
Verification of outbound replicaton failed. Error reading the NTDS settings on replication source domain

 

DC userAccountControl 0x81000

The whole post is long, but the single highlighted line at the bottom is all you need to untangle the knot for the whole system.


Got a question from a friend about a weird problem when trying to promote a 2012R2 Domain Controller.

The error is in the prereq test before promoting:

Verification of outbound replicaton failed. Error reading the NTDS settings on replication source domain controller 2k3dc.secid.local. Domain Controller data not found for the specified Active Directory domain controller.

I was also told that 2k3DC was a member of only the Domain Users group. That is not something you can easily change on the Member Of tab of the computer object in ADUC. Something weird was going on.

From DCDIAG.EXE I got the following info:

Starting test: MachineAccount
The account 2K3DC is not a DC account.  It cannot replicate.
Warning:  Attribute userAccountControl of 2K3DC is: 0x81000 = ( UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
This may be affecting replication?
……………………. 2K3DC failed test MachineAccount

Indeed, as the error message says, it could affect replication, and it did 🙂

In ADSI Edit we can connect to the Default Naming Context and open the properties of the computer object and see that the userAccountControl attribute has the hex value: 0x81000 = (WORKSTATION_TRUST_ACCOUNT|TRUSTED_FOR_DELEGATION)


A common problem when a computer account is prestaged would be that the DC has this value: 0x82020 = (UF_PASSWD_NOTREQD|UF_SERVER_TRUST_ACCOUNT|UF_TRUSTED_FOR_DELEGATION).

So how do we solve it? If you read KB305144:

These are the default UserAccountControl values for the certain objects:

Typical user : 0x200 (512)
Domain controller : 0x82000 (532480)
Workstation/server: 0x1000 (4096)

In ADSI Edit, edit the userAccountControl attribute with the 532480 decimal value and now it’s changed to: 0x82000 = (UF_SERVER_TRUST_ACCOUNT|UF_TRUSTED_FOR_DELEGATION)

And in this case, the computer object is now a member of the Domain Controllers group, no errors in dcdiag and the dcpromo succeeded.
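
The flag arithmetic behind the DCDIAG warning, as an added PowerShell example that is not part of the original post or any Microsoft tool. The function names are hypothetical; `Get-DcUacReport` only reads, and assumes the ActiveDirectory module is installed and that DC computer objects sit in the default Domain Controllers container.

```powershell
# Added example: userAccountControl bits named in this post (values per KB305144).
$UacFlags = [ordered]@{
    UF_PASSWD_NOTREQD            = 0x0020
    UF_NORMAL_ACCOUNT            = 0x0200
    UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
    UF_SERVER_TRUST_ACCOUNT      = 0x2000
    UF_TRUSTED_FOR_DELEGATION    = 0x80000
}

function ConvertTo-UacFlagNames([int]$Value) {
    # Name every listed bit that is set, then report any leftover bits as hex.
    $names = @($UacFlags.GetEnumerator() |
               Where-Object { $Value -band $_.Value } |
               ForEach-Object { $_.Key })
    $known = 0
    foreach ($bit in $UacFlags.Values) { $known = $known -bor $bit }
    $rest = $Value -band (-bnot $known)
    if ($rest) { $names += 'other:0x{0:X}' -f $rest }
    $names -join ' | '
}

function Test-DcUac([int]$Value) {
    # Same idea as the DCDIAG MachineAccount test: a DC must be a server trust account.
    $findings = @()
    if (-not ($Value -band 0x2000)) { $findings += 'UF_SERVER_TRUST_ACCOUNT missing' }
    if ($Value -band 0x1000)        { $findings += 'UF_WORKSTATION_TRUST_ACCOUNT set' }
    if ($Value -band 0x0020)        { $findings += 'UF_PASSWD_NOTREQD set' }
    if (-not $findings)             { $findings += 'no finding' }
    $findings -join '; '
}

function Get-DcUacReport {
    # Read-only query against the current domain (assumption: default DC container).
    Import-Module ActiveDirectory
    $dcContainer = (Get-ADDomain).DomainControllersContainer
    Get-ADComputer -SearchBase $dcContainer -Filter * -Properties userAccountControl |
        ForEach-Object {
            [pscustomobject]@{
                Name     = $_.Name
                UAC      = '0x{0:X}' -f $_.userAccountControl
                Flags    = ConvertTo-UacFlagNames $_.userAccountControl
                Findings = Test-DcUac $_.userAccountControl
            }
        }
}

# The three values discussed in the post, checked offline without a domain.
foreach ($v in 0x81000, 0x82000, 0x82020) {
    '0x{0:X} ({0}) = {1} -> {2}' -f $v, (ConvertTo-UacFlagNames $v), (Test-DcUac $v)
}
```

On a domain-joined admin workstation, `Get-DcUacReport | Format-Table -AutoSize` lists every computer object in the container with its decoded flags, so a DC account carrying the workstation bit stands out before a promotion fails on it.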
