To reorganize an Active Directory forest with multiple child domains into a single domain, I used ADMT (Active Directory Migration Tool) 3.2 from Microsoft. This modification is an intraforest migration because all domains are in the same forest.
While ADMT supports intraforest migration, I encountered a specific issue with computers migrated from a child domain to the parent domain: “The security database on the server does not have a computer account for this workstation trust relationship”
Security database trust relationship
Well, I was very perplexed by this error, because the ADMT agent reported a successful operation, and the computer account existed in the new Active Directory domain.
In fact, you will get this error each time you migrate a computer with an intraforest migration and the target operating system is Windows Server 2012 R2. Let’s see why and how to resolve this issue.
Microsoft released Cumulative Update 11 for Exchange 2013 and Exchange 2016 CU1 in December 2015. With these new packages, they changed the behavior of the Exchange Management Shell (Exchange PowerShell).
Prior to 2013 CU11 and 2016 CU1, when you started the EMS, it connected by default to the local Exchange server. But with CU11, Exchange PowerShell is proxied to the server where the user’s mailbox is located. This means that when you start the EMS console, it will probably try to connect to another server.
When all your servers are up to date, in some circumstances you can get an error when launching the EMS: “No mapping for the Unicode character exists in the target”:
Mapping Unicode error
If you get this error, do not panic and stay calm :). You can find some posts saying that you need to rebuild the PowerShell virtual directory, but do not do this! Let’s see how to resolve this issue easily.
When you are deploying a “big” software update like KB2919355 with System Center Configuration Manager, you can get the error code 0x800f0821 on some computers.
The computer receives the update, downloads it and starts to install it but the installation will fail.
Installation failed 0x800f0821
This error is raised because the execution time limit was reached. Depending on the computers and servers, you may or may not get this error on all SCCM clients.
Let’s see how to change the configuration in SCCM.
If you try to set up IPAM, you can get an error during the IPAM server provisioning step.
“Provisioning IPAM has failed. Check inner exception for more details. Some or all identity references could not be translated”
IPAM Provisioning failed
This error is raised because you are trying to provision it on a domain controller. By design, IPAM cannot be installed on a DC.
On Technet, Microsoft writes:
An IPAM server is a domain member computer.
You cannot install the IPAM feature on an Active Directory domain controller.
You can find more information here.
In Exchange Server 2013, I had a backup issue with Veeam Backup, but the problem occurs with all VSS backup solutions. I was able to reproduce the issue with the Windows Server Backup role.
In fact, when I checked the mailbox database folder, the transaction logs were not deleted after the backup, even though the backup was reported as successful.
VSS Backup logs not deleted
With Active Directory, you can deploy some Internet Explorer configuration using Group Policy (GPO). But sometimes settings for Internet Explorer are not modified, even if the GPO is correctly applied.
This behavior is not a bug, it’s a feature 🙂 When IE Security is enabled, a GPO can’t change the configuration of Internet Explorer.
When you want to deploy an autodiscover proxy configuration for your clients, you can use WPAD with DNS.
However, Windows Server DNS can reply with a non-existent domain response to a wpad domain name request.
WPAD record in DNS
Non-existent domain
This is the default behavior, and it breaks down into two cases:
- If WPAD configuration is already in place when you install the DNS server, no action is required.
- When you want to set up a new WPAD configuration after DNS installation, you need to edit the block list on all your DNS servers.
System Center Configuration Manager 2012 introduces a new feature: the Application Catalog. Using the Application Catalog, you can deploy an application to a user collection, and all users can use this web page to install or request an application.
To launch the Application Catalog, you can use the existing link in Software Center:
Link Software center
Depending on your system configuration, Internet Explorer can prompt for your login and password, even if you are in your domain.
During the installation of Microsoft SQL Server, you have two choices regarding the account used to start the “SQL Server” service:
- Local System of the computer.
- Service account: a user account created in Active Directory.
Microsoft recommends using the service account instead of Local System. However, when using a service account, you can get this error in the SQL logs:
The SQL Server Network Interface library could not register the Service Principal Name (SPN) for the SQL Server service. Failure to register a SPN might cause integrated authentication to use NTLM instead of Kerberos
During the migration phase of SCCM 2007 clients to the SCCM 2012 infrastructure, I had an issue with the Software Update Point: a lot of computers did not report their Software Update compliance and didn’t evaluate any new software updates.
After some troubleshooting, there was this error in the WUAhandler.log on the client side:
OnSearchComplete - Failed to end search job. Error = 0x80244022.
Scan failed with error = 0x80244022.