I'm having trouble restoring a DC to replication status. Somehow it past its tombstone timeout limit. Anyway I've tried repadmin /removelingeringobjects and was not able to remove the offensive AD objects. Using the Windows Server Event Viewer and looking through the 1988 errors, I found that there are only actually two entries left causing problems with replication.

Using sysinternals ADexplorer, I located them both in the AD hierarchy, but I got a "Syntax" error when trying to delete one, and the other, located in CN=Deleted Objects,DN=DomainDNSZones,DC=domain,DC=com, didn't even have an option to delete (grayed out).

I then moved to Powershell, where I was able to delete the first object using Remove-ADObject -Identity blah-blah-blah.

However, the second object won't go away. Here's my syntax:

Remove-ADObject -Identity blah-blah-blah -IncludeDeletedObjects

The result I get it:

Remove-ADObject : The requested delete operation could not be performed
At line:1 char:1
+ Remove-ADObject -Identity "blah-blah-blah" -IncludeDeleted ... + 
    + CategoryInfo          : NotSpecified: (blah-blah-blah:ADObject) [Remove-ADObject], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8398,Microsoft.ActiveDirectory.Management.Commands.RemoveADObject

Now going back to ADexplorer, I checked the Properties and the Security tab of this object, and the tab says:

The requested security information is either unavailable or can't be displayed

I'm certain this has something to do with the problem. I don't have permission to delete the object because... it doesn't have permissions?

Any idea where I can go from here?

So I've had an Exchange Server (v2013 with cu21) running on a Windows Server 2012 R2 box for several years now, without many problems.

We almost exclusively use Outlook-Exchange integration and active sync.

Recently, I have a need to use IMAP on a particular client, but it doesn't seem to work. I thought I've had IMAP enabled since the original install, and everything I check seems to support that, yet I simply can't connect using IMAP.

Things I've tried:

1. IMAP4 service and IMAP4 Backend service are both running, automatically. I tried restarting both services.
2. Connecting via a local LAN, so external firewall shouldn't be an issue.
3. Verifying ports 143 and 993 are open. They are. Tried disabling the Windows firewall just for good measure. Nothing.
4. I'm using a wildcard SSL certificate works fine for other purposes. I used Get-IMAPSettings to check that the certificate was properly defined, and I used Set-IMAPSettings -X509CertificateName to set it again just to be sure.
5. I've checked Get-ServerHealth to make sure all IMAP-related processes are Healthy.
6. I downloaded a script called HealthChecker.ps1 and ran that just for good measure.
7. Test-IMAPConnectivity fails with the very helpful status of Failure
8. I can telnet to 578 (smtp) from another machine on the LAN, but when I telnet to 143 or 993, I get a black terminal (like the entire terminal window resets) and then after about 5 seconds it sends me back to the command prompt, with no messages.
9. I tried Set-ImapSettings -ProtocolLogEnabled $true, but my login attempts don't even appear in the log. The only user I see accessing IMAP in the logs is the Health mailbox.
10. Tried Set-IMAPSettins -ExternalConnectionSetting just for fun
11. Verified that IMAP is enabled in ECP for the user that I'm using to test

What could I be missing here?

For a long time I've been using a HylaFax server and an old external 56k serial port modem.

It has worked great on our POTS lines.

Recently we just upgraded our location and it now has an AT&T Fiber connection, and the telephone lines are all provided over the Fiber line.

Now, the old modem apparently isn't picking up when it gets an incoming call. I'm not sure why, but it's definitely some incompatibility between the new lines and the modem because I've tested the following:

1. Old modem and Hylafax server still work fine on old POTS lines
2. Old modem won't pick up incoming fax call on new fiber lines
3. Standalone fax machine DOES pick up incoming fax call on new fiber lines

Why doesn't the old modem detect or answer the incoming call?

How can I get my old modem to work with the new lines?

I have a Windows 10 Pro machine that is functioning as a RDP terminal for a single user.

This machine was configured more than 2 years ago and has had no major changes made to its configuration, except of course for the obligatory Windows 10 automatic updates.

Everything has been working fine until a few months ago, when the user started getting this error when window attempting to connect via RDC:

Remote Desktop Connection
An internal error has occurred.

