Properties. Make a change accordingly.

WARNING: Do not turn on this option unless you are certain it will provide value in your deployment. For this option to be useful, your deployment must have multiple domains, and even then, only one global catalog is (typically) useful in each site.

How to install/remove AD/DC

To install/remove AD/DC, use dcpromo command.

How to repopulate AD DNS entries

Manually repopulate the Active Directory DNS entries. You can use the Windows 2000 Netdiag tool to repopulate the Active Directory DNS entries. Netdiag is included with the Windows 2000 Support tools. At a command prompt, type netdiag /fix.

This domain controller holds the last replica of the following application directory partitions

Symptoms: When you demote a DC by using the Active Dcpromo, you may receive the following error message: This domain controller holds the last replica of the following application directory partitions:
DC=MSTAPI,DC=yourdomain,DC=com

Resolutions: Try NTDSUTIL, Tapicfg.exe and dcpromo /forceremoval. Refer to case 082604JH.

What will happen when demoting a DC

When a domain controller is demoted, if it is not the last domain controller in the domain, it performs a final replication and then transfers the roles to another domain controller. If the domain controller is a global catalog, that role is not transferred to another domain controller. In this case, you must manually select the check box in Active Directory Sites and Services Manager for another domain controller to take over the role.