 | jmmelkon on Robocopy ERROR 5 (0x00000005)… |
 | Jake on AGDLP (Accounts, Global groups… |
 | ShineOn on Robocopy ERROR 5 (0x00000005)… |
 | Lauren on Creating a Reverse Lookup Zone… |
 | thejas on Robocopy ERROR 5 (0x00000005)… |
Ignited RSS
How to verify if the WMI is working fine on the Server?
ANS: Open Command prompt in Administrator mode and run the below command:
winmgmt /verifyrepository
If the WMI is working fine, then you get message as WMI is consistent, or else you get the error code.
Below is the link for the Error code reference for WMI
Depended on the scope of error you need to troubleshoot further.
Alert: This source server failed to generate the changes
Description: This directory service failed to retrieve the changes requested for the following directory partition. As a result, it was unable to send change requests to the directory service at the following network address.
Event ID: 1479
Active Directory Domain Services could not update the following object in the local Active Directory Domain Services database with changes received from the following source directory service. Active Directory Domain Services does not have enough database version store to apply the changes.
User Action
Restart this directory service. If this does not solve the problem, increase the size of the database version store. If you are populating the objects with a large number of values, or the size of the values is especially large, decrease the size of future changes.
Additional Data
Error value:
8573 The database is out of version store.
Resolution:
{MS has provided the resolution in this Link}
Note: Take Backup of Registry before changing
Registry Location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
You need to add the Registry value “EDB max ver pages” with 32 Bit DWord Decimal value as you need with reference below:
9600 = 152 MB
12800 = 202 MB
16000 = 252 MB
19200 = 302 MB
Reboot the Server once the changes have been done.
Check the Event viewer after restart; you need to get event 1394 in ADS Logs
This Alert occurs in 2008 R2 Servers
——————————————————————————
Alert: Active Directory cannot update object due to insufficient memory
Last modified by: System
Last modified time: 7/18/2013 1:02:10 PM
Alert description: Active Directory Domain Services could not update the following object in the local Active Directory Domain Services database with changes received from the following source directory service. Active Directory Domain Services does not have enough database version store to apply the changes.
User Action
Restart this directory service. If this does not solve the problem, increase the size of the database version store. If you are populating the objects with a large number of values, or the size of the values is especially large, decrease the size of future changes.
——————————————————————————-
Additional Data
Reboot will clear the version table but it does nothing to identify or resolve the core issue.
The version store has reached its maximum size because of unresponsive transaction. Updates to database are rejected until the long-running transaction is omitted or rolled back. TechNet suggested looking for event IDs-1022, 1069,623 and none of these event ids could be found in event viewer.
Resolution:
Below is the solution but it is your own risk to change registry setting.
Backup the Registry before Proceeding
“Please reboot the server”
Check in the Event Viewer for Event ID 1394 “All Problems preventing updates to the Active Directory Domain Services database have been cleared. New Updates to the Active Directory Domain Services database are succeeding. The Net Logon service has restarted”
You can find this event in “Directory Services” Log of the Domain Controller.
Summary: Group Policy application seems straightforward enough: Group Policy Objects (GPOs) are linked to organizational units (OUs); users and computers are in OUs. All the GPOs from a user’s OU hierarchy filter down to the user.
Things get more complicated, though, when you remember that GPOs can be linked to a domain and to sites—meaning you’ll have to open a whole new console to see what’s going on. You also have to consider local security policies, which exist solely on the client computer and are applied before any domain-based policies arrive. Throw in options such as Block Policy Inheritance, No Override, and loopback processing, and it’s no wonder why there’s such a robust market for third-party GPO tools. However, with some patience and a methodology, you can do quite a bit of quality troubleshooting on your own.
Start from the Scratch
Too many administrators try to start at the top, working their way down the hierarchy of GPOs and figuring out which ones apply. That method is time-consuming, error-prone, and just plain boring. It’s a lot easier to start at the bottom—the client—and work your way up the tree. Windows XP’s Gpresult tool, for example, is a great troubleshooting tool. Run from the command line, it will tell you which groups the current user is a member of (which can affect GPO application), and give you a list of every GPO that is currently affecting the user. You’ll also see the last time that GPOs were applied to the computer. What Gpresult is displaying is called resultant set of policy (RSOP). It sorts through all the blocked inheritance, no overrides, and conflicting policies to sort out exactly which policies are being applied.
By default, Gpresult doesn’t show you which individual policies are applied or what they are set to; because GPOs successively overwrite one another as they are applied, you can still be left with a troubleshooting task to figure out which of the GPOs listed is responsible for the settings you’re seeing. Fortunately, Gpresult has a “superverbose” mode, enabled by running
Gpresult /z
This mode not only displays which GPOs have been applied, but lists every single policy that’s enabled in each GPO, allowing you to see which GPO modified which setting, and which GPO finally won out in the end. Figure 36.1 shows a portion of Gpresult’s superverbose output. In this example, the GPO being applied is Local Group Policy, and you can see exactly which registry keys each setting is modifying.
Superverbose mode also breaks down the user and computer policies, allowing you to see every setting that is affecting the current users or their machines.
