Rejoining Computers to domain

Hi,

Whenever we move a computer object from one OU to another in AD, we have to rejoin it to the domain. Why is this?

We have a fully 2003 .local domain, and having to rejoin any machine we move to another OU back to the domain is a big hassle.

So what is causing this, and how do you fix it, i.e. stop it from happening?

Thanks,
Taz
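Before rejoining a machine that has merely been moved between OUs, it is worth checking whether its domain trust is actually broken. The script below is an added example, not part of Taz's post or anyone's reply in this thread: it is run in an elevated PowerShell on the moved workstation (Windows 7 / Server 2008 R2 or later is assumed, as is the $MovedSince parameter, which is an assumption about when the object was moved) and collects the secure-channel state, the DC and DNS client settings, the object's new location, and any errors logged since the move.

```powershell
# Added example (not part of the thread): check a workstation that was moved
# between OUs before deciding it needs a rejoin. Run in an elevated PowerShell
# on the moved machine; assumes Windows 7 / Server 2008 R2 or later.
# $MovedSince is an assumed marker for when the computer object was moved.
param([datetime]$MovedSince = (Get-Date).AddHours(-1))

# 1. An OU move changes only the object's distinguishedName; the computer
#    account's SID and password stay the same, so the secure channel should
#    still verify. If this prints False, something other than the move broke it.
$channelOk = Test-ComputerSecureChannel
"Secure channel to $env:USERDNSDOMAIN intact: $channelOk"

# 2. Which DC is answering, and the DNS client settings an admin would want to see.
nltest /dsgetdc:$env:USERDNSDOMAIN
ipconfig /all

# 3. Current location of the computer object in AD (confirms the move happened).
$filter = "(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
$obj = ([adsisearcher]$filter).FindOne()
"Computer object DN: $($obj.Properties['distinguishedname'][0])"

# 4. Netlogon / Kerberos / DNS / Group Policy errors and warnings since the move
#    (Level 1 = Critical, 2 = Error, 3 = Warning).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 1, 2, 3; StartTime = $MovedSince } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'NETLOGON|Kerberos|DnsApi|GroupPolicy|Time-Service' } |
    Select-Object TimeCreated, Id, ProviderName, Message |
    Format-List

# 5. Which GPOs now apply to the computer: moving between OUs changes this
#    list, and a GPO that disables or restricts the Netlogon service is a
#    far more likely cause of a "needs rejoin" symptom than the move itself.
gpresult /r /scope:computer
```

If Test-ComputerSecureChannel returns True, the machine account is fine and a rejoin would only churn the machine password; the event list and gpresult output are then the place to look for what actually changed.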
"Taz1972" <Taz1***@discussions.microsoft.com> wrote in message news:875C6D0F-2F84-44EB-8F9A-D04325A78D6B@microsoft.com...

Hi Taz,

Difficult to tell without additional info. Something like this just doesn't normally happen without being affected by other circumstances, domain/DNS misconfiguration, or policy settings.

1. Please post an unedited ipconfig /all from two of your DCs and from a sample workstation this is happening to.

2. Please post any Event log errors on the DCs and client machines before and after you move them.

3. Also let us know if there is a GPO in any of the OUs you are moving to and from, as well as what is in the GPOs, including any non-default GPOs at the domain level or Site level (if they exist), that are being applied to the workstations before and after.

4. Post any errors in the Event logs of any of your DCs and workstations, before and after you move them from OU to OU.

5. Are there any firewalls blocking necessary ports between Sites, or installed on the DCs or workstations, such as the local Windows firewall or a security/AV application? Was Zone Alarm ever installed on the DCs and removed?

6. Are any of the DCs multihomed (more than one NIC and/or IP address), or is RRAS installed?

7. Is the AD DNS domain name a single-label name (such as 'domain' instead of the minimal requirement of 'domain.com', 'domain.local', etc.)?

8. Can you remind us for this thread how many DCs and Sites you have, and are there still Sysvol errors, RPC or other errors, based on your previous threads?

I remember there were DC problems. Were they ever resolved? I don't believe you've ever posted back letting us know if the issues were resolved or not, nor have you posted any configuration information for us to better assist, such as ipconfigs or Event logs. I believe the previous problems with the DCs concerning replication, DNS zones, Sysvol issues, RPC errors, etc., are contributing or may be the basis of this problem.

I can understand if you are reluctant to post config info. If it is any consolation, you can hide the names and domain names for security reasons, and no one can do anything with private IPs anyway. So anything you can provide us will better help us come up with a diagnosis.

Thanks,

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup/forum to benefit from collaboration among responding engineers, as well as to help others benefit from your resolution.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
ace***@mvps.RemoveThisPart.org
http://twitter.com/acefekay

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.

When we try to move computer objects between OUs, we get the following:
'moving object in active directory can prevent your system from working in the way it was designed. Moving an OU can affect the way gp's are applied to the accounts within the OU. Are you sure you want to move the object?'

OK - I don't think the message was an error but rather a warning. It was something my colleague complained about originally, but after having checked this myself, I think it's normal and somewhat self-explanatory.

Am I correct?

The sysvol issue I posted in another thread I did reply to - we did an authoritative restore on one of the DCs and restored an earlier copy of sysvol from backup.

But we are still getting a lot of replication errors:

1566, 1311 and 1865
1232, 1265, 1925
1699 also generates 8453 access denied errors on certain DCs

We initially had 5-6 DCs, but recently we have added about half a dozen more DCs to our other sites. They also have DNS installed on them, which weren't created using delegations from the root .local domain, but rather we created forward/reverse zones on the DC/DNS servers themselves. So for each site we created a zone called <site>.company.local. We also used <site>.company.local for the DNS suffixes for the client machines for that particular site.

So we have a root called company.local, and for each site the DNS namespace is <site>.company.local. The idea here was to organize our network so each DC at each site is authoritative for its zone. This way you only replicate small changes in DNS, not the whole .local forest.

I ran dcdiag on one of the DCs the other day, and some of the errors I got were that for each of the DCs running DNS (mentioned above) it says that it is not a valid DNS server, and there are also broken delegation errors.

Is this due to some sort of DNS misconfiguration? Is it because we simply created zones on each server and replicated them to other DCs, instead of creating a new DNS domain and delegating it for each site?

Furthermore, each of the DC/DNS servers is pointing to itself as preferred DNS server and secondary DNS is blank. Is this correct? We initially pointed the server to the root DC for first-time replication, then afterwards pointed it to itself as described above.

Our AD Sites and Services is being looked at right now, because we feel this might be one of the causes of the problem. As I understand it, all sites must be connected to each other because they must replicate to each other - so does this mean that we have to have all our 12 sites in the 'Sites in this link' part in the site properties? Or do they need to be organized in another manner? They are all using IP intersite links and are bridgeheads for their sites.

We get a lot of RPC server unavailable errors on some sites - is this due to DNS problems, or maybe there is RPC filtering on the FWs? We are asking our security people to check the FW configurations for the latter, but they are very slow to act on this for us.

I hope this gives enough information; if you need any more, please let me know. Or if there is any kind of test I need to run - please help.

Thanks,
Taz

Hello Taz1972,
That is an info, as you realized yourself, just a warning about what can happen when moving. If you already have a posting open, then I suggest that you keep on that one and do not open an additional one. Maybe you can post the newsgroup and the subject of it so we can follow it.

Best regards
Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups **
HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Taz, read in-line below, as well as below that with additional info, please...
"Taz1972" <Taz1***@discussions.microsoft.com> wrote in message news:FE01E119-E386-4443-8B13-629B4172E1A3@microsoft.com... This is normal. > When we try to move computer objects between OU's, we get the following: > > 'moving object in active directory can prevent your system from working in > the way it was designed. Moving an OU can affect the way gp's are applied to > the accounts within the OU. Are you sure you want to move the object?' > Yep, you're correct. Check the box to not display that message again so as to not see it anymore.> OK - I don't think the message was an error but rather a warning. It was > something my collegue complained about originally, but after having checked > this myself, I think it's normal and somewhat self-explanatory. > > Am I correct? Show quoteHide quote > The sysvol issue I posted in another thread I did reply to - we did an Did you create child domains, or did you simply create additional sub domains?> authoritative restore on one of the DC's and restore an earlier copy of > sysvol from backup. > > But we are still getting ALOT of replication errors: > > 1566, 1311 and 1865 > 1232, 1265, 1925 > 1699 also generates 8453 access denied errors on certain dc's > > We initially had 5-6 dc's, but recently we have added about half a dozen > more dc's to oue other sites. They also have dns installed on them, which > weren't created using delegations from the root .local domain, but rather we > created forward/reverse zones on the dc/dns servers themselves. So for each > site we created a zone called <site>.company.local. We also used > <site>.company.local for the dns suffixes for the client machines for that > particular site. > So we have a root called company.local, and for each site the dns namespace Only changes get replicated, not the whole zone. If you only have one domain in the whole forest, then you've just complicated the matter with additional replication.> is <site>.company.local. 
The idea here was to organize our network so each dc > at each site is authoritative for it's zone. This way you only replicate > small changes in dns, not the whole .local forest. > I ran dcdiag on one the dc's the other day, and some of the errors I got was I'm not surprised.> that for each of the dc's running dns (mentioned above) it says that it is > not a valid dns server and there are also broken delegation errors. > Is this due to some sort of dns misconfiguration? Is it because we simply It's due to the design you put in place, which does not work with AD/DNS, assuming you only have one domain. And if you have child domains in each site, then the recommendation is to use a parent-child DNS delegation.> created zones on each server and replixated them to other dc's, instead of > creating a new dns domain and delegating it for each site? > Furthermore, each of the dc/dns server is pointing to itself as prefered dns Best practice is to point to another one as second.> server and secondary dns is blank. Is this correct? We initially pointed the > server to the root DC for first-time replication, then afterwards pointed it > to itself as described above. > Our AD sites and services is being looked at right now, because we feel this It's the DNS topology you've created that doesn't match AD's design, causing the problems.> might be one of the causes of the problem. As I understand all sites must be > connected to each other because they must replicate to each other - so does > this mean that we have to have all our 12 sites in the 'Sites in this link' > part in the site properties? Or do they need to be organized in another > manner? They are all using IP intersite links and are bridge heads for their > sites. > We get a lot of rpc server unavailable errors on some sites - is this due to From what you've posted, I believe all the problems are caused by DNS. FW could have something to do with it. 
Use UDPQuery from Microsoft to test if DCs respond to AD ports between DCs in other sites.> dns problems, or maybe there is rpc filtering on the FW's? We are asking our > security people to check the FW configurations for the latter, but they are > very slow to act on this for us. How to Use Portqry to Troubleshoot Active Directory Connectivity http://support.microsoft.com/kb/310456 > I hope this gives enough information, if you need any more pls let me know. This is interesting info. It is more than you gave us before, but you are still not providing ipconfig info. Udnestandble if reluctant or security conscious.> Or if there is any kind of tests I need to run - please help. > > Thanks, > Taz What I can tell you is the way you created sub zones for each site, but each site is not a child domain (e.g. you only have one AD domain), then this will not work with AD, and probably the main cause of the DNS delegation errors, replication errors, lack of communication between DCs, and all those other errors in DNS. And when a change is made in DNS, the whole zone does NOT get replicated forest wide. Only the changes. So if a workstation gets an updated IP from DHCP, only THAT IP gets replicated. This of course assumes you have one domain, one zone, and the zone's Scope is set to Forest Wide DNS. This is not the way to 'organize' your sites. If you want to do it that way, you may have well just created child domains for each site. This way it's their own Active Directory domain in each site that would have nothing to do with other sites. Then you could have created delegations for the child domain zone from the parent. This would also require two DCs per domain/site as well as other nuances such as FMSO role and GC placement. However, this is overcomplicating the matter and not required in your company, based on previous communications. If all DCs are part of the same single domain, then they must all be GCs. 
I would suggest to not use this design you've created your AD design. It is EXTREMEMLY complicated because of the changes to the DNS sufffixes that must be set on all machines, including the DCs, however that keeps the DCs from properly registering into DNS under the zone they belong to, hence why there are replication, and all of those other problems. If you install DCs, whether in one site, or more, and simply follow the basic rules, AD just works. If reluctant to post any additional information, which is understandable, then the only thing I can generally say as recommendation to fix this: 1. Eliminate all of those other zones you created for each site 2. Set the domain.local zone's replication Scope to Forest Wide 3. Point all DCs to this one DNS server so they will all have one common DNS so they can perform their initial communicaiton and allow replication to occur (only change the zone's scope on one DC or other issues will occur) 4. Wait for replication 5. Then on each DC, point to itself as first, and this first DC as second 6. Eliminate the additional suffixes on each site that you've created (not needed) 7. Rename each machine (not the DCs) so they reflect which site they belong to with a 2 or 3 letter prefix in the name, such as if one site is in Dallas, choose a name such as the airport code DAL, and possibly choose the username that uses it, including whether a laptop or desktop, etc, such as: dal-dafekay - this tells me that Ace Fekay is in Dallas and it is a desktop. Choose your own method - this is just a suggestion. 8. Point DNS on each site's machines to the local site first, and the corp site as second. Adjust DHCP to reflect this. 9. Install WINS. This is another topic... I'm sure there's more. If needed, with all due respect, please, please hire a local qualified and experienced consultant that is familiar with AD inside and out to sit down and discuss a course of action to get your infrastructure straightened out. 
I would like to see you get this straightened out. Ace Hello Taz1972,
Never heard about that. How did you realize that you have to rejoin it? What error messages/problems/symptoms do you have?

Best regards
Meinolf Weber

Hello,
It's really a weird problem, never heard or seen before? Are you sure you move the users within the same domain?

Thanks
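Ace's numbered recommendations earlier in the thread (one forest-wide zone instead of per-site sub zones, every DC pointing at itself first and another DC second, all DCs as GCs, and the portqry check for AD ports between sites) can be audited from a single script. The one below is an added example written for this page, not Ace's, Microsoft's or any project's code; it assumes Windows Server 2012 or later DCs with the ActiveDirectory, DnsServer and DnsClient PowerShell modules, a domain-admin session, and a single-domain forest, and it only reports findings rather than changing anything.

```powershell
# Added example (not from the thread): audit the AD DNS design points Ace
# recommends across all DCs of one domain. Assumes Server 2012+ DCs with the
# ActiveDirectory, DnsServer and DnsClient modules, run as a domain admin,
# and a single-domain forest (so every DC should be a Global Catalog).
param([string]$Domain = (Get-ADDomain).DNSRoot)

Import-Module ActiveDirectory, DnsServer

$dcs = Get-ADDomainController -Filter * | Sort-Object HostName
$findings = @()

foreach ($dc in $dcs) {
    $h = $dc.HostName

    # Item 1 / item 2: only the domain zone (plus _msdcs) should exist, and the
    # domain zone should be AD-integrated with Forest replication scope.
    $zones = Get-DnsServerZone -ComputerName $h | Where-Object { -not $_.IsReverseLookupZone }
    foreach ($z in $zones) {
        if ($z.ZoneName -like "*.$Domain" -and $z.ZoneName -notlike "_msdcs.*") {
            $findings += "[$h] extra per-site zone '$($z.ZoneName)' (item 1: remove)"
        }
        if ($z.ZoneName -eq $Domain -and $z.ReplicationScope -ne 'Forest') {
            $findings += "[$h] zone '$Domain' replication scope is '$($z.ReplicationScope)', not Forest (item 2)"
        }
    }

    # Item 5: DNS client order on the DC itself - self first, another DC second.
    $servers = (Get-DnsClientServerAddress -CimSession $h -AddressFamily IPv4 |
                Where-Object { $_.ServerAddresses } | Select-Object -First 1).ServerAddresses
    if (-not $servers -or @($servers).Count -lt 2) {
        $findings += "[$h] secondary DNS server is blank (item 5)"
    } elseif ($servers[0] -ne $dc.IPv4Address) {
        $findings += "[$h] primary DNS is $($servers[0]), not itself ($($dc.IPv4Address))"
    }

    # Single-domain forest: every DC must be a GC.
    if (-not $dc.IsGlobalCatalog) { $findings += "[$h] is not a Global Catalog" }

    # Firewall check between sites (the portqry KB article's ports): DNS, Kerberos,
    # RPC endpoint mapper, LDAP, SMB, GC. Port 135 only proves the mapper answers;
    # the dynamic RPC range still needs the portqry -t rpc style check.
    foreach ($port in 53, 88, 135, 389, 445, 3268) {
        if (-not (Test-NetConnection -ComputerName $h -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue)) {
            $findings += "[$h] TCP $port not reachable from $env:COMPUTERNAME"
        }
    }

    # Registration check: a DC whose suffix points at a per-site zone will not
    # have its own A record in the domain zone, which is what breaks replication.
    if (-not (Resolve-DnsName -Name $h -Type A -Server $h -ErrorAction SilentlyContinue)) {
        $findings += "[$h] cannot resolve its own A record from itself (registration problem)"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { "No findings for $Domain." }
```

Run it from a management host in one site against all DCs; anything reported under items 1 and 2 is a zone to remove or re-scope, and should be fixed on one DC and allowed to replicate before touching the DNS client settings, in the order Ace gives.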