I tried logging in via RDC via my Admin credentials, and I get the same error. The error appears immediately after clicking connect. There is no processing time and the connection attempt seem to be immediately rejected by the server.

I can't trace the problem down to any specific time, or event. It occurs seemingly at random. Sometimes after a few days, sometimes twice in one day.

Restarting the Windows 10 Pro machine always seems to fix the problem.

Strangely, accessing the Event Viewer on the Windows 10 Pro machine also seemed to fix the problem, but it almost always returns much more quickly if I use this "fix".

Speaking of the Event Viewer, these are relevant errors I found in the log related to RDC at the time that my login was rejected:

Error Event 227 RemoteDesktopServices-RdpCoreTS
    General: 'Failed OnConnected to Listener callback' in CUMRDPConnection::InitializeInstance at 606 err=[0x8007050c]
    Log Name: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
    Source: RemoteDesktopServices-RdpCoreTS
    EventID: 227
    Task Category: RemoteFX module
    Level: Error
    User: NETWORK SERVICE
    OpCode: Runtime

Error Event 227 RemoteDesktopServices-RdpCoreTS
    General: spCoreConnection is NULL!' in CUMRDPConnection::TerminalInstance at 741 err=[0x8007139f]
    Log Name: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
    Source: RemoteDesktopServices-RdpCoreTS
    EventID: 227
    Task Category: RemoteFX module
    Level: Error
    User: NETWORK SERVICE
    OpCode: Runtime

These are some other errors I noticed in the log, but don't correspond to the moment I try to connect:

Warning Event 226, RemoteDesktopServices-RdpCoreTS
    General: RDP_TCP: An error was encountered when transitioning from StateUnknown in response to Event_Disconnect (error code 0x80070040)

Warning Event 142, RemoteDesktopServices-RdpCoreT
    General: TCP socket READ operation failed, error 64

Note that the client machines are also running Windows 10 Pro.

I have Microsoft AD Domain with multiple geographical sites. All sites are interconnected by VPN. All sites have 2 Domain Controllers running Windows Server 2012 R2.

I was reviewing the automated _ldap and _kerberos SRV records for each site in the DNS manager, and many (most?) of the entries make little sense.

A few sites had entries only for DCs that were off-site.

Many sites had one entry for the primary on-site DC (which is good), but instead of having the secondary on-site DC as another entry, it had an off-site DC as an equally weighted entry.

Many sites with off-site DCs had seemingly random off-site DCs. In most cases they were the most geographically distant DCs, which generally means higher pings and less bandwidth.

Just to be clear, the appropriate DCs are mapped correctly to their corresponding geographic sites within the Domain Sites and Services manager.

It seems to me that I would be much better off managing these entries myself. Ideally I would setup the SRV entries for each site like this:

Primary On-site DC - weight 0
Secondary On-site DC - weight 0
Primary Off-site DC, geographically close - weight 1
Secondary Off-site DC, geographically close - weight 1
Primary Off-site DC, geographically far - weight 2
Secondary Off-site DC, geographically far - weight 2

So in order to do this, I'd need to change all those SRV records to static, and then manage everything myself manually.

Aside from the tedious nature of this task, and the possibility for introducing human error into these essential records, is there a good reason I should not be revising these SRV entries manually?

Alternatively, is there a way to have more intelligently created automatic SRV records?

Tangentially related question: When messing around with creating static SRV records, I've noticed a strange behavior. Normally, automatically created DNS records get a time stamp, whereas records I create manually get a <static> label. Often, though, a record I create just gets a blank label (i.e. null). But if I check the advanced properties of the record, it does not have the Delete this record when it becomes stale option checked, so it seems it is static?

I'm a little befuddled by this situation.

I have an Exchange Server 2013 running on Windows Server 2012 R2.

It was working fine (I think), running CU17.

I decided to update it to CU21, as Microsoft says this will be the last quarterly patch for 2013 and will be required for all security patches going forward.

I take a VMware snapshot of the server, then proceeded with the upgrade.

The upgrade goes to 100%, and finishes with a single error (but no indication that the overall install failed). The error was something about not being able to find the server's site. I stupidly saved and copied the error to a text file on the server's desktop, so I can't paste it here.

More problematic than that, the Outlook website wasn't working, nor was the Exchange Control Panel website (both gave "server runtime errors").

