Channel: Directory Services forum

Any limitations or disadvantages with using msDS-memberOfTransitive?


Hi,

Using the msDS-memberOfTransitive attribute to get direct and transitive (nested) group membership of users. Would like to know if anyone there is using it and whether there are any limitations with using the msDS-memberOfTransitive attribute.

Compared with the nested group search control "member:1.2.840.113556.1.4.1941", msDS-memberOfTransitive is quite fast. Otherwise, are there any limitations or disadvantages with the msDS-memberOfTransitive attribute?

The question could be too generic, but I'm looking for responses from others' experience.

As these are two different approaches, any recommendation on when to use which approach?

Thanks,

Lokesh
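A side-by-side comparison of the two approaches, as an added example that is not part of the original post. It assumes the ActiveDirectory module, domain controllers at Windows Server 2012 or later (where msDS-memberOfTransitive exists), and a hypothetical account name jdoe and group DN. The practical difference it shows: msDS-memberOfTransitive is a constructed attribute, computed by the DC for one object on a base-scope read (which is what makes it fast), but constructed attributes cannot be used in an LDAP search filter, so "which users are nested under group X" still needs the matching-rule filter or the group's own msDS-memberTransitive.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory
# module, DCs at Windows Server 2012 or later, and a hypothetical account 'jdoe'.
Import-Module ActiveDirectory

function Compare-NestedMembership {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # Base-scope read of one object: the DC builds msDS-memberOfTransitive on demand.
    $user = Get-ADUser -Identity $SamAccountName -Properties 'msDS-memberOfTransitive', 'memberOf'
    $viaAttribute = @($user.'msDS-memberOfTransitive')

    # Matching rule 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN): the DC
    # walks the member links inside the filter, so it works from the group side
    # and over a whole search base. Parentheses, backslashes and asterisks in the
    # DN have to be escaped before it goes into a filter.
    $escapedDn = $user.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
    $viaFilter = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$escapedDn)" |
                   Select-Object -ExpandProperty DistinguishedName)

    [pscustomobject]@{
        User                = $user.DistinguishedName
        DirectGroups        = @($user.memberOf).Count
        TransitiveAttribute = $viaAttribute.Count
        TransitiveFilter    = $viaFilter.Count
        # Groups one method reports and the other does not; normally both empty
        OnlyInAttribute     = @($viaAttribute | Where-Object { $_ -notin $viaFilter })
        OnlyInFilter        = @($viaFilter    | Where-Object { $_ -notin $viaAttribute })
    }
}

Compare-NestedMembership -SamAccountName 'jdoe'

# The inverse question, "who is transitively in this group", cannot put the
# constructed attribute in a filter. It is either a base read of the group's own
# msDS-memberTransitive, or the matching rule applied to memberOf (hypothetical DN):
Get-ADUser -LDAPFilter '(memberOf:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,DC=example,DC=com)' |
    Select-Object SamAccountName, DistinguishedName
```

Run the comparison against a handful of accounts with deep nesting; any DN that lands in OnlyInAttribute or OnlyInFilter is worth a closer look, since the two methods resolve the same link values and should agree.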


Admins sporadically getting "You do not have sufficient privileges to delete " but they have sufficient permissions to delete the object


We've been getting a handful of calls lately from our Network Admins complaining that they can't delete computer accounts.

They get an Active Directory dialog box that states that they are a loser... "You do not have sufficient privileges to delete XXXXXX".

When it occurs, it affects all of the Admins for the particular problem object in question.

As a domain admin and enterprise admin, I am able to delete the object without a problem.

The Admins are able to delete other computer accounts as well as create new computer accounts within the same OU. The security and ownership is identical for both problem objects and non-problem objects.

I'm stumped and I couldn't get any relevant hits on TechNet or the web.

David W. King

Technical Architect - Systems, Information Technology
(919) 784-3889
david.king@rexhealth.com

REX Healthcare, 4420 Lake Boone Trail, Raleigh, NC 27607


David W King
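A check worth running on a problem object next to a working one, as an added example that is not part of the original post. It assumes the ActiveDirectory module and two hypothetical computer names, and reads both objects from the same DC so replication lag does not colour the comparison. Beyond the ACL and owner the post already compared, it lists the object's child objects and any Deny ACE touching a delete right: deleting a parent that has children requires Delete Subtree (or delete on every child), and the ADUC dialog reports that as insufficient privileges without naming the child.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory
# module and two hypothetical computer names, 'PC-BAD' and 'PC-GOOD'.
Import-Module ActiveDirectory

function Get-DeleteDiagnostics {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Server = [string](Get-ADDomainController -Discover).HostName
    )
    $comp = Get-ADComputer -Identity $Name -Server $Server `
                           -Properties ProtectedFromAccidentalDeletion, nTSecurityDescriptor
    $sd = $comp.nTSecurityDescriptor   # System.DirectoryServices.ActiveDirectorySecurity

    # Objects beneath the computer (print queues, DFS links, ...). Deleting a
    # parent with children needs Delete Subtree or delete on each child.
    $children = @(Get-ADObject -Server $Server -SearchBase $comp.DistinguishedName `
                               -SearchScope OneLevel -Filter * -ErrorAction SilentlyContinue)

    # Explicit and inherited ACEs, resolved to account names
    $rules = $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

    [pscustomobject]@{
        Name             = $comp.Name
        ReadFrom         = $Server
        Owner            = $sd.GetOwner([System.Security.Principal.NTAccount]).Value
        ProtectedFromDel = $comp.ProtectedFromAccidentalDeletion
        ChildObjects     = @($children | Select-Object -ExpandProperty DistinguishedName)
        DenyDeleteAces   = @($rules | Where-Object {
                               $_.AccessControlType -eq 'Deny' -and
                               $_.ActiveDirectoryRights.ToString() -match 'Delete'
                           } | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited)
    }
}

Get-DeleteDiagnostics -Name 'PC-BAD'
Get-DeleteDiagnostics -Name 'PC-GOOD'
```

If ChildObjects is non-empty only on the problem object, the admins' delegated rights are the thing to read next: Delete on the computer class is not the same as Delete Subtree, and a child of a different object class needs its own delete right.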



Maximum Password length

I was trying to set the maximum password length for user accounts in AD. I know I can set the minimum password length using GPO, but is there a way that I can set a maximum and a minimum password length for a user? For instance, I want the minimum password length to be 3 and the maximum to be 20.

A question about Immediate and Urgent AD replication


The Microsoft documentation on the following does not make these points clear (especially question 2). Therefore I wanted to ask the question here and hopefully a member of the MS AD team will pick it up to give a concise answer.

Imagine you have an AD forest with one domain and three sites

Site1, Site2 and Site3

Each site has two DCs and all FSMO roles are held by the DCs in Site1

Urgent replication versus immediate replication

Let's start off with Immediate Replication (not Urgent)

I understand certain events need to be replicated 'immediately', e.g. account 'lockout' events. My understanding of immediately is that a domain controller (DC04 for example) opens a direct RPC/IP connection to the PDC emulator to update the PDC emulator's replica with the account lockout, thereby overriding any site link schedules.

Question 1:

First question is: does DC04 update the PDC's replica (as it states in some MS documents), or does DC04 inform the PDC emulator it has some 'immediate' attributes to update, after which the PDC 'requests' said updates (high water mark) as with a normal replication notification and pulls the changes (but just does not wait for the site link schedule)?

Question 2:

Also, from what I have read, 'immediate' replication only appears to happen between a DC and the PDC, in other words when a DC needs to replicate something immediately to the PDC (e.g. DC01), meaning immediate replication never happens between, say, DC04 and DC03 (as neither is the PDC). Is that correct?

Question 3:

Is it correct to say that both ‘account lockout’ and ‘account unlock’ are both replicated to the PDC as ‘immediate’ replication?

Now let’s deal with Urgent Replication

From what I have read ‘urgent’ replication does not override site link schedules. Therefore Urgent replication only has meaning within the site where urgent replication is triggered (or if change notification is enabled between sites).

If that last statement is correct I can see a situation whereby an account is 'locked out' in Site 2, which is then immediately replicated to the PDC. The PDC then uses urgent replication (within its site only, e.g. Site 1) to replicate this account lockout. At the same time the DC in Site 2 that dealt with the account lockout also uses urgent replication (again within its site only) to replicate the account lockout. So at this point it is fair to say all DCs in Site 1 and Site 2 know about the account lockout very quickly. However, Site 3 may have a site link schedule of 2 hours, for example (non-default); therefore the DCs in Site 3 would not know about the account lockout (as it has not been replicated yet), so looking at the MrSmith AD account there, it would not show as locked.

Question 4:

Is the above statement about MrSmith and the lockout replication behaviour correct?

Question 5:

Assuming MrSmith's account in Site 3 is not showing as locked out and MrSmith logs in to a computer in Site 3 (and therefore against a DC in Site 3). If he enters his password correctly (therefore no need to refer back to the PDC), I assume he will be able to log in?

Question 6:

Depending on the answer to question 5 above, every time a user logs on to the domain is the PDC emulator referenced, e.g. just in case the account is locked out? (e.g. even if the account shows as not locked out and the user enters their password correctly)

 

Thanks very much in advance
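The scenario in questions 4 and 5 can be observed directly rather than reasoned about: the added example below (not part of the original post) reads the lockout-related attributes of one account from every DC in turn. It assumes the ActiveDirectory module and that an account named MrSmith, as in the post, exists. The attributes differ in how they move: lockoutTime is replicated (and account lockout is one of the urgent-replication triggers), while badPwdCount and badPasswordTime are never replicated at all. Each DC keeps its own copy of those two and forwards failed attempts to the PDC emulator, so a per-DC table is the only way to see which replica knows what at a given moment.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory
# module and an account 'MrSmith' as named in the post.
Import-Module ActiveDirectory

function Get-LockoutStateByDc {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $pdc = (Get-ADDomain).PDCEmulator

    foreach ($dc in Get-ADDomainController -Filter * | Sort-Object Site, HostName) {
        # -Server pins the read to one DC; no referral, no ADWS load balancing
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                        -Properties lockoutTime, badPwdCount, LastBadPasswordAttempt, LockedOut
        [pscustomobject]@{
            DC          = $dc.HostName
            Site        = $dc.Site
            IsPDC       = ($dc.HostName -eq $pdc)
            LockedOut   = $u.LockedOut                      # derived from lockoutTime vs. policy
            LockoutTime = if ($u.lockoutTime) { [DateTime]::FromFileTimeUtc($u.lockoutTime) } else { $null }
            BadPwdCount = $u.badPwdCount                    # local to this DC, not replicated
            LastBadPwd  = $u.LastBadPasswordAttempt         # local to this DC, not replicated
        }
    }
}

Get-LockoutStateByDc -SamAccountName 'MrSmith' | Format-Table -AutoSize
```

Run it a few seconds after a deliberate lockout in a test site and again after the site link's schedule has passed; the LockoutTime column answers question 4 for the actual topology, and a DC whose BadPwdCount stays at zero while others climb is the expected picture rather than a fault.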


Sites replication fail between subdomains


I have recently dismissed a 2012 DC and replaced it with 2016 in a subdomain.

At present, replication of Sites and Services is not in sync between the 2 domains.

The main domain still sees an old server in Sites and Services, and I cannot delete it.



Similarly, in NTDSutil metadata cleanup I get a message that I should do this from a DC in the subdomain, and the mentioned server is not removed, but it is not presented in the subdomain when I connect to a DC in the subdomain.

Repadmin /replsum has given me these errors for a few weeks, from any DC.

 DC(name of dc in main domain)              19d.03h:18m:48s    1 /   6   16  (8464) Synchronization attempt failed because the destination DC is currently waiting to synchronize new partial attributes from source. This condition is normal if a recent schema change modified the partial attribute set. The destination partial attribute set is not a subset of source partial attribute set

The old DC Computer object and all DNS entries are removed from the Subdomain. But the main domain DNS still reports the old server entry in the Subdomain NS (non removable).

How to cure the situation?

How to Reactivate my windows ?


Hey all,

I formatted my system. Now I don't know where to activate my Windows. Can someone help me out?

Thanks

Unable to sync time from Primary DC


All domain controllers and clients are unable to sync their time from the PDC and are getting the error below. The PDC is syncing from another NTP server in our environment.

The NTP port is accessible.

already run

/resync /rediscover

/unregister /register

Tried to change PDC role to another server. 

152575 11:15:22.7860879s - ---------- Log File Opened -----------------
152575 11:15:22.7860879s - CurSpc:15625000ns  BaseSpc:15625000ns  SyncToCmos:Yes
152575 11:15:22.7860879s - PerfFreq:10000000c/s
152575 11:15:22.7860879s - ReadConfig: Found provider 'NtpClient':
152575 11:15:22.7860879s - ReadConfig:   'Enabled'=0x00000001
152575 11:15:22.7860879s - ReadConfig:   'DllName'='C:\Windows\system32\w32time.dll'
152575 11:15:22.7860879s - ReadConfig:   'DllName'='C:\Windows\system32\w32time.dll'
152575 11:15:22.7860879s - ReadConfig:   'DllName'='C:\Windows\system32\w32time.dll'
152575 11:15:22.7860879s - ReadConfig:   'InputProvider'=0x00000001
152575 11:15:22.7860879s - ReadConfig:   'RunOnVirtualOnly'=0x00000000
152575 11:15:22.7860879s - ReadConfig: Found provider 'NtpServer':
152575 11:15:22.7860879s - ReadConfig:   'Enabled'=0x00000000
152575 11:15:22.7860879s - ReadConfig:   'DllName'='C:\Windows\system32\w32time.dll'
152575 11:15:22.7860879s - ReadConfig:   'DllName'='C:\Windows\system32\w32time.dll'
152575 11:15:22.7860879s - ReadConfig:   'DllName'='C:\Windows\system32\w32time.dll'
152575 11:15:22.7860879s - ReadConfig:   'InputProvider'=0x00000000
152575 11:15:22.7860879s - ReadConfig:   'RunOnVirtualOnly'=0x00000000
152575 11:15:22.7860879s - ReadConfig: Found provider 'VMICTimeProvider':
152575 11:15:22.7860879s - ReadConfig:   'Enabled'=0x00000001
152575 11:15:22.7860879s - ReadConfig:   'DllName'='C:\Windows\System32\vmictimeprovider.dll'
152575 11:15:22.7860879s - ReadConfig:   'DllName'='C:\Windows\System32\vmictimeprovider.dll'
152575 11:15:22.7860879s - ReadConfig:   'DllName'='C:\Windows\System32\vmictimeprovider.dll'
152575 11:15:22.7860879s - ReadConfig:   'InputProvider'=0x00000001
152575 11:15:22.7860879s - ReadConfig:   'RunOnVirtualOnly'=0x00000001
152575 11:15:22.7860879s - ReadConfig: 'PhaseCorrectRate'=0x00000001 (2)
152575 11:15:22.7860879s - ReadConfig: 'UpdateInterval'=0x00007530 (2)
152575 11:15:22.7860879s - ReadConfig: 'FrequencyCorrectRate'=0x00000004 (2)
152575 11:15:22.7860879s - ReadConfig: 'PollAdjustFactor'=0x00000005 (2)
152575 11:15:22.7860879s - ReadConfig: 'LargePhaseOffset'=0x02FAF080 (2)
152575 11:15:22.7860879s - ReadConfig: 'SpikeWatchPeriod'=0x00000384 (2)
152575 11:15:22.7860879s - ReadConfig: 'HoldPeriod'=0x00000005 (2)
152575 11:15:22.7860879s - ReadConfig: 'MinPollInterval'=0x0000000A (2)
152575 11:15:22.7860879s - ReadConfig: 'MaxPollInterval'=0x0000000F (2)
152575 11:15:22.7860879s - ReadConfig: 'AnnounceFlags'=0x00000005 (2)
152575 11:15:22.7860879s - ReadConfig: 'LocalClockDispersion'=0x0000000A (2)
152575 11:15:22.7860879s - ReadConfig: 'MaxNegPhaseCorrection'=0xFFFFFFFF (2)
152575 11:15:22.7860879s - ReadConfig: 'MaxPosPhaseCorrection'=0xFFFFFFFF (2)
152575 11:15:22.7860879s - ReadConfig: 'EventLogFlags'=0x00000002 (2)
152575 11:15:22.7860879s - ReadConfig: 'MaxAllowedPhaseOffset'=0x0000012C (2)
152575 11:15:22.7860879s - ReadConfig: 'TimeJumpAuditOffset'=0x00007080 (2)
152575 11:15:22.7860879s - lastClockRate=156250, clockPrecision=-6
152575 11:15:22.7860879s - SetTimeSlipNotification succeeds with 0x00000000.
152575 11:15:22.7860879s - W32TmServiceMain: RequestNetTopoChangeNotification Succeed
152575 11:15:22.7860879s - W32TmServiceMain: RequestNetTopoChangeNotification Succeed
152575 11:15:22.7860879s -   DomainHierarchy: LSA role change notification. Redetecting.
152575 11:15:22.8017151s - ClockDisciplineThread: Starting: SetUnsync: LI:0 S:1 RDl:0 RDs:100000000 TSF:0x0 
152575 11:15:22.8017151s - ClockDispln: we're a reliable time service with no time source: LS: 0, TN: 864000000000, WAIT: 86400000
152575 11:15:22.8017151s - Starting Providers.
152575 11:15:22.8017151s - Starting 'NtpClient', dll:'C:\Windows\system32\w32time.dll'
152575 11:15:22.8017151s - LoadLibrary
152575 11:15:22.8017151s - NtpTimeProvOpen("NtpClient") called.
152575 11:15:22.8017151s - StartNtpProv
152575 11:15:22.8017151s - sysPrecision=-6, systmeClockResolution=156250
152575 11:15:22.8017151s - NtpProvider: Created 2 sockets (0 listen-only): [::]:123<0x0>, 0.0.0.0:123<0x0>
152575 11:15:22.8017151s - PeerPollingThread: waiting forever
152575 11:15:22.8017151s - ReadConfig: 'AllowNonstandardModeCombinations'=0x00000001 (2)
152575 11:15:22.8017151s - ReadConfig: 'CompatibilityFlags'=0x80000000 (2)
152575 11:15:22.8017151s - ReadConfig: 'SpecialPollInterval'=0x00000E10 (2)
152575 11:15:22.8017151s - ReadConfig: 'ResolvePeerBackoffMinutes'=0x0000000F (2)
152575 11:15:22.8017151s - ReadConfig: 'ResolvePeerBackoffMaxTimes'=0x00000007 (2)
152575 11:15:22.8017151s - ReadConfig: 'EventLogFlags'=0x00000001 (2)
152575 11:15:22.8017151s - ReadConfig: 'LargeSampleSkew'=0x00000003 (2)
152575 11:15:22.8017151s - ReadConfig: 'SignatureAuthAllowed'=0x00000001 (2)
152575 11:15:22.8017151s - ReadConfig: 'Type'=NT5DS (2)
152575 11:15:22.8017151s - ReadConfig: 'CrossSiteSyncFlags'=0x00000002 (2)
152575 11:15:22.8017151s - AddNewPendingPeer: domain
152575 11:15:22.8017151s - PeerPollingThread: waiting 0.000s
152575 11:15:22.8017151s - PeerPollingThread: PeerListUpdated
152575 11:15:22.8017151s - NtpClient started.
152575 11:15:22.8017151s - Starting 'VMICTimeProvider', dll:'C:\Windows\System32\vmictimeprovider.dll'
152575 11:15:22.8017151s - Resolving domain peer
152575 11:15:22.8017151s - LoadLibrary
152575 11:15:22.8017151s - Successfully started 2 providers.
152575 11:15:22.8017151s - W32TmServiceMain: waiting i16.000s (1024.000s)
152575 11:15:22.8017151s - Domain member syncing from \\dc.mydomain.com.
152575 11:15:22.8017151s - Association: (Local) 0.0.0.0:123 => 172.16.100.100:123 (Remote)
152575 11:15:22.8017151s - Created reachability group: (
152575 11:15:22.8017151s - 172.16.100.100:123,
152575 11:15:22.8017151s - )
152575 11:15:22.8017151s - PeerPollingThread: waiting 0.000s
152575 11:15:22.8017151s - PeerPollingThread: PeerListUpdated
152575 11:15:22.8017151s - Reachability: Attempting to contact peer dc.mydomain.com (ntp.d|0.0.0.0:123->172.16.100.100:123).
152575 11:15:22.8017151s - Polling peer dc.mydomain.com (ntp.d|0.0.0.0:123->172.16.100.100:123)
152575 11:15:22.8017151s - Sending packet to dc.mydomain.com (ntp.d|0.0.0.0:123->172.16.100.100:123) in Win2K detect mode, stage 1.
152575 11:15:22.8017151s - Peer poll: Max:1024.0000000s Cur:00.0000000s
152575 11:15:22.8017151s - PeerPollingThread: waiting 1024.000s
152575 11:15:22.8017151s - ListeningThread -- DataAvailEvent set for socket 1 (0.0.0.0:123)
152575 11:15:22.8017151s - ListeningThread -- response heard from 172.16.100.100:123 <- 172.16.100.5:123
152575 11:15:22.8017151s - W32TmServiceMain: Network Topology Change
152575 11:15:22.8017151s - TimeProvCommand([NtpClient], TPC_NetTopoChange) called.
152575 11:15:22.8017151s - W32TmServiceMain: Network Topology Change
152575 11:15:22.8017151s - TimeProvCommand([NtpClient], TPC_NetTopoChange) called.
152575 11:15:22.8017151s - /-- NTP Packet:
152575 11:15:22.8017151s - | LeapIndicator: 0 - no warning;  VersionNumber: 3;  Mode: 4 - Server;  LiVnMode: 0x1C
152575 11:15:22.8017151s - | Stratum: 15 - secondary reference (syncd by (S)NTP)
152575 11:15:22.8017151s - | Poll Interval: 17 - out of valid range;  Precision: -6 - 15.625ms per tick
152575 11:15:22.8017151s - | RootDelay: 0x0000.0800s - 0.03125s;  RootDispersion: 0x0000.1A50s - 0.102783s
152575 11:15:22.8017151s - | ReferenceClockIdentifier: 0xAC106402 - source IP: 172.16.100.2
152575 11:15:22.8017151s - | ReferenceTimestamp:   0xDF57382F4EE8D617 - 13182519983308240300ns - 152575 11:06:23.3082403s
152575 11:15:22.8017151s - | OriginateTimestamp:   0xDF573A4ACD3D3367 - 13182520522801715100ns - 152575 11:15:22.8017151s
152575 11:15:22.8017151s - | ReceiveTimestamp:     0xDF573A6DD4078E69 - 13182520557828240300ns - 152575 11:15:57.8282403s
152575 11:15:22.8173377s - | TransmitTimestamp:    0xDF573A6DD4078E69 - 13182520557828240300ns - 152575 11:15:57.8282403s
152575 11:15:22.8173377s - >-- Non-packet info:
152575 11:15:22.8173377s - | DestinationTimestamp: 152575 11:15:22.8173377s - 0xDF573A4ACD3D3367152575 11:15:22.8173377s -  - 13182520522801715100ns152575 11:15:22.8173377s -  - 152575 11:15:22.8017151s
152575 11:15:22.8173377s - | RoundtripDelay: 000ns (0s)
152575 11:15:22.8173377s - | LocalClockOffset: 35026525200ns - 0:35.026525200s
152575 11:15:22.8173377s - \--
152575 11:15:22.8173377s - Response received from domain controller dc.mydomain.com authenticated successfully (using digest format)
152575 11:15:22.8173377s - Peer dc.mydomain.com (ntp.d|0.0.0.0:123->172.16.100.100:123) is not Win2K. Setting compat flags.
152575 11:15:22.8173377s - Packet test 7 failed (bad stratum: system - 1, sample - 15).
152575 11:15:22.8173377s - Ignoring packet that failed tests from dc.mydomain.com (ntp.d|0.0.0.0:123->172.16.100.100:123).
152575 11:15:22.8173377s - NtpProvider: Network Topology Change
152575 11:15:22.8173377s - Reachability:  removing peer dc.mydomain.com (ntp.d|0.0.0.0:123->172.16.100.100:123).  LAST PEER IN GROUP!
152575 11:15:22.8173377s -   Peer dc.mydomain.com (ntp.d|0.0.0.0:123->172.16.100.100:123) never sync'd, resync now!
152575 11:15:22.8173377s -   Peers reset: p-p:0 a-p:1 a-x:0
152575 11:15:22.8173377s - NtpProvider: Created 2 sockets (0 listen-only): [::]:123<0x0>, 0.0.0.0:123<0x0>
152575 11:15:22.8173377s - PeerPollingThread: waiting 1.485s
152575 11:15:22.8173377s - PeerPollingThread: PeerListUpdated
152575 11:15:22.8173377s - Logging error: NtpClient has been configured to acquire time from one or more time sources, however none of the sources are currently accessible and no attempt to contact a source will be made for 1 minutes. NTPCLIENT HAS NO SOURCE OF ACCURATE TIME.
152575 11:15:22.8173377s - PeerPollingThread: waiting 1.485s
152575 11:15:22.8173377s - NtpProvider: Network Topology Change
152575 11:15:22.8173377s -   Peer  never sync'd, resync now!
152575 11:15:22.8173377s -   Peers reset: p-p:1 a-p:1 a-x:0
152575 11:15:22.8173377s - NtpProvider: Created 2 sockets (0 listen-only): [::]:123<0x0>, 0.0.0.0:123<0x0>
152575 11:15:22.8173377s - PeerPollingThread: waiting 1.500s
152575 11:15:22.8173377s - W32TmServiceMain: waiting i16.000s (1024.000s)
152575 11:15:22.8173377s - W32TmServiceMain: RequestNetTopoChangeNotification Succeed
152575 11:15:22.8173377s - PeerPollingThread: PeerListUpdated
152575 11:15:22.8173377s - Logging error: NtpClient has been configured to acquire time from one or more time sources, however none of the sources are currently accessible and no attempt to contact a source will be made for 1 minutes. NTPCLIENT HAS NO SOURCE OF ACCURATE TIME.
152575 11:15:22.8173377s - PeerPollingThread: waiting 1.500s
152575 11:15:22.8173377s - W32TmServiceMain: waiting i16.000s (1024.000s)
152575 11:15:22.8173377s - W32TmServiceMain: RequestNetTopoChangeNotification Succeed
152575 11:15:24.3173388s - PeerPollingThread: WaitTimeout
152575 11:15:24.3173388s - Resolving domain peer
152575 11:15:24.3173388s - Domain member syncing from \\dc.mydomain.com.
152575 11:15:24.3173388s - Association: (Local) 0.0.0.0:123 => 172.16.100.100:123 (Remote)
152575 11:15:24.3173388s - Created reachability group: (
152575 11:15:24.3173388s - 172.16.100.100:123,
152575 11:15:24.3173388s - )
152575 11:15:24.3173388s - PeerPollingThread: PeerListUpdated
152575 11:15:24.3173388s - Reachability: Attempting to contact peer dc.mydomain.com (ntp.d|0.0.0.0:123->172.16.100.100:123).
152575 11:15:24.3173388s - Polling peer dc.mydomain.com (ntp.d|0.0.0.0:123->172.16.100.100:123)
152575 11:15:24.3173388s - Sending packet to dc.mydomain.com (ntp.d|0.0.0.0:123->172.16.100.100:123) in Win2K detect mode, stage 1.
152575 11:15:24.3173388s - Peer poll: Max:1024.0000000s Cur:00.0000000s
152575 11:15:24.3173388s - PeerPollingThread: waiting 1024.000s
152575 11:15:24.3173388s - PeerPollingThread: waiting 1024.000s
152575 11:15:24.3173388s - ListeningThread -- DataAvailEvent set for socket 1 (0.0.0.0:123)
152575 11:15:24.3173388s - ListeningThread -- response heard from 172.16.100.100:123 <- 172.16.100.5:123
152575 11:15:24.3173388s - /-- NTP Packet:
152575 11:15:24.3173388s - | LeapIndicator: 0 - no warning;  VersionNumber: 3;  Mode: 4 - Server;  LiVnMode: 0x1C
152575 11:15:24.3173388s - | Stratum: 15 - secondary reference (syncd by (S)NTP)
152575 11:15:24.3173388s - | Poll Interval: 17 - out of valid range;  Precision: -6 - 15.625ms per tick
152575 11:15:24.3173388s - | RootDelay: 0x0000.0800s - 0.03125s;  RootDispersion: 0x0000.1A51s - 0.102798s
152575 11:15:24.3173388s - | ReferenceClockIdentifier: 0xAC106402 - source IP: 172.16.100.2
152575 11:15:24.3173388s - | ReferenceTimestamp:   0xDF57382F4EF87C7D - 13182519983308479100ns - 152575 11:06:23.3084791s
152575 11:15:24.3173388s - | OriginateTimestamp:   0xDF573A4C513D1D97 - 13182520524317338800ns - 152575 11:15:24.3173388s
152575 11:15:24.3173388s - | ReceiveTimestamp:     0xDF573A6F576B2C9E - 13182520559341479100ns - 152575 11:15:59.3414791s
152575 11:15:24.3173388s - | TransmitTimestamp:    0xDF573A6F576B2C9E - 13182520559341479100ns - 152575 11:15:59.3414791s
152575 11:15:24.3173388s - >-- Non-packet info:
152575 11:15:24.3173388s - | DestinationTimestamp: 152575 11:15:24.3173388s - 0xDF573A4C513D1D97152575 11:15:24.3173388s -  - 13182520524317338800ns152575 11:15:24.3173388s -  - 152575 11:15:24.3173388s
152575 11:15:24.3173388s - | RoundtripDelay: 000ns (0s)
152575 11:15:24.3173388s - | LocalClockOffset: 35024140300ns - 0:35.024140300s
152575 11:15:24.3173388s - \--
152575 11:15:24.3173388s - Response received from domain controller dc.mydomain.com authenticated successfully (using digest format)
152575 11:15:24.3173388s - Peer dc.mydomain.com (ntp.d|0.0.0.0:123->172.16.100.100:123) is not Win2K. Setting compat flags.
152575 11:15:24.3173388s - Packet test 7 failed (bad stratum: system - 1, sample - 15).
152575 11:15:24.3173388s - Ignoring packet that failed tests from dc.mydomain.com (ntp.d|0.0.0.0:123->172.16.100.100:123).
152575 11:15:24.8017134s - W32TimeHandler called: SERVICE_CONTROL_INTERROGATE
152575 11:15:32.5674287s - RPC Caller is mydomain\asad.admin (S-1-5-21-1699421847-4021460542-3915083997-186050)
152575 11:15:32.5674287s - RPC Call Attribute is local=1, kernel=0, session=0, authentication=6, protocol=2, OpNum=3
152575 11:15:32.5674287s - RPC Call - Query Source
152575 11:15:38.8173411s - W32TmServiceMain: timeout
152575 11:15:38.8173411s - Sample Prepared at 131825205388173411 for peer dc.mydomain.com (ntp.d|0.0.0.0:123->172.16.100.100:123)
152575 11:15:38.8173411s - W32TmServiceMain: waiting 1024.000s
152575 11:15:41.6142149s - W32TimeHandler called: SERVICE_CONTROL_INTERROGATE
152575 11:15:41.8173334s - W32TimeHandler called: SERVICE_CONTROL_INTERROGATE
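Reading the log above: the service is configured as Type NT5DS, registers itself as "a reliable time service with no time source" (AnnounceFlags 5), sends to dc.mydomain.com, receives a stratum-15 reply, and discards it in packet test 7 with "system - 1, sample - 15". Whether the other DCs in the chain see the same thing is easiest to judge from one table, which is what the added example below builds; it is not part of the original post, uses only documented w32tm query switches, and assumes the ActiveDirectory module plus RPC access to each DC.

```powershell
# Added example, not code from the original post. Queries every DC with w32tm
# and tabulates the stratum, source, Type and AnnounceFlags each one reports.
Import-Module ActiveDirectory

function Get-DcTimeStatus {
    $pdc = (Get-ADDomain).PDCEmulator

    # Pull "Key: value" out of w32tm's text output (first match only)
    $get = {
        param($lines, $key)
        ($lines | Where-Object { $_ -match "^\s*$key\s*:" } | Select-Object -First 1) -replace "^\s*$key\s*:\s*", ''
    }

    foreach ($dc in Get-ADDomainController -Filter * | Sort-Object HostName) {
        $h = $dc.HostName
        $status = w32tm /query /status /computer:$h 2>&1
        $config = w32tm /query /configuration /computer:$h 2>&1
        [pscustomobject]@{
            DC            = $h
            IsPDC         = ($h -eq $pdc)
            Stratum       = & $get $status 'Stratum'
            Source        = & $get $status 'Source'
            Type          = & $get $config 'Type'            # NT5DS (domain hierarchy) or NTP (manual peers)
            AnnounceFlags = & $get $config 'AnnounceFlags'   # 5 = always reliable, 10 = reliable when synced
            LastSync      = & $get $status 'Last Successful Sync Time'
        }
    }
}

Get-DcTimeStatus | Format-Table -AutoSize

# Documented w32tm configuration, shown for reference and not as a diagnosis
# of the poster's environment. The PDC emulator takes external peers and
# advertises as reliable only once it is synced; every other DC follows the
# domain hierarchy, so the stratum increases down the chain instead of
# colliding at 1.
#   w32tm /config /manualpeerlist:"ntp1.example ntp2.example" /syncfromflags:manual /reliable:yes /update
#   w32tm /config /syncfromflags:domhier /update      # on the other DCs and members
#   w32tm /resync /rediscover
```

A DC that reports Type NT5DS together with AnnounceFlags 5 and a stratum of 1 is advertising itself as a root clock while also expecting to follow the hierarchy; the table makes that combination visible on every DC at once instead of one debug log at a time.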

DCPromo as ROWC fails - Server 2016


I've been working on a DCPromo issue for about 6 months that I can't seem to get around.  Some of my specific details are a little fuzzy at this point since it's been so long but I tried the process 3 times in the last 24 hours & I still get a failure.

2016 servers were RWDC & I demoted them & then tried to DCPromo as RODC.  I continuously get these results:

The operation failed because:

While promoting Read-only Domain Controller, failed to replicate the secrets from the helper AD DC.

"The replication operation failed because the target object referred by a link value is recycled."

I have tried deleting any related AD recycle bin records short of just deleting everything, which I'm not doing.  I'm searching by date, by server name & by "KRBTGT_" & deleting anything I find but the issue persists:

Get-ADObject -IncludeDeletedObjects -Filter {(IsDeleted -eq $true)} -Properties * -Server domaincontroller.domain.com | Where-Object {$_.DistinguishedName -like "*krbtgt_*"} | Select-Object Name,DistinguishedName,WhenChanged | sort whenchanged

Get-ADObject -IncludeDeletedObjects -Filter {(IsDeleted -eq $true)} -Properties * -Server pdc-necorp.nesl.com | Where-Object {$_.DistinguishedName -like "*xxxxxx*"} | Select-Object Name,DistinguishedName,WhenChanged | sort whenchanged

Get-ADObject -IncludeDeletedObjects -Filter {(IsDeleted -eq $true)} -Properties * -Server dhcp-necorp.nesl.com | Where-Object {$_.WhenChanged -gt "7/17/2018 4:00:00 PM"} | Select-Object Name,DistinguishedName,WhenChanged | sort whenchanged

I've also waited over 30 days between attempts (after deleting the recycle bin items) - no good!

The only way around it is to promote as an RWDC again.

Any suggestions would be appreciated.

-Dave
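The queries in the post filter on IsDeleted, while the error names an object that is recycled. With the Recycle Bin enabled those are two distinct states: a deleted object keeps its attributes and can be restored; once its deleted-object lifetime expires it becomes recycled (isRecycled=TRUE), is stripped of most attributes, and stays in the database until the tombstone lifetime runs out and garbage collection removes it. The added example below, not part of the original post, lists the recycled objects by sending the LDAP Show Recycled control itself, so it does not depend on what the cmdlet's -IncludeDeletedObjects switch adds; it assumes a hypothetical DC name and the caller's own credentials.

```powershell
# Added example, not code from the original post. Lists objects in the recycled
# state by sending LDAP_SERVER_SHOW_RECYCLED_OID explicitly. Hypothetical DC name.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-RecycledObject {
    param(
        [Parameter(Mandatory)][string]$Server,
        [string]$SearchBase,
        [int]$PageSize = 500
    )
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.Signing = $true   # integrity on the bind and the searches
    $conn.SessionOptions.Sealing = $true   # encryption of the LDAP traffic
    $conn.Bind()                           # Negotiate, caller's identity

    if (-not $SearchBase) {
        $rootReq = New-Object System.DirectoryServices.Protocols.SearchRequest(
            '', '(objectClass=*)', [System.DirectoryServices.Protocols.SearchScope]::Base, 'defaultNamingContext')
        $SearchBase = [string]$conn.SendRequest($rootReq).Entries[0].Attributes['defaultNamingContext'][0]
    }

    $attrs = [string[]]('objectClass', 'whenChanged', 'lastKnownParent', 'isDeleted', 'isRecycled')
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $SearchBase, '(isRecycled=TRUE)', [System.DirectoryServices.Protocols.SearchScope]::Subtree, $attrs)

    # 1.2.840.113556.1.4.2064 = Show Recycled. The older Show Deleted control
    # (1.2.840.113556.1.4.417) alone stops at deleted-but-not-yet-recycled objects.
    $showRecycled = New-Object System.DirectoryServices.Protocols.DirectoryControl(
        '1.2.840.113556.1.4.2064', $null, $true, $true)
    $paging = New-Object System.DirectoryServices.Protocols.PageResultRequestControl($PageSize)
    [void]$req.Controls.Add($showRecycled)
    [void]$req.Controls.Add($paging)

    do {
        $resp = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)
        foreach ($entry in $resp.Entries) {
            # Recycled objects keep very few attributes, so read defensively
            $value = { param($n) if ($entry.Attributes.Contains($n)) { [string]$entry.Attributes[$n][0] } }
            $class = if ($entry.Attributes.Contains('objectClass')) {
                         $entry.Attributes['objectClass'].GetValues([string])[-1]   # most specific class
                     }
            [pscustomobject]@{
                DistinguishedName = $entry.DistinguishedName
                Class             = $class
                WhenChanged       = & $value 'whenChanged'
                LastKnownParent   = & $value 'lastKnownParent'
            }
        }
        $pageResp = $resp.Controls | Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }
        $paging.Cookie = $pageResp.Cookie
    } while ($paging.Cookie -and $paging.Cookie.Length -gt 0)

    $conn.Dispose()
}

Get-RecycledObject -Server 'dc01.example.com' |
    Sort-Object WhenChanged |
    Format-Table DistinguishedName, Class, WhenChanged, LastKnownParent -AutoSize
```

Recycled objects cannot be restored or deleted through the normal cmdlets; they leave only when garbage collection runs after the tombstone lifetime (read it from the forest's Directory Service configuration rather than assuming 30 days), so the list above tells you what the RODC promotion is tripping over and how long it will be there.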


netlogon and sysvol not shared but synchronized and no error in event viewer


Hi everyone, I have a strange problem in a domain that I can not solve. There are two domain controllers in two different sites connected by a VPN. The domain controller that holds all the FSMO roles seems OK, while on the other one SYSVOL and NETLOGON are not shared, even though they are synchronized, and in the event log I do not find any error related to the problem.
Status:
Primary DC 192.168.0.4 All FSMO roles, netlogon and sysvol shared (AKA PDC for simplicity).
Writable DC 192.168.2.4 netlogon and sysvol not shared (AKA BDC for simplicity).

attach the debug file: http://www.malatesta.biz/share/debug-bart.zip

I tried a server reboot, a non-authoritative restore and an authoritative restore, changing DNS (other DC, loopback, local IP and vice versa), and migrating the replication to DFSR (now the global state is 2, Redirected).

I can not figure out how to solve, can you help me?

TNX
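A compact way to see the three things that have to line up before Netlogon shares SYSVOL and NETLOGON on a DC, added here as an example that is not part of the original post: the DFSR state of the SYSVOL replicated folder, the SysvolReady value under Netlogon's Parameters key (DFSR sets it to 1 once the folder has finished initial sync, and Netlogon only creates the shares when it is 1), and whether the shares actually exist. It assumes the ActiveDirectory module and WinRM/CIM access to each DC.

```powershell
# Added example, not code from the original post. Per DC: DFSR state of the
# 'SYSVOL Share' replicated folder, Netlogon's SysvolReady flag, and the shares.
Import-Module ActiveDirectory

# DfsrReplicatedFolderInfo.State values
$dfsrState = @{ 0 = 'Uninitialized'; 1 = 'Initialized'; 2 = 'Initial Sync'
                3 = 'Auto Recovery'; 4 = 'Normal';      5 = 'In Error' }

function Get-SysvolHealth {
    foreach ($dc in Get-ADDomainController -Filter * | Sort-Object HostName) {
        $h = $dc.HostName

        $folder = Get-CimInstance -ComputerName $h -Namespace 'root\microsoftdfs' `
                                  -ClassName DfsrReplicatedFolderInfo -ErrorAction SilentlyContinue |
                  Where-Object { $_.ReplicatedFolderName -eq 'SYSVOL Share' }

        $ready = Invoke-Command -ComputerName $h -ScriptBlock {
            (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
                              -Name SysvolReady -ErrorAction SilentlyContinue).SysvolReady
        }

        $shares = Get-SmbShare -CimSession $h -ErrorAction SilentlyContinue |
                  Where-Object { $_.Name -in @('SYSVOL', 'NETLOGON') }

        [pscustomobject]@{
            DC          = $h
            DfsrState   = if ($folder) { $dfsrState[[int]$folder.State] } else { 'no DFSR SYSVOL folder' }
            SysvolReady = $ready
            Shares      = ($shares.Name -join ',')
        }
    }
}

Get-SysvolHealth | Format-Table -AutoSize
```

A DC showing DfsrState Normal with SysvolReady 0 and no shares is a different problem from one stuck in Initial Sync, and the table separates them. Setting SysvolReady to 1 by hand makes Netlogon share whatever is on disk, including a stale or partial copy, so it is a last step after the DFSR state is healthy rather than a first one.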


complete powershell script


Hi, I am looking for a PowerShell script to display all the AD groups on that particular server.

Since I am new I have no experience to write one.

Please help.

Thanks

NTLM\LM


I have a server\share where users get access denied if using the IP; the NetBIOS name works. At random the IP will work.

I was reading a link that pointed to another link which does not exist. The link talked about checking NTLM\LM hashing.

Network security: LAN Manager authentication level "Send NTLMv2 response only. Refuse LM & NTLM."

The server does not have a policy setting the value and is configured as "Not Defined", while Windows 10 is set to "Send NTLMv2 response only. Refuse LM & NTLM."

Wireshark shows STATUS_NO_LOGON_SERVERS.

What would be the result of these settings being different?

ldap active directory debug


Hello,

I am configuring SAP Cloud Connector to use a keytab to authenticate but am running into an issue where the DC rejects the authentication method. I have enabled debugging (LDAP interface events) on the DC to capture why the DC is rejecting it. Unfortunately the logs from the DC say:

Additional Data
Error value:
87 The parameter is incorrect.
Internal ID:
c0c0095

Is there any way to get a little more info from the DC about which parameter is incorrect on authentication and why it is rejecting it?

I also tried Wireshark but did not get any info.

Thanks

Resolve Netbios Domain\SUFIX???


I am unable to resolve my NetBIOS (I think) domain. My lovely FQDN is domain.domaindumb.com. NSLookup for the FQDN resolves. NSLookup of "domain" resolves. Am I able to resolve "domain" because I'm using DNS? How is that so? I have zero "Append these DNS suffixes". Do I need two search suffixes? No WINS.

Client DHCP - WITH ERR, please help :)

"Append primary and connection specific DNS suffixes" and "Append parent suffixes" checked.

"Register this connection's addresses in DNS" checked.

"Append these DNS suffixes (in order)" - NOTHING??

>nslookup domain

my 4 DCs show up... 192.168.2.0/20

ping domain replies 4 times to a good IP

primary DNS suffix is domain.domaindumb.com

userdomain=domain

userdnsdomain=domain.domaindumb.com

C:\Users\jbob00>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : 000-win10
   Primary Dns Suffix  . . . . . . . : domain.domaindumb.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.domaindumb.com

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : domain.domaindumb.com
   Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
   Physical Address. . . . . . . . . : 00-0C-29-F3-B8-F5
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.33.77(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Lease Obtained. . . . . . . . . . : Friday, September 28, 2018 3:58:04 PM
   Lease Expires . . . . . . . . . . : Friday, October 5, 2018 3:58:04 PM
   Default Gateway . . . . . . . . . : 192.168.32.1
   DHCP Server . . . . . . . . . . . : 192.168.32.1
   DNS Servers . . . . . . . . . . . : 192.168.2.104
                                       192.168.2.105
                                       192.168.2.61
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ipconfig from the server is the same as above but IP 192.168.2.0/20 - 255.255.255.240.0 and static.

I get denied access to \\10.2.115.251\printers (member server, different subnet) from a Win10 box as domain\jbob00, which has read access in both spots.

Wireshark shows 

 NT Status: STATUS_NO_LOGON_SERVERS (0xc000005e)
        Command: Session Setup (1)
        Credits granted: 1
        Flags: 0x00000001, Response
        Chain Offset: 0x00000000
        Message ID: Unknown (2)
        Process Id: 0x0000feff
        Tree Id: 0x00000000
        Session Id: 0x0000d0017400005d Acct:jbob00 Domain:DOMAIN Host:000-WIN10
        Signature: 00000000000000000000000000000000
        [Response to: 1309]
        [Time from request: 0.031240000 seconds]
    Session Setup Response (0x01)
        StructureSize: 0x0009
        Session Flags: 0x0000
        Blob Offset: 0x00000000
        Blob Length: 0
        Security Blob: <MISSING>: NO DATA
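Both STATUS_NO_LOGON_SERVERS posts above (the NTLM\LM one and this one) involve access by IP address, and that detail matters. Kerberos needs a service principal name to request a ticket for; an IP address does not map to one by default, so a session to \\10.2.115.251\printers falls back to NTLM, and the file server then validates the NTLM response through its secure channel to a DC. 0xC000005E is what that pass-through returns when the server cannot reach a DC for it, which is a different failure from a LAN Manager authentication level mismatch: a server at any level, "Not Defined" included, accepts NTLMv2 responses, since the setting only restricts LM and NTLMv1. The added example below, not part of either post, reads the effective level on a client and the server and then checks the server's secure channel; the host names are hypothetical and it assumes WinRM access to both.

```powershell
# Added example, not code from the original posts. Hypothetical host names.
# Compares LmCompatibilityLevel on client and server, then checks the server's
# secure channel to a DC, which NTLM pass-through validation depends on.
$levels = @{
    0 = 'Send LM & NTLM';               1 = 'Send LM & NTLM, NTLMv2 session security if negotiated'
    2 = 'Send NTLM only';               3 = 'Send NTLMv2 only'
    4 = 'Send NTLMv2 only, refuse LM';  5 = 'Send NTLMv2 only, refuse LM & NTLM'
}

function Get-NtlmLevel {
    param([Parameter(Mandatory)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $v = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                               -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
        [pscustomobject]@{
            Computer             = $env:COMPUTERNAME
            OS                   = (Get-CimInstance Win32_OperatingSystem).Caption
            LmCompatibilityLevel = $v      # $null when the policy is 'Not Defined'
        }
    }
}

foreach ($r in (Get-NtlmLevel -ComputerName '000-win10'), (Get-NtlmLevel -ComputerName 'fileserver01')) {
    # 'Not Defined' means the OS default, which is 3 on Windows Vista / Server 2008 and later
    $effective = if ($null -eq $r.LmCompatibilityLevel) { 3 } else { [int]$r.LmCompatibilityLevel }
    '{0,-14} {1,-30} level {2}: {3}' -f $r.Computer, ($r.OS -replace 'Microsoft Windows ', ''), $effective, $levels[$effective]
}

# Pass-through validation: the file server itself must reach a DC over its
# secure channel. nltest shows which DC it is using and whether the channel is up.
Invoke-Command -ComputerName 'fileserver01' -ScriptBlock {
    Test-ComputerSecureChannel -Verbose
    nltest /sc_query:$env:USERDOMAIN
    nltest /dsgetdc:$env:USERDOMAIN
}
```

If the client and server levels both permit NTLMv2 (every level does) and the server's secure channel query fails or returns a DC that no longer exists, the intermittent access by IP is explained by the server's DC reachability, not by the authentication level policy; a name-based connection works because it uses Kerberos and never asks the server to contact a DC.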


User authenticated on wrong DC


Hi,

We recently had a problem with one of our DCs. We had 4 DCs: dc01, dc02, dc03 and dc04. For some reason dc04 died and it doesn't exist in the forest anymore. But every morning somehow some clients are still trying to authenticate to that dc04. The users are having trouble logging in on their domain-joined computers. After some time they do manage to log in; I suppose they pass by it and authenticate to another available DC. I have seen on the internet that you can clear the logon cache on the clients, but this is not optimal for our case because there are thousands of clients in our environment, and fixing that via GPO is also a pain because the clients are not residing in the same OU or the same location.

Has anyone been in the same situation? Is there a fix that can be done? 

Thank you
Nikart
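Before touching any client, it is worth checking what DNS is still handing out, since the DC locator starts from the SRV and A records in the domain zone and _msdcs. The added example below, not part of the original post, lists every SRV record whose target is the dead DC, plus the same-as-parent A records that a client resolving the bare domain name gets back; it assumes the DnsServer module, a hypothetical domain name, and the dead DC's short name dc04 from the post.

```powershell
# Added example, not code from the original post. Finds DNS records that still
# point clients at a DC that no longer exists. Hypothetical domain name.
Import-Module DnsServer

$domain    = 'corp.example.com'
$deadHost  = 'dc04'
$dnsServer = (Resolve-DnsName -Name $domain -Type SOA).PrimaryServer

function Get-StaleDcRecords {
    param(
        [Parameter(Mandatory)][string]$Zone,
        [Parameter(Mandatory)][string]$DeadHost,
        [Parameter(Mandatory)][string]$Server
    )
    # SRV records (_ldap, _kerberos, _gc, site-specific ones under _sites, ...)
    # whose target is the dead DC
    Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $Zone -RRType Srv |
        Where-Object { $_.RecordData.DomainName -like "$DeadHost.*" } |
        Select-Object @{n = 'Zone'; e = { $Zone }},
                      @{n = 'Record'; e = { $_.HostName }},
                      @{n = 'Target'; e = { $_.RecordData.DomainName }}

    # The dead DC's own A record and the same-as-parent ('@') A records, one per
    # live DC; the dead DC's address should not be among the latter.
    Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $Zone -RRType A |
        Where-Object { $_.HostName -eq $DeadHost -or $_.HostName -eq '@' } |
        Select-Object @{n = 'Zone'; e = { $Zone }},
                      @{n = 'Record'; e = { $_.HostName }},
                      @{n = 'Target'; e = { $_.RecordData.IPv4Address.IPAddressToString }}
}

Get-StaleDcRecords -Zone $domain -DeadHost $deadHost -Server $dnsServer
# _msdcs is usually delegated to its own zone; check it separately
Get-StaleDcRecords -Zone "_msdcs.$domain" -DeadHost $deadHost -Server $dnsServer
```

Records that come back from this query are what clients will keep discovering every morning regardless of any local cache; they are normally cleaned up by metadata cleanup and scavenging, and any left behind can be removed with Remove-DnsServerResourceRecord on the same zones.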

demoting server 2012 issues

Trying to demote a Server 2012 PDC. The new server running 2016 is working: I transferred all roles to the new server and replication is working, but when I try to demote the old server it says it cannot see any other DC. I don't want to force it, or is that my only option? The new server already has all the FSMO roles and is the GC.

failed KccEvent in dciag


hi all,

I had to forcibly remove a domain controller named DC2 (because it was considered a tombstone) by stopping the KDC service and then doing a metadata cleanup (keep in mind that I isolated dc02 in a temporary site with a subnet that had the same IP as dc02 but with a 32-bit mask; this isolation was done on 28-9-2018).

Then I created a new machine with the same name and IP address and made it an additional domain controller.

Then, running dcdiag, I got the following error:

 Starting test: KccEvent

         A warning event occurred.  EventID: 0x80000B46

            Time Generated: 09/29/2018   22:09:31

            Event String:

            The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection.  Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.


         An error event occurred.  EventID: 0xC000043C

            Time Generated: 09/29/2018   22:10:03

            Event String:

            Internal event: Active Directory Domain Services could not update the following object with changes received from the following source directory service. This is because an error occurred during the application of the changes to Active Directory Domain Services on the directory service. 


         An error event occurred.  EventID: 0xC000083C

            Time Generated: 09/29/2018   22:10:03

            Event String:

            This event contains REPAIR PROCEDURES for the 1084 event which has previously been logged. This message indicates a specific issue with the consistency of the Active Directory Domain Services database on this replication destination. A database error occurred while applying replicated changes to the following object. The database had unexpected contents, preventing the change from being made.


         ......................... DC02 failed test KccEvent

The whole dcdiag output:


Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = DC02

   * Identified AD Forest. 
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\DC02

      Starting test: Connectivity

         ......................... DC02 passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\DC02

      Starting test: Advertising

         ......................... DC02 passed test Advertising

      Starting test: FrsEvent

         ......................... DC02 passed test FrsEvent

      Starting test: DFSREvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems. 
         ......................... DC02 passed test DFSREvent

      Starting test: SysVolCheck

         ......................... DC02 passed test SysVolCheck

      Starting test: KccEvent

         A warning event occurred.  EventID: 0x80000B46

            Time Generated: 09/29/2018   22:09:31

            Event String:

            The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection.  Even if no clients are using such binds, configuring the server to reject them will improve the security of this server. 


         An error event occurred.  EventID: 0xC000043C

            Time Generated: 09/29/2018   22:10:03

            Event String:

            Internal event: Active Directory Domain Services could not update the following object with changes received from the following source directory service. This is because an error occurred during the application of the changes to Active Directory Domain Services on the directory service. 


         An error event occurred.  EventID: 0xC000083C

            Time Generated: 09/29/2018   22:10:03

            Event String:

            This event contains REPAIR PROCEDURES for the 1084 event which has previously been logged. This message indicates a specific issue with the consistency of the Active Directory Domain Services database on this replication destination. A database error occurred while applying replicated changes to the following object. The database had unexpected contents, preventing the change from being made.


         ......................... DC02 failed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... DC02 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... DC02 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... DC02 passed test NCSecDesc

      Starting test: NetLogons

         ......................... DC02 passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... DC02 passed test ObjectsReplicated

      Starting test: Replications

         ......................... DC02 passed test Replications

      Starting test: RidManager

         ......................... DC02 passed test RidManager

      Starting test: Services

         ......................... DC02 passed test Services

      Starting test: SystemLog

         A warning event occurred.  EventID: 0xA004001B

            Time Generated: 09/29/2018   21:23:53

            EvtFormatMessage failed, error 15027 the message resource is present but the message is not found in the string/message table.
            (Event String (event log = System) could not be retrieved, error

            0x3ab3)

         A warning event occurred.  EventID: 0x00000083

            Time Generated: 09/29/2018   21:23:54

            Event String:

            NtpClient was unable to set a domain peer to use as a time source because of DNS resolution error on 'DC01.mydomain.local'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9).

         A warning event occurred.  EventID: 0xA004001B

            Time Generated: 09/29/2018   21:33:55

            EvtFormatMessage failed, error 15027 the message resource is present but the message is not found in the string/message table.
            (Event String (event log = System) could not be retrieved, error

            0x3ab3)

         A warning event occurred.  EventID: 0xA004001B

            Time Generated: 09/29/2018   21:43:52

            EvtFormatMessage failed, error 15027 the message resource is present but the message is not found in the string/message table.
            (Event String (event log = System) could not be retrieved, error

            0x3ab3)

         A warning event occurred.  EventID: 0xA004001B

            Time Generated: 09/29/2018   21:53:55

            EvtFormatMessage failed, error 15027 the message resource is present but the message is not found in the string/message table.
            (Event String (event log = System) could not be retrieved, error

            0x3ab3)

         A warning event occurred.  EventID: 0x000727A5

            Time Generated: 09/29/2018   22:08:54

            Event String:

            The WinRM service is not listening for WS-Management requests. 


         A warning event occurred.  EventID: 0x00001796

            Time Generated: 09/29/2018   22:10:17

            Event String:

            Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.


         ......................... DC02 passed test SystemLog

      Starting test: VerifyReferences

         ......................... DC02 passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : mydomain

      Starting test: CheckSDRefDom

         ......................... mydomain passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... mydomain passed test CrossRefValidation

   
   Running enterprise tests on : mydomain.local

      Starting test: LocatorCheck

         ......................... mydomain.local passed test LocatorCheck

      Starting test: Intersite

         ......................... mydomain.local passed test Intersite
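The KccEvent warning 0x80000B46 (event 2886) in the dcdiag output above is the DC saying it still accepts SASL binds without signing and simple binds over cleartext LDAP. Before requiring signing you want to know which clients would break. The following is an added example, not part of the original post or of dcdiag: it reads the current LDAPServerIntegrity setting, raises the "16 LDAP Interface Events" diagnostic level so the DC logs a 2889 event per offending client, and summarises the 2887/2889 events from the last 24 hours. It assumes the ActiveDirectory module is present and that it runs elevated on the DC itself; the registry paths and event IDs are Microsoft's, the regexes over the event text are mine.

```powershell
# Added example (not from the original post): audit unsigned / cleartext LDAP binds
# behind event 2886 on this DC, then decide whether signing can be required.
# Assumes: run elevated on the domain controller; ActiveDirectory module installed.

$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# LDAPServerIntegrity: absent/1 = signing only if the client asks for it (what 2886 warns about),
# 2 = require signing. The GPO "Domain controller: LDAP server signing requirements" sets the same value.
$integrity = (Get-ItemProperty -Path $ntds -Name 'LDAPServerIntegrity' -ErrorAction SilentlyContinue).LDAPServerIntegrity
"LDAPServerIntegrity = $integrity   (2 = require signing)"

# 2887 is the daily summary of unsigned/simple binds; 2889 names each client, but only once the
# '16 LDAP Interface Events' diagnostic level is at least 2.
$level = (Get-ItemProperty -Path $diag -Name '16 LDAP Interface Events').'16 LDAP Interface Events'
if ($level -lt 2) {
    Set-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -Value 2
    "Raised '16 LDAP Interface Events' from $level to 2; per-client 2889 events will be logged from now on."
}

$since  = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2887, 2889; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Daily summaries: counts of simple binds without TLS and SASL binds without signing
foreach ($e in ($events | Where-Object Id -eq 2887)) {
    "$($e.TimeCreated)  $($e.Message -replace '\s+', ' ')"
}

# Per-client detail. The 2889 text contains 'Client IP address: <ip>:<port>' and
# 'Identity the client attempted to authenticate as: <DOMAIN\user>'.
$clients = foreach ($e in ($events | Where-Object Id -eq 2889)) {
    $ip = [regex]::Match($e.Message, 'Client IP address:\s*(\S+)').Groups[1].Value
    $id = [regex]::Match($e.Message, 'attempted to authenticate as:\s*([^\r\n]+)').Groups[1].Value.Trim()
    [pscustomobject]@{ Time = $e.TimeCreated; Client = ($ip -replace ':\d+$', ''); Identity = $id }
}

$clients | Group-Object Client, Identity | Sort-Object Count -Descending |
    Select-Object Count,
                  @{ n = 'Client';   e = { $_.Group[0].Client } },
                  @{ n = 'Identity'; e = { $_.Group[0].Identity } } |
    Format-Table -AutoSize

# Only once the table above stays empty (or every listed client has been fixed) should signing
# be enforced; this is deliberately left commented out:
# Set-ItemProperty -Path $ntds -Name 'LDAPServerIntegrity' -Value 2
```

Run it on each DC, not just the one dcdiag was pointed at: 2889 is logged by whichever DC the client bound to, and a service account doing simple binds to one DC only shows up there.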

SYSVOL replication unknown server


I noticed that we have two unknown servers in our SYSVOL replication and I was wondering where it is possible to remove the two unknown servers. I haven't found any documentation that explains how to do it.

    

DFS error in dcdiag before and after demotion of additional active directory


Hi all,

I went to a company that has 2 domain controllers, DC01 and DC02. DC02 is the additional domain controller and was considered a tombstone because replication hasn't taken place since April 2017, so I demoted it today.

Running dcdiag on DC01, I have the following errors regarding DFS, although there is no DFS installed.

I also checked the DFS log and found that it instructs me to open the DFS snap-in to remove this server from the replication group.

I don't know how to do this.

Below are the logs:



Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = DC01

   * Identified AD Forest. 
   Done gathering initial info.


Doing initial required tests


   Testing server: Default-First-Site-Name\DC01

      Starting test: Connectivity

         ......................... DC01 passed test Connectivity



Doing primary tests


   Testing server: Default-First-Site-Name\DC01

      Starting test: Advertising

         ......................... DC01 passed test Advertising

      Starting test: FrsEvent

         ......................... DC01 passed test FrsEvent

      Starting test: DFSREvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems. 
         ......................... DC01 failed test DFSREvent

      Starting test: SysVolCheck

         ......................... DC01 passed test SysVolCheck

      Starting test: KccEvent

         A warning event occurred.  EventID: 0x8000082C

            Time Generated: 09/16/2018   09:10:12

            Event String: 


         ......................... DC01 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... DC01 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... DC01 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... DC01 passed test NCSecDesc

      Starting test: NetLogons

         ......................... DC01 passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... DC01 passed test ObjectsReplicated

      Starting test: Replications

         [Replications Check,DC01] A recent replication attempt failed:

            From DC02 to DC01

            Naming Context: DC=ForestDnsZones,DC=mydomain,DC=local

            The replication generated an error (8614):

            The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.



            The failure occurred at 2018-09-16 08:55:13.

            The last success occurred at 2017-04-05 11:49:17.

            11307 failures have occurred since the last success.

         [Replications Check,DC01] A recent replication attempt failed:

            From DC02 to DC01

            Naming Context: DC=DomainDnsZones,DC=mydomain,DC=local

            The replication generated an error (8614):

            The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.



            The failure occurred at 2018-09-16 08:55:13.

            The last success occurred at 2017-04-05 11:49:17.

            11313 failures have occurred since the last success.

         [Replications Check,DC01] A recent replication attempt failed:

            From DC02 to DC01

            Naming Context: CN=Schema,CN=Configuration,DC=mydomain,DC=local

            The replication generated an error (8614):

            The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.



            The failure occurred at 2018-09-16 08:55:13.

            The last success occurred at 2017-04-05 11:49:17.

            11307 failures have occurred since the last success.

         [Replications Check,DC01] A recent replication attempt failed:

            From DC02 to DC01

            Naming Context: CN=Configuration,DC=mydomain,DC=local

            The replication generated an error (8614):

            The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.



            The failure occurred at 2018-09-16 08:55:13.

            The last success occurred at 2017-04-05 11:49:17.

            11307 failures have occurred since the last success.

         [Replications Check,DC01] A recent replication attempt failed:

            From DC02 to DC01

            Naming Context: DC=mydomain,DC=local

            The replication generated an error (8614):

            The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime.



            The failure occurred at 2018-09-16 08:55:13.

            The last success occurred at 2017-04-05 12:02:13.

            11470 failures have occurred since the last success.

         ......................... DC01 failed test Replications

      Starting test: RidManager

         ......................... DC01 passed test RidManager

      Starting test: Services

         ......................... DC01 passed test Services

      Starting test: SystemLog

         An error event occurred.  EventID: 0xC0001B63

            Time Generated: 09/16/2018   08:40:09

            Event String:

            A timeout (30000 milliseconds) was reached while waiting for a transaction response from the UmRdpService service.

         An error event occurred.  EventID: 0xC0001B63

            Time Generated: 09/16/2018   08:40:39

            Event String:

            A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ScDeviceEnum service.

         An error event occurred.  EventID: 0xC0001B58

            Time Generated: 09/16/2018   08:40:39

            Event String:

            The Smart Card Device Enumeration Service service failed to start due to the following error: 


         An error event occurred.  EventID: 0xC0001B63

            Time Generated: 09/16/2018   08:50:55

            Event String:

            A timeout (30000 milliseconds) was reached while waiting for a transaction response from the UmRdpService service.

         An error event occurred.  EventID: 0xC0001B63

            Time Generated: 09/16/2018   09:07:14

            Event String:

            A timeout (30000 milliseconds) was reached while waiting for a transaction response from the UmRdpService service.

         An error event occurred.  EventID: 0xC0001B63

            Time Generated: 09/16/2018   09:07:44

            Event String:

            A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ScDeviceEnum service.

         An error event occurred.  EventID: 0xC0001B58

            Time Generated: 09/16/2018   09:07:44

            Event String:

            The Smart Card Device Enumeration Service service failed to start due to the following error: 


         ......................... DC01 failed test SystemLog

      Starting test: VerifyReferences

         ......................... DC01 passed test VerifyReferences



   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation


   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation


   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation


   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation


   Running partition tests on : mydomain

      Starting test: CheckSDRefDom

         ......................... mydomain passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... mydomain passed test CrossRefValidation


   Running enterprise tests on : mydomain.local

      Starting test: LocatorCheck

         ......................... mydomain.local passed test LocatorCheck

      Starting test: Intersite

         ......................... mydomain.local passed test Intersite


*********************************************************************************************

DFS logs 

The DFS Replication service stopped replication on the folder with the following local path: C:\Windows\SYSVOL\domain. This server has been disconnected from other partners for 541 days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter (60). DFS Replication considers the data in this folder to be stale, and this server will not replicate the folder until this error is corrected. 

To resume replication of this folder, use the DFS Management snap-in to remove this server from the replication group, and then add it back to the group. This causes the server to perform an initial synchronization task, which replaces the stale data with fresh data from other members of the replication group. 

Additional Information: 
Error: 9061 (The replicated folder has been offline for too long.) 
Replicated Folder Name: SYSVOL Share 
Replicated Folder ID: 3BFC547C-224C-40F1-8757-386C221B3E8B 
Replication Group Name: Domain System Volume 
Replication Group ID: E460C25B-61A3-4BBB-829F-5FC9462252AB 

**************************************************************************

Installed programs

Name         : AD-Domain-Services
InstallState : Installed

Name         : DNS
InstallState : Installed

Name         : FileAndStorage-Services
InstallState : Installed

Name         : File-Services
InstallState : Installed

Name         : FS-FileServer
InstallState : Installed

Name         : Storage-Services
InstallState : Installed

Name         : NET-Framework-45-Features
InstallState : Installed

Name         : NET-Framework-45-Core
InstallState : Installed

Name         : NET-WCF-Services45
InstallState : Installed

Name         : NET-WCF-TCP-PortSharing45
InstallState : Installed

Name         : GPMC
InstallState : Installed
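Both the "unknown server" entries in the SYSVOL replication question above and the 9061 / tombstone situation in this post come down to objects that describe a DC which no longer exists. The first post on this page (DC02 forcibly removed, then re-promoted with the same name and getting 1084/2108 apply errors) is the same family of problem from the other side. The following is an added example, not from any of the posters: it lists the objects a dead DC can leave behind (server and NTDS Settings objects under CN=Sites, locator SRV records, and the msDFSR-Member objects under the Domain System Volume topology whose msDFSR-ComputerReference points at a computer object that no longer exists; those are what DFS Management shows as "unknown"), and deletes the orphaned DFSR members only when -Remove is given. It assumes the ActiveDirectory module, Domain Admin rights, and that the removed DC was called DC02; everything else is read from the forest.

```powershell
# Added example (not from the original posts): find what a forcibly removed or
# tombstoned DC left behind, and optionally delete the orphaned SYSVOL DFSR members.
# Assumes: ActiveDirectory module, Domain Admin rights, removed DC named DC02.
param(
    [string]$RemovedDc = 'DC02',   # name of the DC that is gone
    [switch]$Remove                # actually delete orphaned DFSR member objects
)

Import-Module ActiveDirectory
$rootDse = Get-ADRootDSE
$domDn   = $rootDse.defaultNamingContext
$cfgDn   = $rootDse.configurationNamingContext
$dnsRoot = (Get-ADDomain).DNSRoot

# 1. Server / NTDS Settings objects in the Configuration NC. ntdsutil 'metadata cleanup' removes
#    these; if they survive, a re-promoted DC with the same name collides with them.
Get-ADObject -SearchBase "CN=Sites,$cfgDn" -LDAPFilter "(&(objectClass=server)(cn=$RemovedDc))" |
    ForEach-Object {
        "Server object still present: $($_.DistinguishedName)"
        Get-ADObject -SearchBase $_.DistinguishedName -LDAPFilter '(objectClass=nTDSDSA)' |
            ForEach-Object { "  NTDS Settings still present: $($_.DistinguishedName)" }
    }

# 2. DC locator records still advertising the old host
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$dnsRoot" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object NameTarget -like "$RemovedDc.*" |
    ForEach-Object { "SRV record still points at $($_.NameTarget)" }

# 3. SYSVOL DFSR topology. Every DC has one msDFSR-Member here whose msDFSR-ComputerReference is
#    the DN of its computer object. A member whose reference no longer resolves is what the DFS
#    Management snap-in lists as an unknown server. A clean demotion removes it; a forced
#    removal or metadata cleanup does not always.
$topology = "CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,$domDn"
$members  = Get-ADObject -SearchBase $topology -LDAPFilter '(objectClass=msDFSR-Member)' `
                         -Properties msDFSR-ComputerReference

$orphans = foreach ($m in $members) {
    $ref    = $m.'msDFSR-ComputerReference'
    $exists = $false
    if ($ref) {
        try { Get-ADObject -Identity $ref -ErrorAction Stop | Out-Null; $exists = $true } catch { }
    }
    if (-not $exists) { $m }
}
$orphanDns = @($orphans | ForEach-Object DistinguishedName)

foreach ($o in $orphans) {
    "Orphaned DFSR member: $($o.Name)  (computer reference '$($o.'msDFSR-ComputerReference')' not found)"
    if ($Remove) {
        # msDFSR-Connection objects hang under the member; -Recursive takes them along
        Remove-ADObject -Identity $o.DistinguishedName -Recursive -Confirm:$false
        "  removed"
    }
}

# Surviving members, so you can confirm the DC you kept is still listed
$members | Where-Object { $orphanDns -notcontains $_.DistinguishedName } |
    ForEach-Object { "Valid member: $($_.'msDFSR-ComputerReference')" }
```

Run it without -Remove first and compare the orphan list against what DFS Management shows; the 9061 "offline too long" condition on the surviving DC is a separate problem that this script does not touch.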


 

Server 2016 can ping but can't manage it remotely. (after removing GC role).


I was trying to replace a 2016 server with another server. While I was doing it, I removed the Global Catalog role from the old server (running Server 2016). Then I had to get up to do something before I could demote it (remove the AD role from it). I was doing it remotely using RMM and Splashtop. Now I can ping it from the new server but cannot remote into it or manage it remotely (not from cmd, not from Splashtop, RMM shows the server is down, and not from Server Manager).

Server Manager shows "Error - Cannot manage the operating system of the target computer". I tried rebooting it with shutdown -i and shutdown -m but nothing works. shutdown -i says "failed to connect to registry" and shutdown -m says error 53.

I added the GC role back to it but am still getting the error. I was able to see Event Viewer and saw that it was getting a Kerberos error.

Can anyone help me?

Thanks,
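"Pingable but not manageable" with a Kerberos error in the log usually means the transport is fine and authentication or service location is not. The following is an added example, not the poster's, to run from the new (working) DC: it checks which DCs still advertise as global catalogs, whether the old server resolves and listens on the ports remote management depends on (error 53 is "the network path was not found"), whether its NTDS Settings object still claims GC, whether WinRM answers a Kerberos-authenticated request, and which SPNs its computer object carries. It assumes the ActiveDirectory module on the machine you run it from and uses OLDDC as a placeholder for the unreachable server.

```powershell
# Added example (not from the original post): triage a DC that pings but cannot be
# managed remotely. Run from a working DC. Assumes ActiveDirectory module; OLDDC is a placeholder.
param([string]$Target = 'OLDDC')

Import-Module ActiveDirectory
$forest  = Get-ADForest
$dnsRoot = (Get-ADDomain).DNSRoot
$fqdn    = "$Target.$dnsRoot"

# 1. Global catalogs: Kerberos logon for accounts with universal group memberships and the
#    AD cmdlets' cross-domain lookups both need at least one GC that is reachable.
"Global catalogs in forest : $($forest.GlobalCatalogs -join ', ')"
Resolve-DnsName -Name "_gc._tcp.$dnsRoot" -Type SRV -ErrorAction SilentlyContinue |
    ForEach-Object { "  _gc SRV -> $($_.NameTarget):$($_.Port)" }

# 2. Name resolution and the ports remote management uses
$a = Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue
"$fqdn resolves to: $($a.IPAddress -join ', ')"
foreach ($port in 88, 135, 389, 445, 5985) {
    $r = Test-NetConnection -ComputerName $fqdn -Port $port -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'closed/filtered' }
    "  tcp/$port : $state"
}

# 3. What the directory thinks about the target (advertising, GC flag, site)
try {
    $dc = Get-ADDomainController -Identity $Target -ErrorAction Stop
    "Directory says: IsGlobalCatalog=$($dc.IsGlobalCatalog)  Site=$($dc.Site)  IPv4=$($dc.IPv4Address)"
} catch {
    "No domain controller object found for $Target : $($_.Exception.Message)"
}

# 4. WinRM with Kerberos explicitly. tcp/5985 open plus a failure here points at
#    SPN, time skew or secure-channel trouble rather than the network.
try {
    Test-WSMan -ComputerName $fqdn -Authentication Kerberos -ErrorAction Stop | Out-Null
    "WinRM over Kerberos: OK"
} catch {
    "WinRM over Kerberos failed: $($_.Exception.Message)"
}

# 5. SPNs a Kerberos client has to find on the target's computer object
Get-ADComputer -Identity $Target -Properties servicePrincipalName |
    Select-Object -ExpandProperty servicePrincipalName |
    Where-Object { $_ -match '^(HOST|WSMAN|ldap|GC|RestrictedKrbHost)/' } |
    Sort-Object |
    ForEach-Object { "SPN: $_" }
```

If step 1 lists no global catalog at all, or only the unreachable server, that is the first thing to fix; a DC whose own secure channel or SPNs are broken can still be reached over the console for the demotion.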

Question regarding SID History filtering


Hi All,

We are working to test the security of an Active Directory external trust. As per Microsoft TechNet articles, if we disable SID history filtering then the administrators in the trusted domain can misuse this by adding the SID of an administrator in the trusting domain to their own SID history.

While testing this we created 2 separate forests on Windows 2016 servers, created an external trust between the forests, disabled SID filtering on both domains and enabled SID history in both domains, and added the SID of one domain's administrator to the other domain's administrator SID history. But when I try to access any resource in the trusting domain with the trusted domain ID it fails. On checking the logs of the trusting domain I found event ID 4675 for SID filtering of the Domain Admin account. When I perform the same activity on standard users by providing standard access it works, which means SID filtering is properly disabled and SID history is enabled.

I am not sure if there is any security feature in Windows 2016 where Domain Admin or well-known SIDs are always filtered irrespective of SID filtering settings.

If there is any such detail available, please help me with that.

Commands used:

netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /quarantine:no

netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /enablesidhistory:Yes
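When a SID-history test like the one above fails, the useful evidence is in three places: the trust object's flags (the /quarantine and /enablesidhistory switches each flip one bit of trustAttributes), the exact SIDs sitting in the account's sIDHistory (domain part and RID separately, because the RID is what distinguishes a built-in administrator from an ordinary user), and the 4675 events that name which SIDs the trusting DC dropped. The following is an added example, not the poster's, that collects all three from a DC of the trusting domain. It assumes the ActiveDirectory module and uses trusted.lab and administrator as placeholders for the lab forest and the test account; the regexes over the 4675 message text are mine.

```powershell
# Added example (not from the original post): inspect the trust, the test account's
# sIDHistory and the 4675 "SIDs were filtered" events on a DC of the trusting domain.
# Assumes: ActiveDirectory module; trusted.lab / administrator are placeholders.
param(
    [string]$TrustedDomain = 'trusted.lab',
    [string]$TrustedUser   = 'administrator'
)

Import-Module ActiveDirectory

# 1. Trust flags. trustAttributes bit 0x4 (QUARANTINED_DOMAIN) is what /quarantine:no clears;
#    Get-ADTrust exposes it as SIDFilteringQuarantined. SIDFilteringForestAware is the forest-trust
#    flag behind /enablesidhistory. TrustAttributes is the raw bitmask for anything else.
Get-ADTrust -Identity $TrustedDomain |
    Select-Object Name, Direction, ForestTransitive, IntraForest,
                  SIDFilteringQuarantined, SIDFilteringForestAware,
                  @{ n = 'TrustAttributesHex'; e = { '0x{0:X}' -f $_.TrustAttributes } } |
    Format-List

# 2. The SIDs actually carried in sIDHistory, split into domain SID and RID
function Split-Sid([string]$Sid) {
    $parts = $Sid.Split('-')
    [pscustomobject]@{
        Sid       = $Sid
        DomainSid = ($parts[0..($parts.Count - 2)] -join '-')
        Rid       = [int]$parts[-1]
    }
}

$u = Get-ADUser -Identity $TrustedUser -Server $TrustedDomain -Properties sidHistory
"Account   : $($u.DistinguishedName)"
"objectSid : $($u.SID)"
"sIDHistory:"
$u.sidHistory | ForEach-Object { Split-Sid $_.Value } | Format-Table -AutoSize

# 3. Event 4675 on this (trusting) DC: which account was hit and every SID the event names.
#    The first SID in the text is the target account's own; the rest are the filtered ones.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4675 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $m = $_.Message
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = [regex]::Match($m, 'Account Name:\s*(\S+)').Groups[1].Value
            Domain  = [regex]::Match($m, 'Account Domain:\s*(\S+)').Groups[1].Value
            Sids    = ([regex]::Matches($m, 'S-1-\d+(?:-\d+)+') | ForEach-Object Value | Select-Object -Unique) -join ' '
        }
    } | Format-Table -AutoSize -Wrap
```

Compare the RIDs from step 2 with the SIDs listed by step 3: if the entries that get filtered are consistently the ones with low RIDs while the standard user's history passes, that is the pattern to take to the trust documentation, and the trust flags from step 1 are what a reviewer will ask for first.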
