Adding the ESX/ESXi host to an Active Directory domain fails with the error “Errors in Active Directory operations”

VMware
When adding an ESX/ESXi 4.1 host to an Active Directory domain, the join fails, or while joining you receive the error "Errors in Active Directory operations". If you have netlogond enabled on the host, check whether netlogond.log contains entries similar to this one:

20100820075107:0xf7c74b90:DEBUG:[LWNetSrvGetCurrentDomain () /build/mts/release/bora-234910/likewise/esxi- esxi/src/linux/netlogon/server/api/lwnet-pstore.c:83] Error  at /build/mts/release/bora-234910/likewise/esxi- esxi/src/linux/netlogon/server/api/lwnet-pstore.c:83 [code: 136]

The issue is most likely that the required TCP/UDP ports are not open between the ESX/ESXi host and the Active Directory server. Make sure the following ports are open (TCP and UDP):

Port 88 - Kerberos authentication
Port 123 - NTP
Port 135 - RPC
Port 137 - NetBIOS Name Service
Port 139 - NetBIOS Session Service (SMB)
Port 389 - LDAP
Port 445 - Microsoft-DS Active Directory, Windows shares (SMB over TCP)
Port 464 - Kerberos - change/password changes
Port 3268-…

Configuring Windows Time for Active Directory

Microsoft
Over recent years I have noticed that Windows time configuration is sometimes overlooked and misconfigured and at some point may cause you major hassles. For anyone not aware, all machines in an Active Directory environment automatically find a time server to sync time with. Workstations use their authenticating Domain Controller, and the DCs sync with the server holding the PDC Emulator FSMO role. In a multi-domain forest, the PDC Emulator in each child domain synchronises with a DC or the PDC Emulator in the forest root domain. To ensure the time remains reliable across the forest, only the PDC Emulator in the forest root domain should ever sync with an external time source – this leads to only one source of time being used across the forest.

Transfer/Seize FSMO Roles to Windows Server 2012 Using Powershell

Microsoft
The following explains the Active Directory FSMO role transfer process using PowerShell cmdlets. When the DC holding the FSMO roles is being upgraded or goes down, the roles need attention because they are important. The traditional NTDSUTIL way of transferring and seizing FSMO roles takes a few minutes; using PowerShell is relatively easy and completes within a few seconds.

PowerShell cmdlet: Move-ADDirectoryServerOperationMasterRole

Syntax for transferring all 5 FSMO roles:
Move-ADDirectoryServerOperationMasterRole -Identity "Target_DC_name" -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster

If the target DC is named ADC, use the command below to transfer all FSMO roles:
Move-ADDirectoryServerOperationMasterRole -Identity "ADC" -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster

Role numbers can be used in the command instead of role names. Transfer all 5 FSMO roles using numbers:
Move-ADDirectoryServerOperationMasterRole -Identity "ADC" -OperationMasterRole 0,1,2,3,4

If the FSMO role owner is permanently offline, seize the FSMO roles with the same command, adding the -Force parameter.

Syntax for seizing FSMO roles:
Move-ADDirectoryServerOperationMasterRole -Identity "Target_DC_name" -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster -Force

Command:
Move-ADDirectoryServerOperationMasterRole -Identity "ADC" -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster -Force…

Active Directory schema version numbers

Microsoft
I thought it would be a good idea to share with you a list of Active Directory schema version numbers:

Windows 2000 RTM with all Service Packs = Schema version 13
Windows Server 2003 RTM with all Service Packs = Schema version 30
Windows Server 2003 R2 RTM with all Service Packs = Schema version 31
Windows Server 2008 RTM with all Service Packs = Schema version 44
Windows Server 2008 R2 RTM with all Service Packs = Schema version 47
Windows Server 2012 RC = Schema version 56

You can check the version with one of the following methods.

Registry: the "Schema Version" value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

dsquery:
dsquery * CN=Schema,CN=Configuration,DC=Root-Domain -Scope Base -attr objectVersion

ADSIEdit: open ADSIEdit, navigate to "CN=Schema,CN=Configuration,DC=domain,DC=local", right-click, choose "Properties" and locate the "objectVersion" attribute value.