So faced with this problem, I decided I'd just tackle the update again in the future when I had more time, and I rolled back to my snapshot at CU17.

Except, as you've probably guessed since I'm posting here, my previous snapshot isn't working now.

I can get all the Exchange services to start without any obvious errors, but my clients can't connect via their Outlook desktop apps.

The Outlook website is working, but when you actually try to send or receive emails - well, nothing is coming or going anywhere. I've tried restarting the transport services to no avail.

So I remembered back to that error I got when I tried to upgrade to CU20, and I started digging around in the server...

1. I verified the network connection is correctly configured, with static IP and DNS entry and is listed as a private network.
2. I can ping and connect via RDP to the server using the FQDN
3. I checked the event log and I get some clues and seemingly related problems:

Event 1015 MSExchangeDiagnostics Unable to contact the active directory. Inner Exception System.DirectoryServices.ActiveDirectory.ActiveDirectoryObjectNotFoundException: The computer is not in a site. at System.DirectoryServices.ActiveDirectory.ActiveDirectorySite.GetComputerSite() at Microsoft.Exchange.Diagnostics.Service.MachineInformationSource.PollMachineInformation Event 1025 MSExchange EdgeSync Topology load generated exception Microsoft.Exchange.Data.Directory.CannotGetSiteInfoException: Could not find information about the local site. This can be caused by incorrect configuration of subnets or sites or by replication latency. at Microsoft.Exchange.Data.Directory.NativeHelpers.GetSiteNameHookable(Boolean throwOnErrorNoSite) at Microsoft.Exchange.Data.Directory.SystemConfiguration.ADTopologyConfigurationSession.<GetLocalSite>b__7b() at Microsoft.Exchange.Data.Directory.Diagnostics.ADScenarioLog.InvokeWithAPILog[T](DateTime whenUTC, String name, Guid activityId, String implementation, String caller, Func 1 action, Func 1 getDcFunc) at Microsoft.Exchange.Data.Directory.SystemConfiguration.ADTopologyConfigurationSession.InvokeWithAPILogging[T](Func 1 action, String memberName)

4. I verified that the Exchange server is in the right subnet (and I haven't touched any network settings in years - no need)
5. I verified that the Exchange server appears in the right site in Active Directory Sites and Services

So, I'm thinking the key to all this is that somehow this Exchange Server's place in the AD got kind of screwed up. But I can't find the cause. I tried manually leaving the domain on the Exchange Server, and then rejoining the domain, but this fixed nothing.

Any ideas?

Note that I have also cross posted this to Synology forums. I'm posting here because I'm not sure if the problem is with Windows or with the Synology server:

Background

Dozens of workstations with several Synology servers.

All workstations running Windows 10 Pro.

For the past year, and up until about a week ago, all workstations were able to access all Synology servers fine.

Problem and Symptoms

Now just starting about one week ago, ONE workstation is unable to access ONE Synology server via Windows Explorer.

It doesn't work with \\UNCname nor with \\ip.ad.re.ss

However, I can ping the server just fine using the ip.ad.re.ss and nslookup for UNCname returns the correct address.

Conundrum

If this were happening to all my workstations, I'd assume the Synology server was at fault. But all the other workstations have no problem accessing this one Synology box. If this were happening with all Synology servers on this one machine, I'd assume the workstation was at fault. But the workstation has no problem accessing the other Synology boxes on the same network, and up until a week ago had no problem with the specific box in question.

Again, it is just the ONE workstation suddenly having problems with ONE Synology server.

Nothing has changed on my end, except of course that there are automatic updates for both Synology and for Windows 10... so again I have no idea where the problem lies.

I have two users in Taipei time zone.

Both are using PCs with system time correctly set to Taipei time.

Both have an Office 365 E3 Enterprise account on the same tenant and have Office 2016 installed.

Both use Outlook 2016 for their email needs and connect to the same on-premises Exchange server.

For one user, all time stamps on email display correctly with Taipei time.

For the other user, all time stamps on email seem to be using PST time.

Why?

Everything I google seems to reference time zones in Outlook's calendar functions, but they don't even use their calendars. This is only in reference to the email time stamps.

I have a multi-site Windows Server 2012 R2 AD domain.

Up until now we have been using individual office licenses.