The FSMO role owners are stored in Active Directory in different locations depending on the role. The DN of the server holding the role is actually stored as the FSMO Role Owner attribute of various objects. For the Ignitedsoul.com domain, here are the containers that hold that attribute in the following order: PDC Role Owner, Infrastructure Master, RID Master, Schema Master, and Domain Naming Master:
LDAP://dc=Ignitedsoul,dc=com
LDAP://cn=Infrastructure,dc=Ignitedsoul,dc=com
LDAP://cn=RID Manager$,cn=System,dc=Ignitedsoul,dc=com
LDAP://cn=Schema,cn=Configuration,dc=Ignitedsoul,dc=com
LDAP://cn=Partitions,cn=Configuration,dc=Ignitedsoul,dc=com
The information in the attribute is stored as a DN, representing the NTDS Settings object of the domain controller that is the role owner. So, example contents for this attribute are:
CN=NTDS Settings, CN=MYSERVER1, CN=Servers, CN=My Site, CN=Sites,
CN=Configuration, DC=Ignitedsoul, DC=com
Issue:
– The Remote connection gets established but gets disconnected moments before you get the Desktop.
Symptoms:
– You are able to Ping the Server
– The Server seems to be fine when checked in Console.
– All the RDP Services seems to be fine.
– When trying to take Remote connection, the connection gets established, but closes automatically with an error.
– It asks to check the Network connections or the Remote desktop Services.
Resolution:
– The Main Culprit here is : rdpcorekmts.dll file in C:\Windows\System32 location
– All you need to do it replace this .dll file with same file in any working server.
– You need to rename the file to : rdpcorekmts.old
– You cannot rename the file directly as the Administrator too has only read permission on this file.
– First you need to take ownership of this file.
– Then you need to edit the security permissions and give full control for the Administrator or your account.
– Only then you can rename the file.
– Now copy the rdpcorekmts.dll file from any working server and paste in the System32 folder of the server with issue.
– This replacement resolves the issue, and you can take RDP of the Server normally.
Active Directory is made up of components that constitute its logical and physical structure. To administer Active Directory, we must understand the purpose of these components
Logical Structure: The logical structure of Active Directory provides methods for organizing network resources such as computers, printers, users and groups. It is made up of objects, organizational units, domains, domain trees, and forests.
1. Objects
The object is the most basic component of the logical structure. Object classes are template for the types of objects that can be created in Active Directory. Each object class is defined by a group of attribute. Attributes define the possible values that can be associated with an object. Each object has a unique combination of attribute values.
2. Organizational units
Organizational units are container objects that are used to group other objects in a manner that supports your administrative purposes. By grouping objects by organizational unit in a logical fashion, it becomes easier to locate and administer objects. We can also delegate the authority to administer an organizational unit. Organizational units can be nested in other organizational units. By nesting organizational units, we can further simplify the administration of objects.
3. Domains
Domains are the core functional units in the Active Directory logical structure. A domain is a collection of objects that share a common directory database, security policies, and security relationships with other domains. Domains provide the following three functions:
4. Domain Trees
Domains can be grouped together in hierarchical structures that are called trees. When a second domain is added to a tree, it becomes a child of the tree root domain. The domain to which a child domain is attached is called the parent domain. A child domain may in turn have its own child domain. The name of a child domain is combined with the name of its parent domain to form its own unique Domain Name System (DNS) name. In this manner, a tree has a contiguous namespace.
5. Forests
Forests are made up of one or more trees, although a single two-level tree is recommended for most organizations. A two-level tree is when all child domains are made children of the forest root domain to form one contiguous tree. The first domain in the forest is called the forest root domain, and the name of that domain is used to refer to the forest. A forest is a complete instance of Active Directory. By default, the information within Active Directory is shared only within the forest. In this way, the forest is a security boundary for the information contained in the instance of Active Directory.
Physical Structure: The physical structure of Active Directory models the physical structure of the network, and is made up of domain controllers and sites. The physical structure of Active Directory defines where and when replication and logon traffic occur, and is used to and manage network traffic. The physical structure enables you to optimize network traffic by determining when and where replication and logon traffic occur. The elements of the Active Directory physical structure are:
1. Domain controllers Domain controller performs storage and replication functions. A domain controller can support only one domain. A domain can have one or more domain controllers.
2. Active Directory sites Created mainly to optimize replication traffic and to enable users to connect domain controllers by using reliable, high speed connection. A site is a group of well-connected computers. When sites are established, domain controllers within a single site communicate frequently. This communication minimizes the latency within the site. Latency is the time required for a change that is made on one domain controller to be replicated on other domain controllers. You create sites to optimize the use of bandwidth between separated domain controllers. There can be multiple domains in a single site and single site can have multiple sites.
Note: We use Logical structure to organize the network resources and Physical structure to manage the network traffic.
Active Directory enables a single sign-on, which makes the complex processes of authentication and authorization transparent to the user. A single sign-on is made up of authentication, which verifies the credentials of the connection attempt, and authorization, which verifies that the connection attempt is allowed. With a single sign-on, users do not have to manage multiple sets of credentials and can access the resources for which they are authorized without thinking about the processes that occur behind the scenes. However, as a systems engineer, we must understand how these processes work in order to troubleshoot the Active Directory structure.
The single sign-on process occurs as follows:
|
Record type |
Name |
Description |
| A | Address Record | Maps a hostname to an IP address |
| PTR | Pointer Record | Maps an IP address to a hostname |
| CNAME | Alias Record | Maps an alias to a hostname |
| MX | Mail Exchanger Record | Specifies a mail route for a domain |
| NS | Name Server Record | Specifies name servers for a given domain |
| SOA | Start of Authority Record | Contains administrative data about a zone, including the primary name server |
| SRV | Service Record | Maps a particular service (e.g., LDAP) to one or more hostnames |
One important resource record to note is the SRV record type. SRV records are used extensively by domain controllers and Active Directory clients to locate servers that have a particular service.
Ravindra Kulkarni
IgNiTeD SoUL 