Channel: Directory Services forum

When attempting to install the Active Directory Management Gateway service, the installation fails with the error "the update does not apply to your system".


To whom it may concern,

I'm trying to get Active Directory Web Services installed on my Windows Server 2008 box. The update is Windows6.0-KB968934-x64, and I keep getting the error message stated in the title. After researching, it seems that the next rollup is needed, but I can't find it. It seems that maybe I need to ask the Microsoft people directly. Any help would be greatly appreciated. I know updating to a newer version of Windows will probably solve this problem, but I'm not ready to do so yet.

Regards,


Force user to change password at next logon

  • My customer called in for an AD password reset. She is using a Macintosh connected by wire to the local office network. She had already logged into the machine, but she's unable to log into the Outlook 2013 app or Office 365 OWA as she is getting an incorrect password error.
  • I reset her password and checked the option "User must change password at next logon". What happens is that when she tried the new password for OWA, it still says the password is incorrect. Please advise on the best practice in this scenario and explain what's happening in the background.

Disable SMBv1 on domain controllers


Hi Experts,

I have a question about the SMBv1 and domain controllers.

Is there any impact if we disable SMBv1 on domain controllers?

New client machines cannot join domain following compromise

Had a standalone domain controller which became compromised.

Have taken back control and cleaned it up, killing off lots of unauthorised applications and services.
However, I've since been unable to join new machines to the domain.

The error is 'The network path was not found'.

I've looked at DNS in close detail on the AD machine... I've removed and rebuilt many entries there... I'm fairly confident DNS isn't at fault.

I did notice that if I browse, on the DC, to \\127.0.0.1\ I get a few shares... (netlogon and sysvol), however if I browse from another machine to 192.168.3.251 (DC network IP) I do not get any access at all to those shares.

Any suggestions will be greatly appreciated!


"Detect Now" from Group policy management gives replication in progress message on GPO 2012


When I run "Detect Now" from Group Policy Management on my domain on server xxx I get an error: 1 domain controller with a "replication in progress" message.

When I click on ACL I get a list of 2 GPOs with the message

"The Sysvol permissions for one or more GPOs on this domain controller are not in sync with the permissions for the GPOs on the Baseline domain controller"

Steps taken so far:

> Compared the permissions of group policy folder to GPO delegation tab and found no differences.

> Compared the settings of the GPO on server DC1 and DC2 for the two policies, didn't find any difference

> Ran Gpupdate /force

> DCdiag results come with no errors

> Tried to modify a setting in the problematic policy and force replication, no difference

Repadmin /syncall /APed - No errors.

At this point nothing is broken, but I am worried this might cause an issue.

Any help or suggestions are appreciated



Farookh21

Activation Infrastructure


Currently we use KMS to activate our Win 7, Server 2012 R2 and lower, and Office 2013 Pro Plus x86.

We are now going to introduce Windows Server 2016, O365 client and Windows 10 in our environment.

Looking at the need for activation, what is recommended for these products?

I checked and there is something called ADBA available as well; is that a better option than updating our KMS?

Can both methods co-exist, and how does a new client determine the activation source, KMS or ADBA?

What would we do for the non-domain-joined machines (use MAK)?

Please suggest.


Monitor user activities


Hi,

We have Windows server 2008 and 2012 DCs.

Please let me know how to log and monitor all the activities of admin users in DC and also in Exchange. We do not plan for any third party solutions, please let me know any method inbuilt to Windows.

Importing of OU Structure


We are performing an AD migration from one forest to another. I have exported the OU structure from one domain but when I import it into the other domain that we are moving to only about half the OUs get imported.

The export script I used is

ldifde -f c:\temp\exportOU.ldf -s vv-dc.transform.local -d "dc=transform,dc=local" -p subtree -r "(objectcategory=organizationalUnit)" -l "cn,objectclass,ou"

The import script I used is 

ldifde -i -f "c:\temp\vector-exportnew.ldf"

The error that shows up on the screen is below

PS C:\temp\GPOMigration> C:\temp\import.ps1
Connecting to "red.red.local"
Logging in as current user using SSPI
Importing directory from file "c:\temp\paa-exportnew.ldf"
Loading entriesAdd error on entry starting on line 703: No Such Object
The server side error is: 0x208d Directory object not found.
The extended server error is:
0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
'OU=HJM,OU=PAA,OU=legacy_vector,DC=red,DC=local'

117 entries modified successfully.
An error has occurred in the program
No log files were written.  In order to generate a log file, please
specify the log file path via the -j option.

What is causing this issue? I am not sure why it is missing quite a few OUs.
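One way to catch this class of import failure before running ldifde -i, as an added example that is not from the post or from ldifde itself: a Python script that reorders an OU export parents-first (ldifde processes entries in file order, so a child OU listed before its parent fails with NO_OBJECT), rewrites the source domain suffix to the target one, and reports OUs whose parent exists neither in the file nor as the domain root. The sample LDIF, its DNs and the transform.local/red.local suffixes are constructed from the post and are assumptions.

```python
"""Reorder an ldifde OU export so that parent OUs precede their children.

ldifde -i adds entries in file order; an OU whose parent has not been
created yet fails with "No Such Object" (0x208d / NO_OBJECT) and the
import ends with fewer OUs than the export contained.
"""
import re
from typing import List, Tuple

# Constructed sample export (assumption): entries deliberately out of order,
# plus one OU whose parent is missing from the file altogether.
SAMPLE_LDIF = """\
dn: OU=HJM,OU=PAA,OU=legacy_vector,DC=transform,DC=local
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: HJM

dn: OU=legacy_vector,DC=transform,DC=local
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: legacy_vector

dn: OU=Orphan,OU=Missing,DC=transform,DC=local
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: Orphan

dn: OU=PAA,OU=legacy_vector,DC=transform,DC=local
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: PAA
"""

Record = Tuple[str, List[str]]          # (dn, raw lines of the record)
_SPLIT_RDN = re.compile(r"(?<!\\),")    # split on commas that are not escaped


def parse_ldif(text: str) -> List[Record]:
    """Split LDIF text into records; each record is its DN plus its lines."""
    records: List[Record] = []
    block: List[str] = []
    for line in text.splitlines() + [""]:   # trailing "" flushes the last record
        if line.strip() == "":
            if block:
                dn_line = next(l for l in block if l.lower().startswith("dn:"))
                records.append((dn_line[3:].strip(), block))
                block = []
            continue
        if line.startswith(" ") and block:  # LDIF line folding (continuation)
            block[-1] += line[1:]
        else:
            block.append(line)
    return records


def parent_dn(dn: str) -> str:
    """Return the DN with its leftmost RDN removed (escaped commas respected)."""
    return ",".join(_SPLIT_RDN.split(dn)[1:])


def rewrite_suffix(dn: str, old: str, new: str) -> str:
    """Replace the source domain suffix with the target domain suffix."""
    if dn.lower().endswith(old.lower()):
        return dn[: len(dn) - len(old)] + new
    return dn


def order_for_import(text: str, old_suffix: str, new_suffix: str):
    """Return (ordered_ldif, orphan_dns) ready for ldifde -i on the target domain.

    Orphans are entries whose parent is neither the target domain root nor
    another entry in the file; ldifde would fail on them with NO_OBJECT.
    """
    rewritten: List[Record] = []
    for dn, lines in parse_ldif(text):
        new_dn = rewrite_suffix(dn, old_suffix, new_suffix)
        body = [l for l in lines if not l.lower().startswith("dn:")]
        rewritten.append((new_dn, ["dn: " + new_dn] + body))
    known = {dn.lower() for dn, _ in rewritten} | {new_suffix.lower()}
    orphans = [dn for dn, _ in rewritten if parent_dn(dn).lower() not in known]
    # Fewer RDN components means closer to the root, so it must be created first.
    rewritten.sort(key=lambda rec: len(_SPLIT_RDN.split(rec[0])))
    ordered = "\n\n".join("\n".join(lines) for _, lines in rewritten) + "\n"
    return ordered, orphans


if __name__ == "__main__":
    ldif, missing = order_for_import(SAMPLE_LDIF, "DC=transform,DC=local", "DC=red,DC=local")
    print(ldif)
    for dn in missing:
        print("WARNING: parent OU missing for", dn)
```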


Local User Group

Event ID 8026


Yesterday we restarted our Primary Domain Controller (PDC) and Exchange Server 2003, which is also our Secondary Domain Controller (SDC). Now we are getting the error "LDAP Bind was unsuccessful on directory mail.domain.com for distinguished name ''. Directory returned error: [0x52] Local Error."

Also, we noticed that if we add a user from the Primary domain it will not be synchronized to our Exchange (SDC). But from the Exchange (SDC) it will be synchronized.

I don't know if this is also related, but now some of our staff who are connected via Exchange encounter errors in their Outlook like "Exchange server is offline", although I can ping both the FQDN of the domain and Exchange from the client.

Now the event viewer of Exchange is full of this error.

I know we are still using the old version of Exchange since it is stable in our environment. But maybe soon we are planning to upgrade. For now we just want to solve this issue. Hope anybody from the forum could support us.

PS: I posted this issue in the Exchange 2003 forum and I got one reply that the said issue is related to the DC, not Exchange.

PDC: Windows Server 2003 R2 SP2

SDC: Windows Server 2003 R2 SP2 /Exchange 2003

Event Type:Error
Event Source:MSExchangeAL
Event Category:LDAP Operations 
Event ID:8026
Date:11/8/2018
Time:11:20:01 AM
User:N/A
Computer:MAIL
Description:
LDAP Bind was unsuccessful on directory mail.domain.com for distinguished name ''. Directory returned error:[0x52] Local Error.    

For more information, click http://www.microsoft.com/contentredirect.asp.

Thanks,

Nidz


Alternate UPN login with domain trust


Greetings all.

We are currently in the process of an AD migration. Let's say that:

1. DomainA is our current source domain

2. DomainB is our target domain

We currently have a two way, external, non-transitive trust between both domains. We also have DNS forwarders setup in DomainA, pointing to DNS servers in DomainB land. We have done some basic testing with ADMT, and are currently able to migrate accounts with SID history from DomainA into DomainB successfully. 

Now DomainB users have a default UPN of user@domainB.something.net, but also have an alternate UPN which can be assigned which is user@domainB.com

What we would like to do, is migrate our users from DomainA into DomainB with SID history (We have this working so far), and then give them a UPN of user@domainB.com (which we tested after migrating with ADMT, we can set UPN as that)

Now what we need, is our users to sit down at a machine bound to DomainA still, and have the ability to login with an account that has been ADMT migrated, using the UPN user@DomainB.com

We have tested, and can login on a machine bound to DomainA, as an ADMT migrated user using only user@DomainB.something.net

So it's allowing us to login to what our trusted domain is, user@DomainB.something.net, but it's not recognizing user@DomainB.com?

We bound a VM to DomainB.something.net, and can then logon OK with that ADMT migrated account as user@DomainB.com

So the alternate UPN of user@DomainB.com is only working on machines that are also bound to DomainB.something.net

It's obviously something to do with the trust and how the UPNs are working, but I haven't figured it out yet.

Any help would be minty.

Cheers.

 

Windows server 2012 DC Promo fails The directory service on XYZDC has not finished initializing.


No FSMO role on this DC.

The server was being promoted; after reboot, I could log in but could not open anything from system32 ("Access Denied"). After a while this error fixed itself, but now the DNS service is not starting:

"The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed." Event ID 4013

Any idea will be much appreciated.

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          6/11/2018 4:23:46 PM
Event ID:      1557
Task Category: Replication
Level:         Information
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      XYZDC11.com.au
Description:
This directory server has not completed a full synchronization of the following directory partition. This directory server will not available to clients until this task is completed.
 
Directory partition:
DC=com.au
 
An attempt to complete a full synchronization of this directory partition will be tried again later.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
    <EventID Qualifiers="16384">1557</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>5</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2018-11-06T05:23:46.304087400Z" />
    <EventRecordID>529</EventRecordID>
    <Correlation />
    <Execution ProcessID="492" ThreadID="1460" />
    <Channel>Directory Service</Channel>
    <Computer>XYZDC11.com.au</Computer>
    <Security UserID="S-1-5-7" />
  </System>
  <EventData>
    <Data>DC=Com,DC=au</Data>
  </EventData>
</Event>

Windows PowerShell
Copyright (C) 2012 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> dcdiag /kcc
Invalid Syntax: Invalid option /kcc. Use dcdiag.exe /h for help.
PS C:\Windows\system32> repadmin /kcc

Repadmin: running command /kcc against full DC localhost
XYZDC
Current Site Options: (none)
Consistency check on localhost successful.

PS C:\Windows\system32> dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = XYZDCDC11
   The directory service on XYZDCDC11 has not finished initializing.
    In order for the directory service to consider itself synchronized, it must attempt an initial synchronization with
   at least one replica of this server's writeable domain.  It must also obtain Rid information from the Rid FSMO
   holder.
    The directory service has not signalled the event which lets other services know that it is ready to accept
   requests. Services such as the Key Distribution Center, Intersite Messaging Service, and NetLogon will not consider
   this system as an eligible domain controller.
   * Identified AD Forest.
   The directory service on XYZDCDC11 has not finished initializing.
    In order for the directory service to consider itself synchronized, it must attempt an initial synchronization with
   at least one replica of this server's writeable domain.  It must also obtain Rid information from the Rid FSMO
   holder.
    The directory service has not signalled the event which lets other services know that it is ready to accept
   requests. Services such as the Key Distribution Center, Intersite Messaging Service, and NetLogon will not consider
   this system as an eligible domain controller.
   Done gathering initial info.

Doing initial required tests

   Testing server: XYZDC\XYZDCDC11
      Starting test: Connectivity
         The directory service on XYZDCDC11 has not finished initializing.
          In order for the directory service to consider itself synchronized, it must attempt an initial
         synchronization with at least one replica of this server's writeable domain.  It must also obtain Rid
         information from the Rid FSMO holder.
          The directory service has not signalled the event which lets other services know that it is ready to accept
         requests. Services such as the Key Distribution Center, Intersite Messaging Service, and NetLogon will not
         consider this system as an eligible domain controller.
         ......................... XYZDCDC11 passed test Connectivity

Doing primary tests

   Testing server: XYZDC\XYZDCDC11
      Starting test: Advertising
         Warning: the directory service on XYZDCDC11 has not completed initial synchronization.
         Other services will be delayed.
         Verify that the server can replicate.
         Warning: DsGetDcName returned information for\\XYZDCDC02.domain.com, when we were trying to reach XYZDCDC11.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... XYZDCDC11 failed test Advertising
      Starting test: FrsEvent
         ......................... XYZDCDC11 passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL
         replication problems may cause Group Policy problems.
         ......................... XYZDCDC11 failed test DFSREvent
      Starting test: SysVolCheck
         ......................... XYZDCDC11 passed test SysVolCheck
      Starting test: KccEvent
         A warning event occurred.  EventID: 0x8000051C
            Time Generated: 11/06/2018   16:27:18
            Event String:
            The Knowledge Consistency Checker (KCC) has detected that successive attempts to replicate with the followin
g directory service has consistently failed.
         ......................... XYZDCDC11 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... XYZDCDC11 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... XYZDCDC11 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... XYZDCDC11 passed test NCSecDesc
      Starting test: NetLogons
         ......................... XYZDCDC11 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... XYZDCDC11 passed test ObjectsReplicated
      Starting test: Replications
         REPLICATION LATENCY WARNING
         XYZDCDC11: This replication path was preempted by higher priority work.
            from GOULBDC01 to XYZDCDC11
            Reason: The operation completed successfully.
            The last success occurred at (never).
            Replication of new changes along this path will be delayed.
         REPLICATION LATENCY WARNING
         XYZDCDC11: This replication path was preempted by higher priority work.
            from GOULBDC01 to XYZDCDC11
            Reason: The operation completed successfully.
            The last success occurred at (never).
            Replication of new changes along this path will be delayed.
         REPLICATION LATENCY WARNING
         XYZDCDC11: This replication path was preempted by higher priority work.
            from GOULBDC01 to XYZDCDC11
            Reason: The operation completed successfully.
            The last success occurred at (never).
            Replication of new changes along this path will be delayed.
         REPLICATION LATENCY WARNING
         XYZDCDC11: This replication path was preempted by higher priority work.
            from GOULBDC01 to XYZDCDC11
            Reason: The operation completed successfully.
            The last success occurred at (never).
            Replication of new changes along this path will be delayed.
         REPLICATION LATENCY WARNING
         XYZDCDC11: This replication path was preempted by higher priority work.
            from GOULBDC01 to XYZDCDC11
            Reason: The operation completed successfully.
            The last success occurred at (never).
            Replication of new changes along this path will be delayed.
         REPLICATION LATENCY WARNING
         XYZDCDC11: A full synchronization is in progress
            from GOULBDC01 to XYZDCDC11
            Replication of new changes along this path will be delayed.
            The full sync is 0 percent complete.
         [Replications Check,XYZDCDC11] A recent replication attempt failed:
            From XYZDCDC02 to XYZDCDC11
            Naming Context:
            The replication generated an error (8461):
            The replication operation was preempted.
            The failure occurred at 2018-11-06 16:31:21.
            The last success occurred at (never).
            1 failures have occurred since the last success.
         REPLICATION LATENCY WARNING
         XYZDCDC11: A full synchronization is in progress
            from XYZDCDC02 to XYZDCDC11
            Replication of new changes along this path will be delayed.
            The full sync is 87 percent complete.
         ......................... XYZDCDC11 failed test Replications
      Starting test: RidManager
         Warning: attribute rIdSetReferences missing from CN=XYZDCDC11,OU=Domain Controllers,
         Could not get Rid set Reference :failed with 8481: The search failed to retrieve attributes from the database.
         ......................... XYZDCDC11 failed test RidManager
      Starting test: Services
         ......................... XYZDCDC11 passed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x00001796
            Time Generated: 11/06/2018   15:38:55
            Event String:
            Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and t
his server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
         An error event occurred.  EventID: 0x0000271A
            Time Generated: 11/06/2018   16:21:43
            Event String:
            The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
         An error event occurred.  EventID: 0x0000271A
            Time Generated: 11/06/2018   16:21:43
            Event String:
            The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
         An error event occurred.  EventID: 0x0000271A
            Time Generated: 11/06/2018   16:21:43
            Event String:
            The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
         An error event occurred.  EventID: 0x0000271A
            Time Generated: 11/06/2018   16:21:43
            Event String:
            The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
         A warning event occurred.  EventID: 0x00002724
            Time Generated: 11/06/2018   16:22:27
            Event String:
            This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you s
hould use only static IPv6 addresses.
         An error event occurred.  EventID: 0x00000416
            Time Generated: 11/06/2018   16:22:28
            Event String:
            The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain domain.com, has dete
rmined that it is not authorized to start.  It has stopped servicing clients.  The following are some possible reasons f
or this:
         An error event occurred.  EventID: 0x0000410B
            Time Generated: 11/06/2018   16:22:48
            Event String:
            The request for a new account-identifier pool failed. The operation will be retried until the request succee
ds. The error is
         ......................... XYZDCDC11 failed test SystemLog
      Starting test: VerifyReferences
         ......................... XYZDCDC11 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : dec
      Starting test: CheckSDRefDom
         ......................... dec passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... dec passed test CrossRefValidation

   Running enterprise tests on : domain.com
      Starting test: LocatorCheck
         ......................... domain.com passed test LocatorCheck
      Starting test: Intersite
         ......................... domain.com passed test Intersite
PS C:\Windows\system32>
PS C:\Windows\system32> repadmin
Usage: repadmin <cmd> <args> [/u:{domain\user}] [/pw:{password|*}]
                             [/retry[:<retries>][:<delay>]]
                             [/csv]

Use these commands to see the help:

/?          Displays a list of commands available for use in repadmin and their
            description.
/help       Same as /?
/?:<cmd>    Displays the list of possible arguments <args>, appropriate
            syntaxes and examples for the specified command <cmd>.
/help:<cmd> Same as /?:<cmd>
/experthelp Displays a list of commands for use by advanced users only.
/listhelp   Displays the variations of syntax available for the DSA_NAME,
            DSA_LIST, NCNAME and OBJ_LIST strings.
/oldhelp    Displays a list of deprecated commands that still work but
            are no longer supported by Microsoft.


Supported <cmd> commands (use /?<cmd> for detailed help):
     /kcc    Forces the KCC on targeted domain controller(s) to immediately
             recalculate its inbound replication topology.

     /prp    This command allows an admin to view or modify the
             password replication policy for RODCs.

     /queue  Displays inbound replication requests that the  DC needs to issue
             to become consistent with its source replication partners.

     /replicate  Triggers the immediate replication of the specified directory
             partition to the destination domain controller from the source DC.

     /replsingleobj Replicates a single object between any two domain
             controllers that have common directory partitions.

     /replsummary The replsummary operation quickly and concisely summarizes
             the replication state and relative health of a forest.

     /rodcpwdrepl Triggers replication of passwords for the specified user(s)
             from the source (Hub DC) to one or more Read Only DC's.

     /showattr Displays the attributes of an object.

     /showobjmeta Displays the replication metadata for a specified object
             stored in Active Directory, such as attribute ID, version
             number, originating and local Update Sequence Number (USN), and
             originating server's GUID and Date and Time stamp.

     /showrepl Displays the replication status when specified domain controller
             last attempted to inbound replicate Active Directory partitions.

     /showutdvec displays the highest committed Update Sequence Number (USN)
             that the targeted DC's copy of Active Directory shows as
             committed for itself and its transitive partners.

     /syncall Synchronizes a specified domain controller with all replication
              partners.

Supported additional parameters:

     /u:    Specifies the domain and user name separated by a backslash
            {domain\user} that has permissions to perform operations in
            Active Directory. UPN logons not supported.

     /pw:   Specifies the password for the user name entered with the /u
            parameter.

     /retry This parameter will cause repadmin to repeat its attempt to bind
            to the target dc should the first attempt fail with one of the
            following error status:

            1722 / 0x6ba : "The RPC Server is unavailable"
            1753 / 0x6d9 : "There are no more endpoints available from the
                            endpoint mapper"

     /csv   Used with /showrepl to output results in comma separated
            value format. See /csvhelp


Note: Most commands take their parameters in the order of "Destination or
      Target DSA_LIST", then a "Source DSA_NAME" if required, and finally the
      NC or Object DN if required.

        <DSA_NAME> (or <DSA_LIST>) is a Directory Service Agent binding
        string. For Active Directory Domain Services, this is simply a network
        label (such as a DNS, NetBios, or IP address) of a Domain Controller.
        For Active Directory Lightweight Directory Services, this must be a
        network label of the AD LDS server followed by a colon and the LDAP
        port of the AD LDS instance
            Examples (AD DS):  dc-01
                               dc-01.microsoft.com
            Examples (AD LDS): ad-am-01:2000
                               ad-am-01.microsoft.com:2000

      <Naming Context> is the Distinguished Name of the root of the NC
            Example: DC=My-Domain,DC=Microsoft,DC=Com
Note: Text (Naming Context names, server names, etc) with International or
      Unicode characters will only display correctly if appropriate fonts and
      language support are loaded.
PS C:\Windows\system32> repadmin


NSW DECC

The Security database on the server does not have a computer account for this workstation trust relationship


Hello everyone,

I have my AD server on OpenStack. I restarted my AD server today and now I am unable to log in to my AD server.

Getting the following error:

Any help will be highly appreciated.

Thanks

Anees


lsass.exe terminated unexpectedly with status code 1


Can anyone help me to fix the issue? One of our domain controllers, running Windows Server 2012 R2, keeps rebooting frequently, about twice in 10 days, with the error below:

System process lsass.exe terminated unexpectedly with status code 1

Also, is there any detailed article that helps understand the error code xxx status?


D.K Konar. NMS


Microsoft Edge GPO


Hi Guys,

we have a slight issue with Microsoft Edge which cannot be resolved with our current build and we need to revert to I.E. as our default browser.

Can anyone let me know if there is a GPO that can disable Microsoft Edge and ENABLE Internet Explorer. Any information would be greatly received.

Regards.


Microsoft Support for attributes or schema customizations


Hi everyone,
Although Microsoft has several KBs about adding attributes manually and schema extensions on Active Directory, most administrators know that it isn't a good practice and has a big chance of creating problems in future updates.
I can't find on the web any official documentation that explains the dangers and risks these modifications represent, or a recommendation that says: "don't do this". Or documentation describing whether official MS Support supports this.

Anyone has a similar document about that?

Tks.

DNS not being added automatically

I have a domain xyz.com. Whenever I add a new server to the domain, the new server's DNS record is not showing up automatically. Each server's FQDN has the domain abc.com in its name. I think that is the issue. I have looked on the DCs and the hosts and I cannot find any sort of log that is telling me why this is not getting added. Can someone point me in the right direction here?

Infra Apps for Single forest multiple domain


Hi,

Which one is the Microsoft recommended approach or best practice for implementing infra applications like Exchange, SCCM, SCOM in a single forest, multiple domain environment?

Should we create a separate resource domain (for Exchange, SCCM, SCOM) or can we deploy on the root domain?

DN attribute disappeared from users details


The users from our directory were, without a reason, segregated to several OUs so we restructured the directory and went from over a dozen OUs to 2, one for users, one for service/testing/other accounts.

After doing this I went to reconfigure a couple of endpoints that bind to the LDAP using full DNs; it's hardcoded on them. That's when I realized all DN attributes are gone from the directory. Not only those from the moved elements (the user accounts) but also the ones for computer accounts, as I found out when I went to the OU where they are automatically placed.

It won't appear on the AD Users & Computers MMC modules nor using ADSI...   ...and, now forget everything I just stated because writing this I gave another pass to all the options as to avoid wasting anybody's time, and in doing so I connected to the directory using Apache Directory Studio and I can see distinguishedName still is in the users' attributes. It just won't appear in Active Directory Users and Computers, ADSI Edit nor Active Directory Administrative Center.

It's as if it had been deprecated in some way: it's there, but as far as Windows is concerned it isn't. I am remoting into a Domain Controller to check; you can't get any higher than that, authority-wise. There are only two, replication-error-free DCs, BTW. One holds all the FSMO roles and is referenced everywhere, unlike the other that's there mainly for disaster recovery; it's a tiny directory. Very basic needs.

I asked other admins but they don't recall making changes on the domain other than moving the users, which wouldn't affect computer accounts. I'm also told a SharePoint farm was installed but soon scrapped in favor of a lighter solution; the VMs have already been deleted. Any idea what could be causing this behavior?


I bet you think this post is about you. Don't you…don't you. ♪

Azure ASR AD - The trust relationship between this workstation and the primary domain failed


Hi there

This is an issue in the Azure ASR environment where the DC is hosted on a Windows server in Azure.

We have a windows server which is added to a DC in North Europe. This VM is replicated and we did a failover to West Europe ( I think Azure just moves the disk over and creates the VM)

I'm able to login as a local admin to the server but I'm unable to add this server to the new DC in the West Europe region.

Here are the steps we have tried

1) I removed the VM from the domain and added it to a workgroup. Then I tried to RDP and I got this error: "The trust relationship between this workstation and the primary domain failed". I'm unable to login to the server even as a local admin, for example .\ansible and the password; it says incorrect details (have tried 10 times).

2) Added the IP of the DC server in West Europe to the NIC and restarted the VM, same error: "The trust relationship between this workstation and the primary domain failed"

Is there anything I can try ?