At one specific site, we are testing an Office 365 implementation.

1. How do I integrate the Office 365 accounts into the on premise AD structure so that users don't have to memorize another set of credentials for Office 365?

2. I've run across some guides that seem to explain how to do this, but all involve setting up stuff on the Domain Controller. What is not clear to me is:

   How do I set up this integration only for the site where we are doing the rollout? It only applies to that site and specific users at that site.

   Which DC do I setup the integration at? The main DC (off-site) for the entire organization? The local DC at the site where we are rolling out Office 365? If I have two DCs on site (as is best practices), do I setup integration on both DCs?

   This is another part that seems nebulous to me: we have one AD across several (international) sites, but each local office will purchase and maintain their own Office 365 accounts (here I'm talking about organizational accounts not user accounts) for their own local users for accounting and licensing reasons. Is it possible to integrate multiple organizational Office 365 into a single AD? How do you set it up so that the AD / Office 365 integration knows where to find the Office 365 account?

I'm currently using the Out-File cmdlet, like so:

PS> Some-Cmdlet -someswitch | Out-File -filepath .\somefile.txt

It works great.

Is there anyway that I can actually get the command line itself to print to the same file before the output?

In other words, when I open somefile.txt I want to see the following:

Some-Cmdlet -someswitch | Out-File -filepath .\somefile.txt

OUTPUT
OUTPUT
OUTPUT
etc.

Windows Server 2012 R2 Domain with Windows 10 Pro clients.

I'm poking around in GPO under

User Configuration -> Policies -> Administrative Templates -> Windows Components -> Microsoft Management Console -> Restricted/Permitted snap-ins

Looks like the perfect place for it to be, but it isn't

Can I add it manually anyway?

• I have UserA.
• Working on ComputerA.

• I have setup a Virtual Machine on ComputerA under Hyper-V called ComputerA-VM.

• ComputerA runs Windows 10 Pro.

• ComputerA is part of domain.com managed by a DC running Windows Server 2012 R2.
• UserA is a domain user.

I want UserA to have permissions to START ComputerA-VM and CONNECT (access console) to ComputerA-VM and NOTHING ELSE.

I don't want them to be able to create other VMs, delete VMs, edit the settings of ComputerA-VM, or to mess with snapshots or anything.

How can I do this?

I'm opening a new site (physical and logical) in my international Windows domain.

The site is connected to the main office by a VPN over a slow connection (I'm using pfsense as my main router and ClearOS as my VPN manager, which is the same setup I use at all my sites). I can't do anything about improving the connection at the moment.

I've just setup two brand new physical machines, each running an instance of a brand-new clean install of Windows Server 2012 R2 (with all updates) on top of VMware ESXi 6 (again, this is the same at all my sites, except some are running ESXi 5.5 and some are running 6).

When I try to promote the servers to Domain Controller, I am getting the following error:

The wizard cannot gain access to the list of domains in the forest.

Clicking on Show more gives me the following details:

This condition may be caused by a DNS lookup problem. For information about troubleshooting common DNS lookup problems, please see the following Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=5171

The error is: The RPC server is unavailable.

Following the recommendations here https://technet.microsoft.com/en-us/library/cc526682.aspx, I have tried issuing the commands ipconfig /registerdns and ipconfig /flushdns and then trying the promotion again, to no effect.

Some additional "symptoms" of my slow connection:

1. The above error take about 5 to 10 minutes to appear after attempting the initial step of the promotion process (in another question I posted that the process was hanging, but I simply wasn't waiting long enough).
2. I successfully joined both servers to the Domain, but one took about 5 minutes to join and the other took about 10 minutes to join.
3. After joining the Domain, I had to reboot and then I logged in as a Domain Admin user. Logging in took about 10 minutes on one machine and 20 minutes on the other machine.
4. All that said, I can ping the remote DC in the main office continuously (over the VPN, using the local IP) with no problem. Average ping is around 250ms. The ping is not the problem, it is the bandwidth over the local DSL connection which is about 5mbit down and 750kb up, but shared amongst the entire office of about 10 users.

Here are some additional errors from my event viewer:

DFSR Event 1202: (On one machine only)

The DFS Replication service failed to contact a domain controller to access configuration information. The service will try again during the next configuration polling cycle. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.

