Environment tab in user properties and logon hours attribute
Cannot demote Server 2008 R2 Domain Controller - The operation failed:
Hi all,
I am trying to demote a Server 2008 R2 Domain Controller. When I run dcpromo and go through the steps to demote it, it ends with the error:
The operation failed because: Active Directory Domain Services could not transfer the remaining data in the directory partition.
I've checked the FSMO roles and they are all on the correct DC which is staying and not being removed.
I've also checked the event log and get the following errors. Does anyone have an easy step by step way of correcting this?
The operations master roles held by this directory server could not transfer to the following remote directory server.
Remote directory server:
\\Servername.domainname.com
This is preventing removal of this directory server. ------
Ownership of the following FSMO role is set to a server which is deleted or does not exist.
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
FSMO Role: CN=Infrastructure,DC=ForestDnsZones,DC=domainname,DC=com
FSMO Server DN: CN=NTDS Settings\0ADEL:f2dc2791-2596-4619-891f-fbb7b74d8ab7,CN=SERVER2\0ADEL:f1430942-c7c6-4938-97a3-4a68e65cbdca,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domainname,DC=com
Nltest /dsregdns shows ERROR_NO_LOGON_SERVERS
Hi,
3 domain controllers, 2 in site A, 1 in site B
We have replaced our domain controller in site B, so it is now running Windows Server 2016. All replication seems fine, and I cannot see any specific error in dcdiag or repadmin.
But when we run the command "Nltest /dsregdns" we get this error
********************
C:\Windows\system32>Nltest /dsregdns
Flags: 0
Connection Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully
C:\Windows\system32>
********************
I read another question on the forum where the problem had solved itself after a couple of days, but now our domain controller has not been rebooted for 4 days, so I guess it will not heal itself :)
The domain controller is pointing to itself for DNS, and it is a global catalog (all servers in the domain are).
The DNS service is running and lets me ping the other domain controllers.
The other 2 domain controllers report OK on the command
********************
PS C:\Windows\system32> Nltest /dsregdns
Flags: 0
Connection Status = 0 0x0 NERR_Success
The command completed successfully
PS C:\Windows\system32>
********************
Suggestions?
/Regards Andreas
Authentication authority asserted identity question
Hello!
How do I add a computer account to the Authentication authority asserted identity security group?
Thank you!
Windows 10 Logon attempt failed connecting to Azure VM user
Pulling my hair out for this.
We have a user that is trying to connect to our Azure platform to use our software. They log into a web portal and use the published apps to open a remote connection to our software on Azure. We have 400+ clients daily that log onto this with no issues; this specific client/user, when logging into the portal and selecting a published app, is prompted to open a connection. Selecting connect then asks for credentials, which should not happen, and displays the message "Logon attempt failed".
When it asks for credentials again, even if you type in the correct password it does not authenticate and produces the same "logon attempt failed" error. I have already tried some of the following troubleshooting with no luck whatsoever.
- Checked netstat -an for listening tcp port 3389
- firewall has been disabled
- AllowEncryptionOracle (already set up)
- allow delegating saved credentials with NTLM-only server authentication
- tried setting up remote resources through Control Panel, same effect
- tried to log into the portal via Google Chrome and downloading the .rdp file, same effect
- editing the .rdp file to add "enablecredsspsupport:i:0" and "authentication level:i:2"; however, this just corrupts the .rdp file, as the .rdp can only be edited in that the existing values are changed, to prevent third parties from intercepting the RDP link.
- I have also tried installing the Microsoft Remote Desktop app on the system and then setting up the connection via remote resources; this tries to establish a connection but comes back as a failure and does not specify why.
- The only error I can see in Event Viewer is regarding stored credentials. I have tried to find any stored credentials on the system to no avail. This includes any information stored within the registry and the file location.
I believe there is some other troubleshooting that I have tried; however, I cannot remember it off the top of my head.
Any guidance is highly appreciated.
Certificate template changes as a result of FFL/DFL raising
Hello all,
We are planning to raise the Domain Functional Level of 4 child domains and the Forest Functional Level of their root domain from version 2003 to 2008 R2, then subsequently 2012 R2. We have a Windows Certificate Authority within the root that is installed on a 2012 R2 server. The template versions are mostly old (v1 and v2).
Can anyone advise what automatic changes the act of raising the DFLs/FFL will have on the template schema versions? I.e., after I've hit the button (and assuming I make no manual changes to the templates themselves), can I expect any AUTOMATIC changes to these template versions, or will that be my own (manual) responsibility? I cannot locate any material from MS on this.
Thanks
AD 2016 Password filter DLL
Hi All,
I'm looking at how to create and set up the password filter DLL on AD 2016. I've seen the Microsoft documentation but it was no help:
https://docs.microsoft.com/en-us/windows/desktop/secmgmt/installing-and-registering-a-password-filter-dll
I'm wondering if this is still applicable and supported by Microsoft.
I'd appreciate it if someone who has done this before can help. I know there is paid software to do this, but I thought we could get it without paying...
Kassemf
Forest functional level not compatible
I have a new 2012 R2 server on which I have installed AD DS, and which is also hosting the forest. I have another Windows 2012 R2 server that I am attaching to that existing forest and I get the following error message: The functional level of the forest is incompatible with this operating system
The domain and forest functional level of the primary domain is Windows 2012 R2, and I still get the error.
Please help with this issue.
Thank you
Avinash Udawant
Domain Controller
Hi there,
I have a question regarding putting domain controllers in place. I just started working for a company with 40 employees. I do have some experience with DCs; however, I have never architected one. We don't have any servers in the environment yet, so we want to start with having a domain controller in place. We are thinking about putting it in AWS. I read a few articles and also did an installation of forest, domain and child domain controllers at home in my test environment. I want to move forward with putting a domain controller system in place. In an environment like ours, which may double in the next 5 years, I am wondering if I need to put 2 forest servers in place as well, or can I simply start with putting two domain controllers in place and not worry about the forest? Please let me know! Thanks!
KS
AD test environment
I have been tasked with designing an AD test environment with some special requests. A little background first. My client is about to implement Oracle IAM and would like to test the integration with AD and Exchange as close as possible to the production environment. They have previously tried to stage the test environment from a production environment but had a few mishaps as the new objects were written to the AD and Exchange, etc.
So, they would like to be able to write to the AD without affecting the production AD. Yet, they want to be able to replicate the test AD to an AD that is located in the production environment. Also, they do not want the Exchange users in the production network to see test network Exchange users. I know it is possible to hide these, but there are so many users and the people doing the implementation do not want to go that direction.
My first thought was to set up a child domain, but then, if I am correct, the child domain DC and parent domain DC will replicate to each other?
My other thought was to set up a separate domain. The thing I am uncertain of here is that both domains will be using the same network hardware (separated by VLANs) and the same internet connection. I am not sure if this will affect the production domain, but my initial reaction is that pointing the two domains to one internet connection will cause issues. However, setting up a separate internet connection will not be an issue, but then there is this whole requirement for replicating to an AD in the production network. Personally I don't think it will be possible to meet the replication requirement.
I have not dealt with AD for a while, as I have mainly been involved with networking, so this is very exciting stuff for me as well as nerve-wracking.
Servers in use:
- Windows Server 2008
- Windows Server 2003
- Exchange Server 2010
Any other suggestions on how to design this would be very much welcome. Please provide links and or documentation if at all possible.
Thanks in advance.
SBS 2008 migration to Server 2016
I've done a few of these already that were successful, but I ran a dcdiag today and saw something that stood out. It's a small environment that had a single SBS 2008 server that is 90% migrated over to a new DC (Server 2016). So far the shares have been moved and are working great, GPOs are applied and working, DHCP and DNS are working on the new server, and two days ago I finally moved the 5 FSMO roles. At this point there is nothing left on the old SBS, so my next step is to demote it to a member and then remove AD from it to decommission it.
I notice when I run gpresult /r on a workstation that it's still applied from the old server. Also, it seems the netlogon and sysvol folders on the Server 2016 are not shared. I don't remember ever manually sharing them. Any idea what I may have missed?
It seems not to be replicating with the old SBS. I can ping RI-SERVER (old) from RIDC (new) fine and also browse shares.
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = RIDC
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\RIDC
Starting test: Connectivity
......................... RIDC passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\RIDC
Starting test: Advertising
Warning: DsGetDcName returned information for
\\RI-SERVER.reportersink.local, when we were trying to reach RIDC.
SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
......................... RIDC failed test Advertising
Starting test: FrsEvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... RIDC passed test FrsEvent
Starting test: DFSREvent
......................... RIDC passed test DFSREvent
Starting test: SysVolCheck
......................... RIDC passed test SysVolCheck
Starting test: KccEvent
......................... RIDC passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... RIDC passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... RIDC passed test MachineAccount
Starting test: NCSecDesc
......................... RIDC passed test NCSecDesc
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\RIDC\netlogon)
[RIDC] An net use or LsaPolicy operation failed with error 67,
The network name cannot be found..
......................... RIDC failed test NetLogons
Starting test: ObjectsReplicated
......................... RIDC passed test ObjectsReplicated
Starting test: Replications
......................... RIDC passed test Replications
Starting test: RidManager
......................... RIDC passed test RidManager
Starting test: Services
......................... RIDC passed test Services
Starting test: SystemLog
An error event occurred. EventID: 0x00000422
Time Generated: 09/07/2018 12:15:34
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\reportersink.local\SysVol\reportersink.local\Policies\{F5A9D607-E811-4F4B-8A5A-ADE2E44CADD6}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
......................... RIDC failed test SystemLog
Starting test: VerifyReferences
......................... RIDC passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : reportersink
Starting test: CheckSDRefDom
......................... reportersink passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... reportersink passed test CrossRefValidation
Running enterprise tests on : reportersink.local
Starting test: LocatorCheck
......................... reportersink.local passed test LocatorCheck
Starting test: Intersite
......................... reportersink.local passed test Intersite
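The dcdiag output above fails Advertising and NetLogons because the new DC has no SYSVOL/NETLOGON shares, so the locator keeps returning the old server. The following PowerShell is an added, read-only check that is not from the original post or from any Microsoft tool; it gathers the facts those two tests depend on (share presence, the Netlogon SysvolReady flag, the FRS-to-DFSR migration state, and what the locator currently returns). It assumes it runs on the DC itself under an elevated session on Windows Server 2012 or later (for Get-SmbShare).

```powershell
# Added example: read-only SYSVOL/NETLOGON advertising check for a DC.
# Assumptions: runs locally on the DC, elevated, Windows Server 2012+.
function Test-SysvolAdvertising {
    # 1. Are the SYSVOL and NETLOGON shares actually present on this DC?
    $shares = @(Get-SmbShare -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -in @('SYSVOL', 'NETLOGON') })

    # 2. Has Netlogon been told SYSVOL is ready? A value of 0 (or a missing
    #    value) means the DC will not share SYSVOL or advertise itself.
    $netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $sysvolReady = (Get-ItemProperty -Path $netlogonKey -Name SysvolReady `
                    -ErrorAction SilentlyContinue).SysvolReady

    # 3. Which SYSVOL replication engine the domain is on (FRS vs DFSR).
    #    A domain migrated from SBS 2008 may still be in an FRS state.
    $dfsrState = (& dfsrmig.exe /getglobalstate 2>&1) -join ' '

    # 4. What the DC locator hands out for this domain right now.
    $locator = (& nltest.exe "/dsgetdc:$env:USERDNSDOMAIN" /force 2>&1) -join ' '

    [pscustomobject]@{
        DomainController = $env:COMPUTERNAME
        SysvolShared     = ($shares.Name -contains 'SYSVOL')
        NetlogonShared   = ($shares.Name -contains 'NETLOGON')
        SysvolReadyFlag  = $sysvolReady
        DfsrMigration    = $dfsrState
        LocatorReturns   = $locator
    }
}

Test-SysvolAdvertising | Format-List
```

If both shares are absent and SysvolReadyFlag is 0 or empty, the Advertising failure is explained by this DC alone. The SysvolReady flag should only be changed once SYSVOL content has been confirmed replicated to the new DC; forcing it earlier produces exactly the gpt.ini read failures shown in the SystemLog test above.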
Ramifications of long term domain controller disconnection.
Good day:
I have a question regarding the recovery process of a domain controller that's disconnected from the AD environment for an extended period of time.
Background:
We have four sites, each with a domain controller. One of the sites is a hub site that hosts our data center, and the FSMO role holder DCs reside at that site. A second site is our Disaster recovery site for the hub site, and has a single active DC (it's a 'warm site' style DR configuration). The other two branch sites have a single domain controller which is a GC server in order to process logins for that site, along with local DNS services. We use DFS-N to point user's home folders and department shares to a set of file servers at the hub site, and DFS-R to replicate changes to one of the branch sites which acts as our disaster recovery site for the hub site.
The problem:
We recently had one branch site taken offline due to a natural disaster which effectively destroyed the site's main power entrance; As part of my efforts to protect the integrity of the remaining sites, I've removed the offline site's domain controller from DNS (name server and A record), set the site link cost as expensive as the UI would permit, and removed it as a DFS referral server. The event occurred just under a month ago.
The question:
What are my options when we restore network connectivity and power to the down site? Can I just bring the domain controller back up and let it re-synchronize a month's worth of delta after undoing my protective changes, or do I need to DCPROMO the domain controller out of the environment and either promote it back in or rebuild the server entirely?
Usage of -ServicePrincipalNames when creating gMSA accounts
This question is based on the below article,
https://docs.microsoft.com/en-us/powershell/module/addsadministration/new-adserviceaccount?view=win10-ps
As per the example, the usage for gMSA accounts looks like this:
New-ADServiceAccount gMSAsqlservice -ServicePrincipalNames @{Add='MSSQLSvc/sqlserver.xxxxxxx.com:GMSA','MSSQLSvc/sqlserver.xxxxxxx.com:<port#>'} -DNSHostName gMSAsqlservice.xxxxxxx.com -PrincipalsAllowedToRetrieveManaged SQL_gMSA_group
We always get the error below:
New-ADServiceAccount : The name reference is invalid
At line:1 char:1
+ New-ADServiceAccount gMSAsqlservice -ServicePrincipalNames @{Add="MSSQLSvc/sql ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (CN=gMSAsqlservice,CN=Man...=xxxxxxx,DC=com:String) [New-ADServiceAccount], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8373,Microsoft.ActiveDirectory.Management.Commands.NewADServiceAccount
I was able to fix the issue using the format below. I'm not sure if the approach was correct, but SPNs did get auto-registered in SQL Server.
New-ADServiceAccount gMSAsqlservice -ServicePrincipalNames ("MSSQLSvc/sqlserver.xxxxxxx.com:GMSA","MSSQLSvc/sqlserver.xxxxxxx.com:<port#>") -DNSHostName gMSAsqlservice.xxxxxxx.com -PrincipalsAllowedToRetrieveManaged SQL_gMSA_group
************************************************************************************************************
Questions :
*****************************************
1> Which is the correct syntax to create a gMSA using -ServicePrincipalNames?
2> In the above example I have just used one server's SPNs (i.e., sqlserver). But when we have several servers added to the gMSA security group, how do we use -ServicePrincipalNames?
I feel we need more elaborate explanations of -ServicePrincipalNames.
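The following PowerShell is an added example, not from the original post or the linked Microsoft article. It builds on the form the poster reported working: New-ADServiceAccount takes -ServicePrincipalNames as a plain string array, while the @{Add=...} hashtable form belongs to Set-ADServiceAccount. For the second question, it shows the generalization to several SQL hosts: every host that runs the service as this gMSA gets its SPNs on the single gMSA object, since Kerberos maps the SPN to the account, not to the host. The host names, domain, port and group name are placeholders.

```powershell
# Added example: create one gMSA carrying SPNs for several SQL Server hosts.
# Placeholders: domain, host names, port and group name are assumed values.
Import-Module ActiveDirectory

$gmsaName = 'gMSAsqlservice'                   # account name from the post
$domain   = 'xxxxxxx.com'                      # placeholder DNS domain
$sqlHosts = @('sqlserver01', 'sqlserver02')    # constructed list of SQL hosts
$sqlPort  = 1433                               # assumed SQL listener port
$group    = 'SQL_gMSA_group'                   # group of hosts allowed the password

# One pair of SPNs per host: the FQDN form and the FQDN:port form.
$spns = foreach ($h in $sqlHosts) {
    "MSSQLSvc/${h}.${domain}"
    "MSSQLSvc/${h}.${domain}:${sqlPort}"
}

# New-ADServiceAccount expects a String[] here, not an Add/Remove hashtable.
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName "${gmsaName}.${domain}" `
    -ServicePrincipalNames $spns `
    -PrincipalsAllowedToRetrieveManagedPassword $group

# Adding a host later: Set-ADServiceAccount is where the hashtable form applies.
Set-ADServiceAccount -Identity $gmsaName `
    -ServicePrincipalNames @{ Add = "MSSQLSvc/sqlserver03.${domain}:${sqlPort}" }

# Verify what ended up on the object.
Get-ADServiceAccount -Identity $gmsaName -Properties ServicePrincipalNames |
    Select-Object -ExpandProperty ServicePrincipalNames
```

Each SPN must be unique in the forest, so before registering them it is worth confirming no computer account already holds an MSSQLSvc SPN for the same host (setspn -Q MSSQLSvc/host.domain:port), otherwise Kerberos authentication to that instance fails with duplicate-SPN errors.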
Revoking Subordinate CA Certificate
Hi Technet,
I'm currently in the process of setting up a new subordinate CA. We're using our current OpenSSL root CA to sign the CSR for our Windows subordinate CA. Unfortunately we're having a few issues with duplicate subordinate certificates. So far I've:
1) Set up the host and created a CSR, which was passed over to be signed by the Root CA
2) The root CA signed the CSR and set http locations for AIA and CRL
3) The signed CSR was then uploaded onto the subordinate CA
Unfortunately, once uploaded we found that there were a few issues with the CRL location, so the original CSR was re-signed with the new CRL location set and then uploaded to the subordinate. Long story short, we've ended up with 3 certificates on our subordinate CA, and we can't seem to revoke the 2 incorrect certs (containing the incorrect CRL locations):
So from the root CA we've revoked cert #0 and #1. If I go to the CRL location I can see that the CRLs for the old certs are showing. I've uploaded the CRL to C:\Windows\System32\CertSrv\CertEnroll and can see the updated CRL via MMC > Intermediate CAs > Certificate Revocation List. Unfortunately the certificates still appear under the Properties > General tab on the certificate authority as per the above. They're not showing as revoked.
I've tried removing the certificates from MMC > Personal > Certificates and from C:\Windows\System32\CertSrv\CertEnroll, but they instantly reappear. Worth noting that the only location we publish CRLs to is a web page.
Any help on this would be greatly appreciated.
Apologies, my knowledge of Windows PKI is fairly limited. There may be something very obvious that I'm not currently doing.
Thanks,
R
Problem in replication
Hi all,
I have two domain controllers in the same site.
One is the primary domain controller, named DC.
The other domain controller, named ADC, is an additional one.
Both domain controllers experienced a power outage,
but "ADC", the additional domain controller, faced a time jump to a past date (2002); then the time service began to sync with the primary domain controller and the time is now right.
But there is a problem in replication.
I think that "ADC", the additional domain controller, can replicate from "DC", the one holding the FSMO roles
(ADC is the downstream server and DC is the upstream server),
but "DC" cannot replicate from "ADC"
("DC" is the downstream server and "ADC" is the upstream server).
So I'm looking for a solution in https://support.microsoft.com/en-us/help/2020053/troubleshooting-ad-replication-error-8614-the-active-directory-cannot
If anyone could give me advice regarding that issue...
The output of repadmin is shown below.
The output of repadmin /showrepl DC:
Default-First-Site-Name\DC
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: f19df3de-60d9-45d8-9e1e-81351a3588fd
DSA invocationID: 210351f6-62a2-4cb5-8651-828f3dc53f85
==== INBOUND NEIGHBORS ======================================
DC=mydomaindc,DC=local
Default-First-Site-Name\ADC via RPC
DSA object GUID: 89650a74-a868-4d7d-8eff-4da4d16627a1
Last attempt @ 2018-09-08 08:21:31 failed, result 8614 (0x21a6):
The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
3865 consecutive failure(s).
Last success @ 2018-09-07 11:25:03.
CN=Configuration,DC=mydomaindc,DC=local
Default-First-Site-Name\ADC via RPC
DSA object GUID: 89650a74-a868-4d7d-8eff-4da4d16627a1
Last attempt @ 2018-09-08 07:55:55 failed, result 8614 (0x21a6):
The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
30 consecutive failure(s).
Last success @ 2018-09-07 11:25:03.
CN=Schema,CN=Configuration,DC=mydomaindc,DC=local
Default-First-Site-Name\ADC via RPC
DSA object GUID: 89650a74-a868-4d7d-8eff-4da4d16627a1
Last attempt @ 2018-09-08 07:55:55 failed, result 8614 (0x21a6):
The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
23 consecutive failure(s).
Last success @ 2018-09-07 11:25:03.
DC=DomainDnsZones,DC=mydomaindc,DC=local
Default-First-Site-Name\ADC via RPC
DSA object GUID: 89650a74-a868-4d7d-8eff-4da4d16627a1
Last attempt @ 2018-09-08 08:21:26 failed, result 8614 (0x21a6):
The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
89 consecutive failure(s).
Last success @ 2018-09-07 11:25:03.
DC=ForestDnsZones,DC=mydomaindc,DC=local
Default-First-Site-Name\ADC via RPC
DSA object GUID: 89650a74-a868-4d7d-8eff-4da4d16627a1
Last attempt @ 2018-09-08 08:06:26 failed, result 8614 (0x21a6):
The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
83 consecutive failure(s).
Last success @ 2018-09-07 11:25:03.
Source: Default-First-Site-Name\ADC
******* 3848 CONSECUTIVE FAILURES since 2018-09-07 11:25:03
Last error: 8614 (0x21a6):
The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
The output of repadmin /showrepl ADC:
Default-First-Site-Name\ADC
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 89650a74-a868-4d7d-8eff-4da4d16627a1
DSA invocationID: 7f1fe5f5-91d9-4a83-b527-3490d45547dd
==== INBOUND NEIGHBORS ======================================
DC=mydomaindc,DC=local
Default-First-Site-Name\DC via RPC
DSA object GUID: f19df3de-60d9-45d8-9e1e-81351a3588fd
Last attempt @ 2018-09-08 08:21:33 was successful.
CN=Configuration,DC=mydomaindc,DC=local
Default-First-Site-Name\DC via RPC
DSA object GUID: f19df3de-60d9-45d8-9e1e-81351a3588fd
Last attempt @ 2018-09-08 07:50:12 was successful.
CN=Schema,CN=Configuration,DC=mydomaindc,DC=local
Default-First-Site-Name\DC via RPC
DSA object GUID: f19df3de-60d9-45d8-9e1e-81351a3588fd
Last attempt @ 2018-09-08 07:50:12 was successful.
DC=DomainDnsZones,DC=mydomaindc,DC=local
Default-First-Site-Name\DC via RPC
DSA object GUID: f19df3de-60d9-45d8-9e1e-81351a3588fd
Last attempt @ 2018-09-08 07:58:04 was successful.
DC=ForestDnsZones,DC=mydomaindc,DC=local
Default-First-Site-Name\DC via RPC
DSA object GUID: f19df3de-60d9-45d8-9e1e-81351a3588fd
Last attempt @ 2018-09-08 07:50:12 was successful.
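The two repadmin listings above are one-directional: ADC pulls from DC fine, while every inbound neighbor on DC fails with result 8614 (tombstone lifetime exceeded), the signature of the clock jump. The following PowerShell is an added example, not from the original post or from repadmin, that parses repadmin /showrepl text into objects and flags partners with a failed last attempt, so the 8614 partitions can be read off in one table rather than by scanning the output. The sample text is constructed from the shape of the output above; for live use, pass the command's output directly.

```powershell
# Added example: turn "repadmin /showrepl" text into objects and flag failures.
# The sample below is constructed from the structure of the output in the post.
$sample = @'
Default-First-Site-Name\DC
DSA Options: IS_GC
==== INBOUND NEIGHBORS ======================================
DC=mydomaindc,DC=local
    Default-First-Site-Name\ADC via RPC
        DSA object GUID: 89650a74-a868-4d7d-8eff-4da4d16627a1
        Last attempt @ 2018-09-08 08:21:31 failed, result 8614 (0x21a6):
            The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.
        3865 consecutive failure(s).
        Last success @ 2018-09-07 11:25:03.
CN=Configuration,DC=mydomaindc,DC=local
    Default-First-Site-Name\DC via RPC
        DSA object GUID: f19df3de-60d9-45d8-9e1e-81351a3588fd
        Last attempt @ 2018-09-08 08:21:33 was successful.
'@

function ConvertFrom-ShowRepl {
    param([Parameter(Mandatory)][string[]]$Lines)
    $results   = New-Object System.Collections.Generic.List[object]
    $partition = $null   # current naming context header (DC=... / CN=...)
    $partner   = $null   # current inbound partner (site\DSA)
    $current   = $null   # object being filled in by the following lines

    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -match '^(DC|CN)=') { $partition = $line; continue }
        if ($line -match '^(?<site>[^\\\s]+)\\(?<dsa>\S+) via (?<transport>\S+)$') {
            $partner = $Matches['dsa']; continue
        }
        if ($line -match '^Last attempt @ (?<when>\S+ \S+) (?<rest>.+)$') {
            $current = [pscustomobject]@{
                Partition           = $partition
                Partner             = $partner
                LastAttempt         = $Matches['when']
                Failed              = ($Matches['rest'] -notlike 'was successful*')
                ErrorCode           = 0
                ConsecutiveFailures = 0
                LastSuccess         = $null
            }
            if ($Matches['rest'] -match 'result (?<code>\d+)') {
                $current.ErrorCode = [int]$Matches['code']
            }
            $results.Add($current); continue
        }
        if ($current -and $line -match '^(?<n>\d+) consecutive failure') {
            $current.ConsecutiveFailures = [int]$Matches['n']; continue
        }
        if ($current -and $line -match '^Last success @ (?<when>\S+ \S+)\.?$') {
            $current.LastSuccess = $Matches['when']; continue
        }
    }
    return $results
}

$report = ConvertFrom-ShowRepl -Lines ($sample -split "`r?`n")
$report | Where-Object { $_.Failed } |
    Format-Table Partition, Partner, ErrorCode, ConsecutiveFailures, LastSuccess -AutoSize

# Live use on a DC (the repadmin output becomes the string array):
# ConvertFrom-ShowRepl -Lines (repadmin /showrepl DC) | Where-Object Failed
```

A partner showing ErrorCode 8614 is being refused by design: the DC will not accept changes from a source it considers lingering-object-prone. The KB 2020053 article the poster links is the right place to decide between re-enabling replication after a lingering-object check and rebuilding the affected DC; the parser only makes the scope of the problem visible.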
PDC failed test VerifyReferences
Hi,
We are facing a few errors on dcdiag /q, but mainly references are not being verified.
I have read the article KB312862, but it seems to be for an issue with FRS, and we have DFL/FFL as Windows 2008; we are using DFSR.
OS: Windows 2008 R2
Can anyone guide me on how to resolve this issue?
......................... PDC failed test SystemLog
Some objects relating to the DC PDC have problems:
[1] Problem: Missing Expected Value
Base Object: CN=PDC,OU=Domain Controllers,DC=DOMAIN,DC=com
Base Object Description: "DC Account Object"
Value Object Attribute Name: frsComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862
......................... PDC failed test VerifyReferences
Windows 10 activation key
Hello, I am Abu Waddah from Saudi Arabia.
A Windows 10 activation key was purchased and activation was already done, but I formatted the device and the key disappeared. I would like the key sent to me, and also a CD with the installation copy.
AD Password Sync Between 1-Way Trust Domains
I have a client challenge that I hope we can solve.
Scenario
Corporate - 1-way trust to our client AD.
Mirrored AD users, but a completely unique SID per domain.
Assume zero assistance from corporate; assume no sight in any way into the corporate environment.
Problem - corporate requires 90-day password rotation that is synchronized to their corporate AD architecture.
I.e., if they have user jp required to change his password at the corporate site, it must be done on our client side at the same time.
My thoughts so far....
Is there a way to pull the event log locally on a PC that splits domain logins?
Can we see the corporate domain password prompt event ID trigger on the local PC and then trigger a script/GPO on our client domain to prompt the user to change their password when they log in next?
(Yes - they log in as jp@domaina.com and jp@domainb.com on the same systems, as well as having separate systems dedicated to each domain's use depending on the office.)
I have found this as the closest to it; however, it is on a failed password reset attempt. Does anyone have any solutions, or is up for a challenge?
Description Fields in 4724
Subject:
The user and logon session that performed the action.
Security ID: The SID of the account.
Account Name: The account logon name.
Account Domain: The domain or - in the case of local accounts - computer name.
Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
Target Account:
Security ID: SID of the account
Account Name: name of the account
Account Domain: domain of the account
FYI - we have zero room to change any structure or requirements.
I am aware we can introduce password sync from corporate to client. This way, when a password is changed in corporate, it syncs to the corresponding client domain account, hence adhering to the 90-day rule. There are password sync solutions that work from domain to domain and from domain to local account.
BUT, unfortunately, any work on the corporate end is not a possibility at this time. It has to be a 100% client-side solution.
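The 4724 field list quoted in the post is what a Security-log reader sees as EventData in the event XML. The following PowerShell is an added example, not from the original post, that parses those fields (Subject and Target) out of a 4724 event into an object, which is the usual first step whether the goal is correlating the SubjectLogonId back to its 4624 or simply auditing who reset whose password. The parser is exercised against a constructed 4724 event XML so it runs without a live Security log; the Get-PasswordResetAudit wrapper reads real events and assumes the caller has rights to the Security log (Event Log Readers or local administrator).

```powershell
# Added example: parse event 4724 (password reset attempt) fields from the
# event XML. The sample event below is constructed; names and SIDs are fake.
$sample4724 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4724</EventID>
    <TimeCreated SystemTime="2018-09-08T08:21:31.000Z"/>
    <Computer>DC.clientdomain.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jp</Data>
    <Data Name="TargetDomainName">CLIENTDOMAIN</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1200</Data>
    <Data Name="SubjectUserName">helpdesk1</Data>
    <Data Name="SubjectDomainName">CLIENTDOMAIN</Data>
    <Data Name="SubjectLogonId">0x3e7f2a</Data>
  </EventData>
</Event>
'@

function ConvertFrom-PasswordResetEvent {
    # Accepts the XML text of one 4724 event and returns a flat object.
    param([Parameter(Mandatory)][string]$EventXml)
    $x = [xml]$EventXml
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time           = [datetime]$x.Event.System.TimeCreated.SystemTime
        Computer       = $x.Event.System.Computer
        EventId        = [int]$x.Event.System.EventID
        # "Subject" = who performed the reset; LogonId links to its 4624.
        SubjectDomain  = $d['SubjectDomainName']
        SubjectUser    = $d['SubjectUserName']
        SubjectSid     = $d['SubjectUserSid']
        SubjectLogonId = $d['SubjectLogonId']
        # "Target" = the account whose password was reset.
        TargetDomain   = $d['TargetDomainName']
        TargetUser     = $d['TargetUserName']
        TargetSid      = $d['TargetSid']
    }
}

function Get-PasswordResetAudit {
    # Reads live 4724 events from a DC's Security log (rights assumed).
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    $filter = @{ LogName = 'Security'; Id = 4724; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-PasswordResetEvent -EventXml $_.ToXml() }
}

# Offline demonstration on the constructed event:
ConvertFrom-PasswordResetEvent -EventXml $sample4724 | Format-List

# Live use, e.g. resets of one account in the last week on a DC:
# Get-PasswordResetAudit -ComputerName 'DC' -Since (Get-Date).AddDays(-7) |
#     Where-Object TargetUser -eq 'jp'
```

Two points matter for the scenario in the post. 4724 is logged on the DC that performed the reset, in the domain that holds the account, so a reset in the corporate domain never appears in the client domain's logs; and 4724 records administrative resets, while a user's own password change is 4723, so a monitor for "the user changed their password" needs both IDs.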
Delegate rights to establish a trust between two forests
Hi all
I have a bit of a rare scenario where I have to provide a user with the permission to establish a trust with my forest root domain.
I could easily give that user "Domain Admin" rights, but that seems a bit much and I want to keep the number of "Domain Admins" as low as possible.
I saw that I can delegate permission, for example "Full Control", to "trustedDomain" objects. But once done I couldn't actually establish a trust with the delegated permission alone.
Does anyone have an idea what minimum permissions I need to achieve this?
Best regards
Simon