Hi Nick, I have seen almost every major topic video you created, to cross-check our techniques and pick up various things to keep for ourselves. I found your videos very helpful in terms of the detailed explanation of every topic you covered, for those who are in the IT field and acting as an admin somewhere, to cope at their end quickly. Overall, the information provided, the clear voice and the steps you created relevant to each topic are quite good. Keep providing more tips & tricks. Thanks
Almost 5 years after you posted this video.... you have saved the life and the job of this IT worker, haha!! Thanks a lot my friend, great video, all you did worked for me. I couldn't demote gracefully, I had to force it again and it finally got demoted. But besides that... all good!
O my.....You are a life saver..I have been going crazy for about 2 days trying to replicate to my DR. Thank you.....
I am happy to see that my videos can help real life scenarios. Much appreciated !
Thanks so much for this video. It has helped me a lot to resolve conflicts between my two DCs
NLB perfect real time solution, Thanks its just perfect for me to understand.
+Souvik Roy thank you for your kind words.
Hey,
thanks a lot for this great video. I have a question: why did you disable the "Kerberos Key Distribution Center" and restart the DC in order to solve the demotion issue? I mean, what should this do, or what exactly does it solve?
Howdy - Very good procedure. It played very well into a domain controller issue I had. Thank You very much!
For anyone facing this issue, usually it's caused by the loss of connectivity between the PDC and the ADC past the default tombstone attribute of 60 days.
Hello, thank you for this great video I'm sure it will help many many people. You have my support !
Thank you for the support!
This video has been so helpful, Thank you so much !
F*ck man! You just saved me tons of endless research on how to solve my issue. Thanks!!
thanks for your reply.
Someone asked me in an interview whether replication is done on the primary server or the backup server, but I couldn't answer it.
thanks for clear and simple explanation
Thank you NLB
Thanks for the video and it's very useful and good explanation
Thanks so much for this video. It has saved me.
You are a champ!!! It works.
Did you check your network location? It looks like it reverted to Private or Public rather than Domain network, changing the firewall state.
Your videos are AWESOME!!! THANK YOU!!!
Thank you John! Appreciate your support !
Anytime! !
Nice video and good info. What would be a use case for doing all these steps vs. demoting and then starting with a fresh Windows Server installation? After all, if this machine had an AD/Kerberos problem once, something else deeper in the system could be corrupt. I would rather demote it as cleanly as possible and then join and promote a new server instance in its place. It should take all of 10 minutes in VMware (minus Windows Update installation time).
great video, got me out of a sticky spot!
Happy I was able to help Lee! Thank you for the support.
Very helpful! Thanks.
How do I troubleshoot error 58 showing for all DCs during repadmin /replsum?
You Made my day...Thanks a lot ...
Thank you, Sony!
Hi thanks very much for this instructive video, helped me a lot.
great video keep it up NLB
Thank you Wetland!
Thanks so much for your videos. But in my environment it can't be fixed. I am still stuck at the "Creating the NTDS settings object" stage. The additional domain can't create an NTDS link on the primary DC; it keeps at this process forever without success. I tried to look for any solutions but still can't find one. I hope someone here can help me, if anyone has met this error or fixed it before. Thanks,
This was helpful, thank you
Will this procedure also work for Windows Server 2008 R2? Thanks!
Excellent. Kindly create more real-time scenarios.
+batista Thank you! Sure, I will try to make more OTJ (On the Job) scenarios. If you are interested in something you can always ask and I will try to answer with a video.
+NLB Solutions
You could have pointed the DNS lookup of your first DC to the second DC, on which DNS was working correctly.
Also, you should check the Event Viewer for event ID 4000 under DNS in such scenarios.
If event ID 4000 is registered, you can simply reset the secure channel for that DC and restart DNS. It works like a charm.
While resetting the secure channel password you can simply use the following set of commands:
net stop kdc (Stops KDC)
klist purge (Flushes all Kerberos tickets)
netdom resetpwd /S:Server /ud:domain\admin /pd:*
net start kdc
By doing this, we can save the reboot cycles.
Whenever you get an error such as "Target Principal Name is incorrect," you should try to reset the secure channel of that machine first (unless the PDC has its own secure channel messed up).
In my view, demoting a DC should be the last step, since many admins keep print servers, Exchange servers, etc. on the DC itself.
TIP: In order to force the connection objects in Dssite, you can run the command repadmin /kcc *
Enjoy.
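The check-then-reset sequence from the comment above, put into a PowerShell script as an added example (this is not Akshay Lodhi's or NLB Solutions' code). It looks for DNS Server event 4000, queries the secure channel state with nltest, and only then runs the net stop kdc / klist purge / netdom resetpwd / net start kdc sequence, followed by the repadmin /kcc tip. The parameters $PartnerDc, $PartnerDcIp, $InterfaceAlias and $AdminUser are assumptions for this example; as a later comment in this thread notes, netdom's /S must name a different, healthy DC, not the DC being repaired.

```powershell
# Added example, not code from the video or the comment author. Run in an elevated
# PowerShell session on the DC whose secure channel is suspect.
# Assumed parameters: $PartnerDc is another, healthy DC (the netdom /S target);
# $PartnerDcIp/$InterfaceAlias are optional, for pointing this DC's DNS client at that
# partner first; $AdminUser is a DOMAIN\user allowed to reset the machine account.
param(
    [Parameter(Mandatory)] [string] $PartnerDc,
    [Parameter(Mandatory)] [string] $AdminUser,
    [string] $PartnerDcIp,
    [string] $InterfaceAlias = 'Ethernet',
    [int]    $LookbackHours = 24
)

$domain = $env:USERDNSDOMAIN

# 1. Optional: resolve names through the partner DC while this DC's own DNS is broken
#    (the first suggestion in the comment).
if ($PartnerDcIp) {
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $PartnerDcIp
}

# 2. Look for DNS Server event 4000 ("The DNS server was unable to open Active Directory").
$since     = (Get-Date).AddHours(-$LookbackHours)
$dnsEvents = @(Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 4000; StartTime = $since } `
                            -ErrorAction SilentlyContinue)
Write-Host ("DNS event 4000 occurrences since {0}: {1}" -f $since, $dnsEvents.Count)

# 3. Query the secure channel; NERR_Success in nltest's output means it is intact.
$query   = nltest /sc_query:$domain 2>&1
$healthy = (($query -join ' ') -match 'NERR_Success')
Write-Host ("Secure channel to {0} healthy: {1}" -f $domain, $healthy)

if ($healthy -and $dnsEvents.Count -eq 0) {
    Write-Host 'Secure channel intact and no DNS 4000 events; nothing to reset.'
    return
}

# 4. The reset sequence from the comment: stop KDC, purge tickets, reset the machine
#    account password against the healthy partner, start KDC. No reboot required.
Stop-Service -Name kdc -Force
klist purge | Out-Null
netdom resetpwd /S:$PartnerDc /UD:$AdminUser /PD:*
$rc = $LASTEXITCODE
Start-Service -Name kdc          # never leave the KDC stopped, even if netdom failed
if ($rc -ne 0) { throw "netdom resetpwd failed with exit code $rc" }

# 5. Restart DNS, verify the channel, then force the KCC to rebuild connection objects
#    and summarise replication state.
Restart-Service -Name DNS
nltest /sc_verify:$domain
repadmin /kcc *
repadmin /replsummary
```

The script exits early when nothing is wrong, so it is safe to run as a first check; the reset branch only runs when nltest reports a broken channel or DNS has logged event 4000 in the lookback window.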
+Akshay Lodhi Your comment is on point. Actually I have tried all the steps above and I confirm that they can fix issues related to secure channel password. I appreciate and welcome such comments, thank you for that. And thank you for your support.
Why are we performing metadata cleanup? Could you please explain?
How long does it take for it to finish the replication? Mine has been stuck on "Creating the NTDS Settings object for this..." phase for quite some time now.
Hi, thank you for your wonderful videos. I have a rather pressing but somewhat similar issue, but so far I'm unable to find a solution, even on TechNet. I have 3 servers running: server1 is a domain controller, server2 has a failover cluster installed with a VM that replicates to server3. I have done planned failover before and the replication was working fine without a problem. But after the project was over I didn't turn the machines on for at least 2 weeks. When I turned the machines back on, I got the following error message: DCOM was unable to communicate with the computer HyperV1.contoso.com using any of the configured protocols; requested by PID 1ec8 (C:\Windows\system32\ServerManager.exe). Can you help me understand what might be the problem here? Am I not supposed to turn these machines off? Furthermore, when I check on server2 on the cluster, everything seems to be working just fine. Am I missing something here? Thanks a lot in advance
I have a major issue. Do you offer remote support?
Thanks for the video. Will this same procedure work with Windows Server 2008 R2?
Hi, yes this is pretty much the same in Windows Server 2008 R2.
Hello, I have a question. It's not regarding the video subject, but how did you get the server information displayed on the wallpaper???
Thanks.
Get a little tool called BgInfo
When I try to reset the password with the netdom resetpwd command it says: "The machine account password for the local machine could not be reset. The specified network name is no longer available." What can be wrong?
Hi Wasshup, you can find this useful - support.microsoft.com/en-us/help/325850/how-to-use-netdom-exe-to-reset-machine-account-passwords-of-a-windows
When Microsoft says "Enterprise level" it means held together with bootstraps
Thanks a lot
Great videos NLB. Can you please tell me where I can download Server 2012 to study!!
Thank you Trevor. You can download it from Microsoft Evaluation center - www.microsoft.com/en-us/evalcenter/
Dear all, I had a power problem with the main 2012 R2 AD DC and I had to do the recovery after I fixed the power supply on it >>> now I have this problem .... (This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role) and the other one ... (The DFS Replication service stopped replication on the folder with the following local path: C:\Windows\SYSVOL\domain. This server has been disconnected from other partners for 71 days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter (60). DFS Replication considers the data in this folder to be stale, and this server will not replicate the folder until this error is corrected) ... nothing works on it. Any idea how to get it back to work as the main domain controller?
Hi NLB, I had an MS tech replicate my DCs. As soon as he rejoined Exchange 2013, he disabled Exchange from starting the delivery services; now no emails... can anybody help? Thank you.
Could you make a video on how to fix a forward and reverse zone from an existing DNS? Thanks
Hi, mau agu. What are the issues that you experience with the zones?
Thanks for this video
Thank you for your support !
Excellent video, thank you...!!! Question: I am having a similar situation with 5 of my Server 2008 R2 machines, each one located in a different site. The PDC has lost replication only with DC2. Users from DC2 cannot see shared folders from DC1 and vice versa. I have reset the secure channel using the netdom resetpwd command from DC2 and checked whether that helps to recover replication, but after a few minutes the problem is back again, so I believe my next step should be demotion/promotion. But, correct me if I am wrong, do I have to demote my PDC to solve the problem even if DC3, 4, and 5 are replicating correctly with my PDC or DC1?
I think my question was answered after watching your video again, so, never mind.
Hello Javier, apologies that I was not able to answer sooner. Glad you were able to resolve it!
Hi Nic, you are great brb! You are excellent, I liked your video. I need your contact number please, or email contacts; I need to talk to you over the phone please .... Brb!!
Is replication done on the primary or on the BDC?
Is it possible to have the primary and the BDC on the same server? If yes, will it cause any issues?
Hi Chetan, if by "BDC" you mean Backup Domain Controller or Read-Only Domain Controller (RODC), replication is the same on both. With a BDC/RODC you just have a read-only copy of the Active Directory DB. You are not able to configure a Read-Write and a Read-Only domain controller on the same server.
I have reinstalled the Server 2012 OS and recreated the DC with the same name and IP; after this, clients are getting a 'trust relationship' error on login.
Please provide a solution.
Hi Arif, is this the only domain controller in the environment? The trust relationship could be lost when the secure channel to the domain controller is broken. There are a few ways to fix this, for example:
1. Resetting the computer accounts in AD.
2. Re-joining the computers to the domain.
The netdom command, what exactly does it perform?
Hi Miguel, thank you for the good question. Actually there are a few things that can be achieved with netdom:
1. Join a computer that runs Windows XP Professional, Windows Vista, or Windows 7 to a Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000, or Windows NT 4.0 domain.
2. Manage computer accounts for domain member workstations and member servers.
3. Establish one-way or two-way trust relationships between domains.
4. Verify or reset the secure channel.
5. Manage trust relationships between domains.
Reference - technet.microsoft.com/en-us/library/cc772217(v=ws.11).aspx
NLB Solutions, thank you. I was looking for how to reset the secure channel; your video helped me a lot.
Happy I was able to help!
Hi, my setup is: I have a DC with two child domains. They have replication issues. Do I need to create a backup of my DC first before demoting?
Hi MD, I would suggest troubleshooting to find out what the problem is with the domain controllers that are having replication issues. There are many built-in tools that can help you achieve this. If it comes to demoting, you will need to verify your configuration (FSMO, other domain controllers in the domain) prior to demoting the server. A backup will always help of course, but restoring (if needed) is the tricky part.
Issue was caused by DNS problem. Thank you! Please upload more videos, they are really helpful :)
No problem, MD. I am glad that you were able to find the problem. In more complex environments I would suggest checking the root cause of the problem, before demoting.
Hi there, I see you created 2 subnets, one in a Class A address and the other in a Class C address. How do you make the machines communicate with each other without a router? I have created 2 VMs on Hyper-V on a Windows 10 machine; how can I make the 2 machines communicate with each other?
I have created 2 separate virtual switches for the two machines.
There is no way to communicate without a router; you need the same class, or else you can use a VPN or a Fortinet firewall VM.
Hi bro
We are facing issues with a few people's accounts frequently locking.
I have troubleshot: cleared temp and cookies, cleared old passwords in Credentials, uninstalled Adobe Reader and prefetch files, but the same error persists.
Please suggest what I can do ....
I would suggest logging in to the PDC and going to Event Viewer (go to Run, type eventvwr). Once it's open, please go to the Security log and filter with 4740; then you will be able to find the source machine where your account is getting locked out.
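The same filter done from PowerShell, as an added example (not the commenter's code): it queries the PDC emulator, where every lockout is recorded, for Security event 4740 and groups the results by account and calling computer. It assumes the ActiveDirectory module from RSAT and the right to read the Security log on that DC; $User and $Days are assumed parameters.

```powershell
# Added example, not the commenter's or the video's code. Lists where account lockouts
# (Security event 4740) originate, read from the PDC emulator.
# Assumed parameters: $User narrows the output to one sAMAccountName, $Days is the lookback.
param(
    [string] $User,
    [int]    $Days = 7
)
Import-Module ActiveDirectory

# Lockouts are always written on the PDC emulator, so ask that DC rather than a random one.
$pdc = (Get-ADDomain).PDCEmulator

$filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-$Days) }
$events = @(Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue)

$rows = foreach ($e in $events) {
    # Read the EventData fields by name instead of relying on positional Properties.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # In 4740 the field named TargetDomainName carries the "Caller Computer Name",
    # i.e. the machine that sent the bad passwords; SubjectUserName is the DC that locked the account.
    [pscustomobject]@{
        Time           = $e.TimeCreated
        Account        = $data['TargetUserName']
        CallerComputer = $data['TargetDomainName']
        LockedOnDC     = $data['SubjectUserName']
    }
}

$rows |
    Where-Object { -not $User -or $_.Account -eq $User } |
    Sort-Object Time -Descending |
    Group-Object Account, CallerComputer |
    Select-Object Count,
                  @{ n = 'Account';        e = { $_.Group[0].Account } },
                  @{ n = 'CallerComputer'; e = { $_.Group[0].CallerComputer } },
                  @{ n = 'LastSeen';       e = { $_.Group[0].Time } } |
    Format-Table -AutoSize
```

A single caller computer with a high count for one account is the usual pattern for a stale credential (a mapped drive, scheduled task or service still using an old password) and points you at the machine to clean up; many different callers for one account is worth a closer look in the Security log of those machines.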
I have "Replication access denied". Can you help?
I think there is a mistake when you issue netdom resetpwd. /s (/server) is for another working DC to which you want to send the new computer account password for this DC being demoted. So, the server name should be NLB-DC-02, not NLB-DC-01?
I agree with you; Microsoft's support also says this.
Please help me!!!!
Replication folder doesn't work.
I installed DFS-N and DFS-R on server1 and server2.
The namespace is good and it works,
but replication does not?!
What is the problem!!!!!
3:28 AM, Geez..
I don't trust a troubleshooter that doesn't use Event Viewer. The logging capability that Windows has makes it a great tool to help in troubleshooting. Other than that, all of what you showed in the video is basic and common, and almost all normal engineers know it.
Hi Mohammed, I totally agree with you. Event Viewer is the tool when it comes to basic troubleshooting. Although this is common and everyone knows it, Microsoft is still keen on training its personnel.
C:\Users\Administrator>gpupdate /force
Updating Policy...
User Policy update has completed successfully.
Computer policy could not be updated successfully. The following errors were encountered:
The processing of Group Policy failed. Windows attempted to read the file \\myserver.com\SysVol\imyserver.com\Policies\{F90F7DAE-536B-46C6-AB9D-49B5F417A7D1}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.
Can you please help me with this, please?
Hello Juan, is this error only on a single user or on multiple? How many domain controllers do you have? I would advise you to look into the group policy object with GUID {F90F7DAE-536B-46C6-AB9D-49B5F417A7D1}. There could be something wrong there. You can find the GUID of the GPOs under the Details tab in Group Policy Management. If the problem is on a single domain controller, there could be issues with the replication to that DC; check Event Viewer for clues. Good luck!
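An added example (not NLB Solutions' code) for the check suggested in this reply: it reads the gpt.ini of the GPO with the GUID from the gpupdate output from every domain controller's SYSVOL share and compares versions, so a DC that has not received the policy folder (cause b in the output) or is unreachable (cause a) stands out. It assumes the ActiveDirectory RSAT module and read access to each DC's SYSVOL; the GUID is taken from the comment and can be overridden.

```powershell
# Added example, not code from the video or its author. Compares one GPO's gpt.ini
# across all DCs in the domain to find the DC whose SYSVOL copy is missing or stale.
# $GpoGuid defaults to the GUID in the gpupdate output above.
param(
    [string] $GpoGuid = '{F90F7DAE-536B-46C6-AB9D-49B5F417A7D1}'
)
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = foreach ($dc in $dcs) {
    $policies = "\\$dc\SYSVOL\$domain\Policies"
    $gptIni   = Join-Path $policies "$GpoGuid\gpt.ini"
    $row = [ordered]@{
        DC              = $dc
        SysvolReachable = $false   # cause a): name resolution / connectivity to this DC
        GptIniPresent   = $false   # cause b): folder never replicated to this DC
        ComputerVersion = $null
        UserVersion     = $null
    }

    $row.SysvolReachable = Test-Path $policies
    if ($row.SysvolReachable -and (Test-Path $gptIni)) {
        $row.GptIniPresent = $true
        # gpt.ini holds a single 32-bit Version: high 16 bits = user part, low 16 bits = computer part.
        $line = Get-Content $gptIni | Where-Object { $_ -like 'Version=*' } | Select-Object -First 1
        if ($line -and $line -match '^Version=(\d+)') {
            $v = [int]$Matches[1]
            $row.ComputerVersion = $v -band 0xFFFF
            $row.UserVersion     = ($v -shr 16) -band 0xFFFF
        }
    }
    [pscustomobject]$row
}

$results | Format-Table -AutoSize

# Flag the inconsistency: any DC without the file, or with a version that differs from its peers.
$present  = @($results | Where-Object GptIniPresent)
$versions = @($present | Select-Object ComputerVersion, UserVersion -Unique)
$missing  = @($results | Where-Object { -not $_.GptIniPresent })

if ($missing.Count -gt 0 -or $versions.Count -gt 1) {
    Write-Warning ("gpt.ini for {0} is missing on {1} DC(s) or differs between DCs; check SYSVOL replication (DFSR/FRS event logs) on the odd one out." -f $GpoGuid, $missing.Count)
} else {
    Write-Host "gpt.ini for $GpoGuid is present and identical on all $($results.Count) DCs."
}
```

If every DC shows the same version but clients still fail, the problem is on the client side of the path (name resolution or the DFS client, causes a and c); if one DC is the odd one out, that is the replication partner to investigate.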
Hi,
Thanks for the reply. I have 2 DCs; there used to be 3. This problem started when 1 of the DCs in the cluster crashed, so now the 2 DCs which I have are not in the cluster. This policy is a domain-based policy; the issue is coming up on most of the PCs. Do you think it's a replication issue? Thanks a lot for your help
90% of the time, restarting the problematic server fixes this issue.
Your voice is very low in this video
Could you please speak a bit louder? It's difficult to hear your voice.
Even after increasing the volume to 100, it's difficult to hear you.
So I request you to please speak a bit louder...
Thank you for your recommendation, abhilash. I have already upgraded my microphone and new videos should be much better in quality.
Your videos are the best !
thank you !
Thank you for your support !
The error you are getting on the additional DC, I am getting on the primary DC after transferring the roles..... The old DC was 2008 R2 and the current DC is 2012 R2 ... On the current DC, SYSVOL is empty and Group Policy data is not replicating from the old DC. Can you please guide me?
Hi Uday, you can refer to the following article - support.microsoft.com/en-us/help/2958414/dfs-replication-how-to-troubleshoot-missing-sysvol-and-netlogon-shares