Group Policy Preprocessing Event 1006: (On both machines)

The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the Details tab for error code and description.

Can anyone give me any troubleshooting clues on how to figure out why I can't successfully promote these servers to DCs? I've used almost this identical setup in a dozen different branches around the world with no problems, so I'm thinking this must be something unique to the local connection...

I notice that anything I add to Security Filtering also appears under Delegation, so I’m not sure how or why they both exist, and if they are redundant or not?

Until now I had been exclusively using Security Filtering to determine whether a GPO gets applied and to which groups, but now there is a new patch to Windows Server which stops my GPOs from applying unless I add Domain Computers to Security Filtering... (GPOs fail to apply; reason: Inaccessible, Empty, or Disabled; Server 2012 R2 and Windows 10)

This seems very confusing to me, as I always thought that GPO rights would be read independently based on all my experience with Windows privileges. In other words, if I have Bob and Sue in Group A and Bob and Bill and Sarah in Group B, and I add Group A and Group B to a GPO with Read and Apply set, then I expect that the GPO will apply to Bob, Sue, Bill, and Sarah. (Effectively a logical OR operation: if a user is in Group A or Group B, apply the policy).

Therefore, if I add Group A and Domain Computers to the Security Filtering tab, I’d expect the GPO to apply to Bob and Sue, but also to every computer in the domain, effectively rendering Group A redundant, since every computer receiving the GPO will always be part of the domain.

However, the post by user Adwaenyth (GPOs fail to apply; reason: Inaccessible, Empty, or Disabled; Server 2012 R2 and Windows 10) seems to imply that Security Filtering is now operating via an AND kind of logic, where the target must be a member of all groups for the GPO to apply. In my example of Group A and Group B above, then, only Bob would apply the GPO, as he is the only one in both groups.

This whole mystery would be solved for me if I only needed to add Read rights, and not Apply rights, to Domain Computers. But then why do I need to add Domain Computers to Security Filtering where Apply rights are automatically granted? This all comes back again to the same question of what, effectively, is the difference between Security Filtering and Delegation? I’m aware that Delegation is also for granting users and limited admins the ability to edit, modify, or delete a GPO. But what if I use Delegation to manually give an entity Read and Apply rights? Is that the same as putting the entity in Security Filtering?

This question is also posed here: Does a GPO apply if "Security Filtering" tab is empty, but there is a security group in Delegation which has Read and Apply right?

I have a Windows Server 2012 R2 Domain.

Yesterday, a computer’s (running Windows 10 Pro) network drive stopped working.

After further investigation (gpresult /h) it appears ALL group policy objects are failing with the reason Inaccessible, Empty, or Disabled.

I have confirmed that all the GPOs still exist and are enabled on both (redundant and local) domain controllers. Furthermore, there are 20 other machines on the same domain and LAN with absolutely no problems.

However, there is one other computer that I tested which presented with the same problem! Does that mean the problem is with the servers?

gpresult /r reports that one client is getting GPOs from local DC1, and the other from DC2. So it is not a problem related to a specific DC.

gpupdate /force fixed nothing (though it claimed that policies were applied).

I tried deleting the registry entries for local policies (following this guide https://superuser.com/questions/379908/how-to-clear-or-remove-domain-applied-group-policy-settings-after-leaving-the-do) and rebooting - same problem.

I found this support page from Microsoft (https://support.microsoft.com/en-us/kb/2976965), but it claims it only applies to Windows 7 or earlier clients.

All my machines (both server and client) are running 64-bit versions and are fully updated. I have rebooted all of them just to be sure.

Site 2: I have a small branch with 1 DC and 4 clients.

Site 1: Meanwhile my main branch has 2 DCs and lots of clients.

I made some GP changes on DC-site2, and I was wondering why they weren't applying to the clients at site2.

Well I did a gpresult /r and it showed that both Computer Settings and User Settings were coming from DC-site1.DOMAIN.COM. WHY?

I did echo %logonserver%. Result: DC-site2. Good so far.
I did set log (kind of redundant). Result: DC-site2. Still looking good.
nltest /dsgetsite. Result: site2. Ok, so the client knows it is in the right site.
nltest /dsgetdc:domain.com /Account:client-pc1$. Result: DC: \\DC-site2.DOMAIN.COM. Still good!

What the hell?

