Home » Microsoft » Windows Server » Active Directory » Rejoining Computers to domain
Rejoining Computers to domain [message #157296] Sun, 05 July 2009 20:57
Taz1972
Messages: 18
Registered: October 2009
Junior Member
Hi,

Whenever we move a computer object from one OU to another in
AD, we have to rejoin it to the domain. Why is this?

We have a fully 2003 .local domain, and having to rejoin any machine we move
to another OU back to the domain is a big hassle.

So what is causing this, and how do you fix it, ie stop it from happening?

Thanks,
Taz
Re: Rejoining Computers to domain [message #157298 is a reply to message #157296] Sun, 05 July 2009 22:21
aceman (United States)
Messages: 5816
Registered: July 2009
Senior Member
"Taz1972" <Taz1972@discussions.microsoft.com> wrote in message news:875C6D0F-2F84-44EB-8F9A-D04325A78D6B@microsoft.com...
> Hi,
>
> Whenever we move a computer object from one OU to another in
> AD, we have to rejoin it to the domain. Why is this?
>
> We have a fully 2003 .local domain, and having to rejoin any machine we move
> to another OU back to the domain is a big hassle.
>
> So what is causing this, and how do you fix it, ie stop it from happening?
>
> Thanks,
> Taz


Hi Taz,

Difficult to tell without additional info. Something like this just doesn't normally happen without being affected by other circumstances, domain/DNS mis-configuration, or policy settings.

1. Please post an unedited ipconfig /all from two of your DCs and from a sample workstation this is happening to.

2. Please post any Event log errors on the DCs and client machines before and after you move them.

3. Also let us know if there is a GPO in any of the OUs you are moving to and from, as well as what is in the GPOs, including any non-default GPOs at the domain level or Site level (if they exist) that are being applied to the workstations before and after.

4. Post any errors in the Event logs of any of your DCs and workstations, before and after you move them from OU to OU.

5. Are there any firewalls blocking necessary ports between Sites, or installed on the DCs or workstations, such as the local Windows firewall or a security/AV application? Was Zone Alarm ever installed on the DCs and removed?

6. Are any of the DCs multihomed (more than one NIC and/or IP addresses), or RRAS installed?

7. Is the AD DNS domain name a single label name (such as 'domain' instead of the minimal requirement of 'domain.com', 'domain.local', etc)?

8. Can you remind us for this thread, how many DCs and Sites do you have, and are there still Sysvol errors, RPC or other errors, based on your previous threads?


I remember there were DC problems. Were they ever resolved? I don't believe you've ever posted back letting us know if the issues were resolved or not, nor have you posted any configuration information for us to better assist, such as ipconfigs or Event logs. I believe the previous problems with the DCs concerning replication, DNS zones, Sysvol issues, RPC errors, etc, are contributing or may be the basis of this problem.

I can understand if you are reluctant to post config info. If it is any consolation, you can hide the names and domain names for security reasons, and no one can do anything with private IPs anyway. So anything you can provide us will better help us come up with a diagnosis.

Thanks,

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup/forum to benefit from collaboration among responding engineers, as well as to help others benefit from your resolution.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org
http://twitter.com/acefekay

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
Re: Rejoining Computers to domain [message #157300 is a reply to message #157296] Mon, 06 July 2009 01:21
meiweb(nospam) (Germany)
Messages: 1307
Registered: July 2009
Senior Member
Hello Taz1972,

Never heard about that. How did you realize that you have to rejoin it? What
error messages/problems/symptoms do you have?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hi,
>
> Whenever we move a computer object from one OU to another in AD, we
> have to rejoin it to the domain. Why is this?
>
> We have a fully 2003 .local domain, and having to rejoin any machine
> we move to another OU back to the domain is a big hassle.
>
> So what is causing this, and how do you fix it, ie stop it from
> happening?
>
> Thanks,
> Taz
Re: Rejoining Computers to domain [message #157304 is a reply to message #157300] Mon, 06 July 2009 03:05
Syed Khairuddin (Saudi Arabia)
Messages: 77
Registered: June 2009
Member
Hello,

It's really a weird problem, never heard of or seen before. Are you
sure you move the users within the same domain?

Thanks
Re: Rejoining Computers to domain [message #157382 is a reply to message #157298] Tue, 07 July 2009 09:38
Taz1972
Messages: 18
Registered: October 2009
Junior Member
When we try to move computer objects between OUs, we get the following:

'moving object in active directory can prevent your system from working in
the way it was designed. Moving an OU can affect the way gp's are applied to
the accounts within the OU. Are you sure you want to move the object?'

OK - I don't think the message was an error but rather a warning. It was
something my colleague complained about originally, but after having checked
this myself, I think it's normal and somewhat self-explanatory.

Am I correct?

The sysvol issue I posted in another thread I did reply to - we did an
authoritative restore on one of the DCs and restored an earlier copy of
sysvol from backup.

But we are still getting a lot of replication errors:

1566, 1311 and 1865
1232, 1265, 1925
1699 also generates 8453 access denied errors on certain dc's

We initially had 5-6 DCs, but recently we have added about half a dozen
more DCs to our other sites. They also have DNS installed on them, which
weren't created using delegations from the root .local domain, but rather we
created forward/reverse zones on the DC/DNS servers themselves. So for each
site we created a zone called <site>.company.local. We also used
<site>.company.local for the DNS suffixes for the client machines for that
particular site.

So we have a root called company.local, and for each site the DNS namespace
is <site>.company.local. The idea here was to organize our network so each DC
at each site is authoritative for its zone. This way you only replicate
small changes in DNS, not the whole .local forest.

I ran dcdiag on one of the DCs the other day, and some of the errors I got were
that for each of the DCs running DNS (mentioned above) it says that it is
not a valid DNS server, and there are also broken delegation errors.

Is this due to some sort of DNS misconfiguration? Is it because we simply
created zones on each server and replicated them to other DCs, instead of
creating a new DNS domain and delegating it for each site?

Furthermore, each of the DC/DNS servers is pointing to itself as preferred DNS
server and the secondary DNS is blank. Is this correct? We initially pointed the
server to the root DC for first-time replication, then afterwards pointed it
to itself as described above.

Our AD sites and services is being looked at right now, because we feel this
might be one of the causes of the problem. As I understand all sites must be
connected to each other because they must replicate to each other - so does
this mean that we have to have all our 12 sites in the 'Sites in this link'
part in the site properties? Or do they need to be organized in another
manner? They are all using IP intersite links and are bridge heads for their
sites.

We get a lot of RPC server unavailable errors on some sites - is this due to
DNS problems, or maybe there is RPC filtering on the FWs? We are asking our
security people to check the FW configurations for the latter, but they are
very slow to act on this for us.

I hope this gives enough information, if you need any more pls let me know.
Or if there is any kind of tests I need to run - please help.

Thanks,
Taz
Re: Rejoining Computers to domain [message #157384 is a reply to message #157382] Tue, 07 July 2009 09:52
meiweb(nospam) (Germany)
Messages: 1307
Registered: July 2009
Senior Member
Hello Taz1972,

That is an info message, as you realized yourself, just a warning about what can
happen when moving.

If you already have a posting open then I suggest that you keep on with that one
and do not open an additional one. Maybe you can post the newsgroup and the
subject of it so we can follow it.

Best regards

Meinolf Weber
Re: Rejoining Computers to domain [message #157422 is a reply to message #157382] Tue, 07 July 2009 11:07
aceman (United States)
Messages: 5816
Registered: July 2009
Senior Member
Taz, read in-line below, as well as below that with additional info, please...

"Taz1972" <Taz1972@discussions.microsoft.com> wrote in message news:FE01E119-E386-4443-8B13-629B4172E1A3@microsoft.com...
> When we try to move computer objects between OU's, we get the following:
>
> 'moving object in active directory can prevent your system from working in
> the way it was designed. Moving an OU can affect the way gp's are applied to
> the accounts within the OU. Are you sure you want to move the object?'

This is normal.
>
> OK - I don't think the message was an error but rather a warning. It was
> something my collegue complained about originally, but after having checked
> this myself, I think it's normal and somewhat self-explanatory.
>
> Am I correct?

Yep, you're correct. Check the box to not display that message again so as to not see it anymore.


> The sysvol issue I posted in another thread I did reply to - we did an
> authoritative restore on one of the DC's and restore an earlier copy of
> sysvol from backup.
>
> But we are still getting ALOT of replication errors:
>
> 1566, 1311 and 1865
> 1232, 1265, 1925
> 1699 also generates 8453 access denied errors on certain dc's
>
> We initially had 5-6 dc's, but recently we have added about half a dozen
> more dc's to oue other sites. They also have dns installed on them, which
> weren't created using delegations from the root .local domain, but rather we
> created forward/reverse zones on the dc/dns servers themselves. So for each
> site we created a zone called <site>.company.local. We also used
> <site>.company.local for the dns suffixes for the client machines for that
> particular site.

Did you create child domains, or did you simply create additional sub domains?


> So we have a root called company.local, and for each site the dns namespace
> is <site>.company.local. The idea here was to organize our network so each dc
> at each site is authoritative for it's zone. This way you only replicate
> small changes in dns, not the whole .local forest.

Only changes get replicated, not the whole zone. If you only have one domain in the whole forest, then you've just complicated the matter with additional replication.


> I ran dcdiag on one the dc's the other day, and some of the errors I got was
> that for each of the dc's running dns (mentioned above) it says that it is
> not a valid dns server and there are also broken delegation errors.

I'm not surprised.


> Is this due to some sort of dns misconfiguration? Is it because we simply
> created zones on each server and replixated them to other dc's, instead of
> creating a new dns domain and delegating it for each site?

It's due to the design you put in place, which does not work with AD/DNS, assuming you only have one domain. And if you have child domains in each site, then the recommendation is to use a parent-child DNS delegation.


> Furthermore, each of the dc/dns server is pointing to itself as prefered dns
> server and secondary dns is blank. Is this correct? We initially pointed the
> server to the root DC for first-time replication, then afterwards pointed it
> to itself as described above.

Best practice is to point to another one as second.


> Our AD sites and services is being looked at right now, because we feel this
> might be one of the causes of the problem. As I understand all sites must be
> connected to each other because they must replicate to each other - so does
> this mean that we have to have all our 12 sites in the 'Sites in this link'
> part in the site properties? Or do they need to be organized in another
> manner? They are all using IP intersite links and are bridge heads for their
> sites.

It's the DNS topology you've created that doesn't match AD's design, causing the problems.


> We get a lot of rpc server unavailable errors on some sites - is this due to
> dns problems, or maybe there is rpc filtering on the FW's? We are asking our
> security people to check the FW configurations for the latter, but they are
> very slow to act on this for us.

From what you've posted, I believe all the problems are caused by DNS. FW could have something to do with it. Use UDPQuery from Microsoft to test if DCs respond to AD ports between DCs in other sites.

How to Use Portqry to Troubleshoot Active Directory Connectivity
http://support.microsoft.com/kb/310456


> I hope this gives enough information, if you need any more pls let me know.
> Or if there is any kind of tests I need to run - please help.
>
> Thanks,
> Taz

This is interesting info. It is more than you gave us before, but you are still not providing ipconfig info. Understandable if reluctant or security conscious.

What I can tell you is this: if you created sub zones for each site, but each site is not a child domain (e.g. you only have one AD domain), then this will not work with AD, and it is probably the main cause of the DNS delegation errors, replication errors, lack of communication between DCs, and all those other errors in DNS.

And when a change is made in DNS, the whole zone does NOT get replicated forest wide. Only the changes. So if a workstation gets an updated IP from DHCP, only THAT IP gets replicated. This of course assumes you have one domain, one zone, and the zone's Scope is set to Forest Wide DNS.

This is not the way to 'organize' your sites. If you want to do it that way, you may as well have just created child domains for each site. This way it's their own Active Directory domain in each site that would have nothing to do with other sites. Then you could have created delegations for the child domain zone from the parent. This would also require two DCs per domain/site as well as other nuances such as FSMO role and GC placement. However, this is overcomplicating the matter and not required in your company, based on previous communications.

If all DCs are part of the same single domain, then they must all be GCs.

I would suggest not using this design you've created for your AD. It is EXTREMELY complicated because of the changes to the DNS suffixes that must be set on all machines, including the DCs; however, that keeps the DCs from properly registering into DNS under the zone they belong to, hence why there are replication and all of those other problems. If you install DCs, whether in one site or more, and simply follow the basic rules, AD just works.

If reluctant to post any additional information, which is understandable, then the only thing I can generally say as recommendation to fix this:

1. Eliminate all of those other zones you created for each site

2. Set the domain.local zone's replication Scope to Forest Wide

3. Point all DCs to this one DNS server so they will all have one common DNS so they can perform their initial communication and allow replication to occur (only change the zone's scope on one DC or other issues will occur)

4. Wait for replication

5. Then on each DC, point to itself as first, and this first DC as second

6. Eliminate the additional suffixes on each site that you've created (not needed)

7. Rename each machine (not the DCs) so they reflect which site they belong to with a 2 or 3 letter prefix in the name, such as if one site is in Dallas, choose a name such as the airport code DAL, and possibly choose the username that uses it, including whether a laptop or desktop, etc, such as:
dal-dafekay - this tells me that Ace Fekay is in Dallas and it is a desktop. Choose your own method - this is just a suggestion.

8. Point DNS on each site's machines to the local site first, and the corp site as second. Adjust DHCP to reflect this.

9. Install WINS. This is another topic...

I'm sure there's more. If needed, with all due respect, please, please hire a local qualified and experienced consultant that is familiar with AD inside and out to sit down and discuss a course of action to get your infrastructure straightened out.

I would like to see you get this straightened out.

Ace
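The following audit script is an added example and is not code from the thread or from any of its participants. It checks every DC in the current domain against the DNS rules Ace gives above: no per-site forward zones beside the domain zone (step 1), the domain zone replicating forest-wide (step 2), resolver order self first and one hub DC second (step 5), the DC's primary DNS suffix equal to the AD domain name (step 6), plus a TCP reachability probe on the AD ports the Portqry article covers. It assumes, which the page does not state, that the DCs run Windows Server 2012 or later with WinRM enabled and that the admin host has the RSAT ActiveDirectory and DnsServer modules; the `$HubDc` parameter and the port list are the example's own choices.

```powershell
#Requires -Modules ActiveDirectory, DnsServer
<#
  Added example (not from the thread): audit each DC against the DNS rules
  in the reply above. Assumes DCs on Windows Server 2012+ with WinRM enabled
  and RSAT ActiveDirectory/DnsServer modules on the admin host.
#>
param(
    # Hub DC that every other DC should list as its second DNS server (step 5).
    [Parameter(Mandatory)] [string] $HubDc,
    # TCP ports to probe; Portqry also tests UDP, which Test-NetConnection cannot.
    [int[]] $Ports = @(53, 88, 135, 389, 445, 3268)
)

$adZone = (Get-ADDomain).DNSRoot                         # e.g. company.local
$hubIps = @((Resolve-DnsName -Name $HubDc -Type A -ErrorAction Stop).IPAddress)

$report = foreach ($dc in Get-ADDomainController -Filter * | Sort-Object HostName) {
    $findings = New-Object 'System.Collections.Generic.List[string]'
    $selfIp   = $dc.IPv4Address

    # Step 6: a DC whose suffix is <site>.company.local registers its host
    # records in the site zone, not in the zone the rest of the domain queries.
    $suffix = ($dc.HostName -split '\.', 2)[1]
    if ($suffix -ne $adZone) {
        $findings.Add("primary DNS suffix '$suffix' is not the AD domain '$adZone' (step 6)")
    }

    # Step 5: resolver order self first, hub second (the hub itself is exempt).
    $dnsServers = @(Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        (Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses.Count -gt 0 } |
            Select-Object -First 1).ServerAddresses
    })
    if ($dnsServers.Count -lt 2) {
        $findings.Add("only $($dnsServers.Count) DNS server(s) configured: $($dnsServers -join ', ') (step 5)")
    } elseif ($dnsServers[0] -ne $selfIp) {
        $findings.Add("first DNS server is $($dnsServers[0]), expected itself $selfIp (step 5)")
    } elseif ($selfIp -notin $hubIps -and $dnsServers[1] -notin $hubIps) {
        $findings.Add("second DNS server is $($dnsServers[1]), expected hub $HubDc (step 5)")
    }

    # Steps 1 and 2: zone inventory on this DC.
    $zones   = Get-DnsServerZone -ComputerName $dc.HostName -ErrorAction Stop
    $domZone = $zones | Where-Object { $_.ZoneName -eq $adZone }
    if (-not $domZone) {
        $findings.Add("does not host the domain zone $adZone")
    } elseif ($domZone.ReplicationScope -ne 'Forest') {
        $findings.Add("zone $adZone has replication scope '$($domZone.ReplicationScope)', step 2 wants Forest")
    }
    $keep  = @($adZone, "_msdcs.$adZone", 'TrustAnchors')
    $extra = $zones | Where-Object {
        $_.ZoneType -eq 'Primary' -and -not $_.IsReverseLookupZone -and $_.ZoneName -notin $keep
    }
    foreach ($z in $extra) {
        $findings.Add("extra forward zone '$($z.ZoneName)' (scope $($z.ReplicationScope)) - step 1 says remove per-site zones")
    }

    # Port check from the admin host. TCP only: a clean result here does not
    # rule out a firewall filtering RPC dynamic ports, see the Portqry article.
    foreach ($p in $Ports) {
        if (-not (Test-NetConnection -ComputerName $dc.HostName -Port $p -InformationLevel Quiet -WarningAction SilentlyContinue)) {
            $findings.Add("TCP $p not reachable from $env:COMPUTERNAME")
        }
    }

    [pscustomobject]@{
        DC       = $dc.HostName
        Site     = $dc.Site
        Findings = if ($findings.Count) { $findings -join '; ' } else { 'OK' }
    }
}

$report | Format-Table -AutoSize -Wrap
```

Run it as a domain admin from a management host, e.g. `.\Audit-DcDns.ps1 -HubDc dc1.company.local`; a DC that passes every rule shows `OK`, and each finding names the step in Ace's list that it violates, so the output doubles as a checklist while the remediation is carried out. It reads configuration only and changes nothing.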