I checked Active Directory Sites and Services, and ONLY the DC-site2 server is showed listed in site2. I checked DNS settings, and in Forward Lookup Zones -> _msdcs.domain.com -> dc -> _sites -> site2 I ONLY see entries for the DC-site2 server.

And yet, gpresult /r on this client still shows it is applying GP from the DC-site1 server. WHY?

This was last night. This morning I checked again and the same machine is getting Computer Settings from DC-site2 but User Settings from DC-site1. WHY?

Network:

• Multi-site domain.
• Each site has 2 local (on-site, same subnet) Windows Server 2012 R2 Domain controllers.
• Sites are correctly defined in Windows Sites and Services.
• DNS records for each site ONLY have the two local DNS servers defined.
• ALL clients are Windows 10 Pro 64-bit with all updates.
• Both networks are fully gigabit running on Cisco switches with certified CAT6 cabling.
• Each site has a local (on-site, same subnet) Synology storage server.
• As part of Group Policy, two network drives are mapped to shares on the Synology server.

Connectivity Diagnostics:

• dcdiag /test:dns /v /c /e reports PASS for ALL servers and ALL tests
• echo %logonserver% always returns a local DC
• nltest /dsgetdc always shows a local DC and correct local IP
• On Site A, both network drives show up, with maybe a 0.5% chance of failure (I have experienced a few boots where the drives don't show up correctly).

Issue:

At Site B, network drives fail to show up perhaps 30% of the time. Sometimes it is both drives, sometimes it is one or the other. The problem is mostly random, and does not seem to follow any particular user or Workstation.

Symptoms:

Of the 30% of the time where a problem presents itself:

• 5% of the time a gpupdate or gpupdate /force will fix the problem and the drives will immediately appear. If the gpupdate doesn't work on the first attempt, it will pretty much never work after that (for that boot)
• 5% of the time a gpupdate or gpupdate /force will cause just one drive to appear
• 20% of the time, a gpupdate will not fix the problem, but the next boot will be fine
• 50% of the time, a gpupdate will not fix the problem, but after one boot and another gpupdate, the drives will appear

• 20% of the time, it will take multiple reboots (and gpupdate for each boot) before the drives appear. Sometimes it is 2 boots, but I have had to rarely reboot a computer sometimes 6 or 7 times before the drives appear.

  • For this last 20% of the time, I will sometimes get errors from the gpupdate process.

    The processing of Group Policy failed. Windows attempted to read the file 
    \domain\SysVol\domain.local\Policies{5898270F-33D0-41E8-A516-56B3E6D2DBAB}\gpt.ini 
    from a domain controller and was not successful. Group Policy settings may not be 
    applied until this event is resolved. This issue may be transient and could be 
    caused by one or more of the following:  
    
    a) Name Resolution/Network Connectivity to the current domain controller.  
    b) File Replication Service Latency (a file created on another domain controller 
       has not replicated to the current domain controller).  
    c) The Distributed File System (DFS) client has been disabled.
    

  • This error is actually, usually but not always, a good sign because generally after I get this error, the next ´gpupdate´ or the next boot and ´gpupdate´ will make the drives reappear.

Drive Map Diagnostics:

1. gpresult /h gpresult.html shows:

   Drive Map (Drive: X)
    The following settings have applied to this object. Within this category, settings nearest the top of the report are the prevailing settings when resolving conflicts.
      X:
       Winning GPO  DriveMaps 
        General Settings
         Result: Success
   

2. I have enabled group policy environment debug logging (per http://social.technet.microsoft.com/wiki/contents/articles/4506.group-policy-debug-log-settings.aspx created registry entry [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics] "GPSvcDebugLevel"=dword:00030002). The log file in c:\Windows\debug\UserMode\gpsvc.log has not shown me any clear errors, nor have I been able to find much help through google. Here are some interesting messages I have received:

   GPSVC(158.33c) 23:33:24:921 CheckGPOs: No GPO changes but extension Group Policy Drive Maps's returned error status 183 earlier.  
   GPSVC(158.c24) 23:38:12:203 ProcessGPOs(Machine): Extension Group Policy Drive Maps skipped with flags 0x110057. 
   GPSVC(158.157c) 23:08:08:216 ProcessGPOs(User): Extension Group Policy Drive Maps ProcessGroupPolicy failed, status 0xb7.
   

3. I have enabled group policy preferences debugging for Drive Maps (as per http://blogs.technet.com/b/askds/archive/2008/07/18/enabling-group-policy-preferences-debug-logging-using-the-rsat.aspx set Drive Map Policy Processing to Enabled and turned on Event Logging in properties of \Computer Configuration\Policies\Administrative Templates\System\Group Policy\Logging and tracing ). The log file in C:\ProgramData\GroupPolicy\Preference\Trace\User.log has not returned any errors.

   2015-11-21 17:47:38.849 [pid=0x22c,tid=0xcd0] Starting class <Drive> - X:.
   2015-11-21 17:47:38.864 [pid=0x22c,tid=0xcd0] Adding child elements to RSOP.
   2015-11-21 17:47:38.880 [pid=0x22c,tid=0xcd0] Beginning drive mapping.
   2015-11-21 17:47:38.896 [pid=0x22c,tid=0xcd0] Set user security context.
   2015-11-21 17:47:38.927 [pid=0x22c,tid=0xcd0] User does not have a split token.
   2015-11-21 17:47:38.927 [pid=0x22c,tid=0xcd0] Drive doesn't exist (full token).
   2015-11-21 17:47:39.114 [pid=0x22c,tid=0xcd0] Connected with access name x:.
   2015-11-21 17:47:39.146 [pid=0x22c,tid=0xcd0] SendNotification Session ID is 2.
   2015-11-21 17:47:39.146 [pid=0x22c,tid=0xcd0] SendNotification discovered drive mask of 8388608.
   2015-11-21 17:47:39.161 [pid=0x22c,tid=0xcd0] Set system security context.
   2015-11-21 17:47:39.161 [pid=0x22c,tid=0xcd0] SendNotification drive event broadcast sent.
   2015-11-21 17:47:39.161 [pid=0x22c,tid=0xcd0] Set user security context.
   2015-11-21 17:47:39.177 [pid=0x22c,tid=0xcd0] SendNotification to Shell.
   2015-11-21 17:47:39.177 [pid=0x22c,tid=0xcd0] Set system security context.
   2015-11-21 17:47:39.177 [pid=0x22c,tid=0xcd0] Properties handled.
   2015-11-21 17:47:39.177 [pid=0x22c,tid=0xcd0] Handle Children.
   2015-11-21 17:47:39.192 [pid=0x22c,tid=0xcd0] EVENT : The element of user preferences 'X:' of the group policy object 'DriveMaps {06FEB8B9-632C-4A1C-A7C9-5A05E1041BEE}' was applied correctly.
   2015-11-21 17:47:39.192 [pid=0x22c,tid=0xcd0] Completed class <Drive> - X:.
   

4. I also have several netmon captures of a login with drives failing to load, but the capture has so much information I'm not sure where to begin.

5. If, after a failed login, I try to browse directly to \\SynologyServer\ShareName\, the share always loads immediately without any errors. There are no signs of connection or permission problems.

Question:

Why is this problem happening so frequently at one site, but almost never at the other site, when both are on the same domain, have the same policy, and are running the same software?

The only software difference I can think of is that at Site A, all the computers were running Windows 8.1 Pro and were upgraded to Windows 10 Pro, whereas at Site B, all computers have fresh installs of Windows 10 Pro.

I ran a c:\dcidag /v /c /e test (/v = verbose, /c = comprehensive, /e = every DC) on all of my (currently) 5 Domain Controllers, and received this summary of results at the end:

                             Aut. B s. Reenv. Del. Din. RReg.
Ext.
_________________________________________________________________
Domain: mydomain.com

dc-serv-1                    PASS PASS PASS PASS PASS PASS n/a  
dc-serv-2                    PASS PASS PASS PASS PASS PASS n/a  
dc-serv-3                    PASS PASS PASS PASS PASS PASS n/a  
dc-serv-4                    PASS PASS PASS PASS PASS PASS n/a  
dc-serv-5                    PASS PASS PASS PASS PASS PASS n/a 

So, that’s a good thing, obviously. But when I read through the results in detail, I found that every server, except the server from which the test was run, was failing three tests:

Starting test: DFSREvent

     The event log DFS Replication on server
     dc-serv-2.mydomain.com could not be queried, error 0x6ba
     "The RPC server is unavailable."
     ......................... dc-serv-2 failed test DFSREvent

Starting test: KccEvent

     The event log Directory Service on server
     dc-serv-2.mydomain.com could not be queried, error 0x6ba
     "The RPC server is unavailable."
     ......................... dc-serv-2 failed test KccEvent

Starting test: SystemLog

     The event log System on server dc-serv-2.mydomain.com could not
     be queried, error 0x6ba "The RPC server is unavailable."
     ......................... dc-serv-2 failed test SystemLog

If I ran the test from dc-serv-1, then dc-serv-1 (the local server) would pass everything, but dc-serv-2 through -5 would fail those same three tests, and pass everything else.

I found this support page https://support.microsoft.com/en-us/kb/2512643 which seems to indicate that this is normal for Windows Server 2008+. I am running Windows Server 2012 R2 on all DCs.

The support page says that the cause is a firewall issue, which makes sense since the local server passes without issues. The support page says that I can just ignore these errors (which also makes sense considering the final status is listed as PASS) or I can open the firewall to allow the logs to be read.

Are there any advantages/disadvantages to fixing these errors by opening the firewall?

I have a multi-site Active Directory domain. All domain controllers across all sites are running Windows 2012 Standard R2.

Site 1 and 2: everything works fine

Site 3: I just setup and I’m having consistent problems across various computers where

1. First login to a computer sometimes takes a long time (initial account setup of a domain user on a new computer)
2. Group policy mapped drives do not appear, even though gpresult reports that the group policy was correctly applied
3. gpupdate will often take a long time to apply.

I have confirmed that the sites are setup correctly in AD, and that only the two local AD servers are attached to the local site. Furthermore, I have confirmed via echo %logonserver% that my local machines are only using the local AD servers to login.

I can ping the AD servers consistently with <1ms response time. All network cable in the building is recently installed and CAT6, and the symptoms do not seem to consistently affect one computer above the others: it is quite random. Sometimes mapped drives load successfully, sometimes not. There are only about 15 computers in the building, and all pass through a 48-port gigabit Cisco switch which is running the latest firmware available.

The AD servers themselves are running on a VM atop an Intel i5, RAID SSDs, and each have 8GB of memory apportioned.

The only common clue I see when running gpresult is that I am getting a slow link detected warning, which seems silly considering everything is on the LAN and connected via gigabit. In my research it seems that it is to be expected that mapped drives will not reliable appear under slow link connections.

How can I go about diagnosing the cause of this problem?

Question. I have a Windows AD Domain with two DCs. I find that name resolution becomes very unreliable when my "primary" Domain server is offline. How can I fix this?

I am running two Windows Server 2012 Standard servers, and both are Domain Controllers, DNS servers, and DHCP servers.

On the client side, my clients are using DHCP (from the aforementioned servers) and the DNS config they get sets one Domain Controller as Preferred, and the other as Alternate.

If I shut off the "Preferred" Domain Controller as a test, then internet browsing becomes very slow. Loading pages often fails, and I have to refresh often in order to get pages to successfully load. I think DNS lookups occur in round robin fashion, so I am assuming that the client tries the Preferred DNS first and fails. Then when I hit refresh, it tries the Alternate and succeeds. But I'm not sure about this, and it seems to be a very clunky system:

Question A. Why isn't the client automatically trying the Alternate DNS when the Primary DNS fails? This is 2015. What is the point of having an Alternate DNS if I have to manually hit refresh, sometimes twice, sometimes 5 or 6 times, to get the Internet to work? Do I have something misconfigured?

Question B. If I do nslookup google.com from a client's command prompt, it simply fails with timeout trying to contact the Primary DNS. It never tries the Alternate no matter how many times I try. Why is this?

Question C. Is there a better way for me to set this up so that the DNS failover is more transparent and automatic? When the Primary DNS Server is online, everything is as smooth as butter. When I have to switch to my "Secondary" DNS Server, everything becomes slow and unwieldy. I don't think that was the intended design. (I am aware that the idea of "Primary" and "Secondary" Domain Servers is now deprecated, and that all Domain Controllers are considered equal - even more reason why I don't see why I should be experiencing these problems if one Controller goes down).