Channel: Directory Services forum
Viewing all 31638 articles

Bare Metal Backup and Recovery query


Hi Team,

I have Windows Server 2012 R2. I am planning to take a bare metal backup of one of my servers and store it on another server. I have two servers, one main server and one sub server. I have created a shared folder on my main server to store the bare metal copy. I have tried multiple times to take the backup in Windows Server Backup as per the process, then selected the shared folder path. That folder has nearly 1 TB. But it is not taking the backup; the error shows "Not enough space".

Error message: 

"Backup failed to complete. There is not enough disk space to create the volume shadow copy on the storage location. Make sure that for all volumes to be backed up the minimum required disk space for shadow copy creation is available. This applies to the backup storage destination and volumes included in the backup. Minimum requirement: for volumes less than 500 megabytes, the minimum is 50 megabytes of free space. For volumes more than 500 megabytes, the minimum is 320 megabytes of free space. Recommended: at least 1 gigabyte of free disk space on each volume if volume size is more than 1 gigabyte.

Detailed error: Insufficient storage available to create either the shadow copy storage file or other shadow copy data."

However, I have 1 TB of space as mentioned above, and I am still getting this error message.

Please help us with this as a priority.

Regards,

Balki


Error: An asynchronous module or handler completed while an asynchronous operation was still pending.


Error Message:

An asynchronous module or handler completed while an asynchronous operation was still pending.

 

Behavior:

The application tries to get the UserPrincipal for an Active Directory user through System.DirectoryServices.AccountManagement.dll. When, for example, GetUser("berste") is called once (see code snippet at the end), everything works as expected. When GetUser("reisbru") is called again within the same HTTP request, the following error is returned to the calling client:

An asynchronous module or handler completed while an asynchronous operation was still pending.

In the log files we see that the call (FindByIdentity()) returns the correct result (existing AD users are found / non-existing AD users are not found) also for the 2nd call, but nevertheless the mentioned error is shown when UserPrincipal.FindByIdentity() is called more than once.

 

In our tests we further figured out that when the user to query is deactivated (not enabled) in Active Directory, the error (An asynchronous module or handler…) does not occur.

 

Environment / Application:

ASP.NET Web API 2 application running in an IIS environment. Version: 4.6.2.

 

 

Sample Code:

using System;
using System.DirectoryServices.AccountManagement;

public UserPrincipalInternal GetUser(string sUserName)
{
    // domain, defaultOU, serviceUser and password are fields set elsewhere in the application.
    var principalContext = new PrincipalContext(ContextType.Domain, domain, defaultOU, serviceUser, password);

    var userPrincipal = UserPrincipal.FindByIdentity(principalContext, IdentityType.SamAccountName, sUserName);

    if (userPrincipal == null)
    {
        // FindByIdentity returns null when no account matches; release the context instead of dereferencing null.
        principalContext.Dispose();
        return null;
    }

    UserPrincipalInternal userPrincipalInternal = new UserPrincipalInternal()
    {
        Guid = userPrincipal.Guid,
        Sid = userPrincipal.Sid?.ToString(),
        EmailAddress = userPrincipal.EmailAddress,
        GivenName = userPrincipal.GivenName,
        Surname = userPrincipal.Surname,
        SamAccountName = userPrincipal.SamAccountName
    };

    userPrincipal.Dispose();
    principalContext.Dispose();

    return userPrincipalInternal;
}

public void Working()
{
    var user1 = GetUser("berste");
    LOGGER.Debug($"User surname: {user1.Surname}"); // "Berer"
    // No error occurs. The HTTP request returns as expected.
}

public void NotWorking()
{
    var user1 = GetUser("berste");
    LOGGER.Debug($"User surname: {user1.Surname}"); // "Berer"
    var user2 = GetUser("reisbru");
    LOGGER.Debug($"User surname: {user2.Surname}"); // "Reisinger"
    // Results for user1 and user2 are correct, but ...
    // Error occurs: An asynchronous module or handler completed while an asynchronous operation was still pending.
}

System.DirectoryServices.AccountManagement.dll version 4.0.0.0


Cancel AD DS Promotion on Windows Server 2016


On one of our servers, somebody (who probably was only supposed to install the AD management tools) instead decided to install the AD DS role on one of our Windows Server 2016 boxes!

At the moment, it displays (in Server Manager):

"Post-deployment Configuration:

Configuration required for Active Directory Domain Services at <servername>

Promote this server to a domain controller"

Can we just remove the AD DS Role, or do we have to continue with the promotion to a DC and then demote it afterwards?

Many thanks.

Getting an Error When Running Server 2012 R2 adprep /forestprep on a 2012 DC


I am getting an error when running adprep /forestprep on a Server 2012 domain controller. The main parts of my domain are as follows:

2 - Domain Controllers running Server 2012

1 - Exchange Server 2013 running on Server 2012

I am trying to either do an in-place upgrade of my domain controllers to Server 2012 R2 or even introduce a Server 2012 R2 domain controller into the domain. The error I am getting is as follows:

[Status/Consequence]

The operation GUID already exists so Adprep did not attempt to rerun this operation but is continuing.
[2014/04/05:09:12:38.873]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=38618886-98ee-4e42-8cf1-d9a2cd9edf8b,cn=Operations,cn=ForestUpdates,CN=Configuration,DC=DOMAIN,DC=local.
[2014/04/05:09:12:38.873]
LDAP API ldap_search_s() finished, return code is 0x20
[2014/04/05:09:12:38.873]
Adprep verified the state of operation cn=38618886-98ee-4e42-8cf1-d9a2cd9edf8b,cn=Operations,cn=ForestUpdates,CN=Configuration,DC=DOMAIN,DC=local.

[Status/Consequence]

The operation has not run or is not currently running. It will be run next.
[2014/04/05:09:12:38.873]
Adprep was about to call the following LDAP API. ldap_modify_s(). The entry to modify is CN=ad://ext/AuthenticationSilo,CN=Claim Types,CN=Claims Configuration,CN=Services,CN=Configuration,DC=DOMAIN,DC=local.
[2014/04/05:09:12:38.873]
LDAP API ldap_modify_s() finished, return code is 0x13
[2014/04/05:09:12:38.905]
Adprep was unable to modify some attributes on object CN=ad://ext/AuthenticationSilo,CN=Claim Types,CN=Claims Configuration,CN=Services,CN=Configuration,DC=DOMAIN,DC=local.

[User Action]

Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20140405091235 directory for more information.
[2014/04/05:09:12:38.936]
Adprep encountered an LDAP error.

Error code: 0x13. Server extended error code: 0x20b1, Server error message: 000020B1: AtrErr: DSID-030F112A, #1:
 0: 000020B1: DSID-030F112A, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9086f (msDS-ClaimIsValueSpaceRestricted)

DSID Info:
DSID: 0x181112dd
ldap error = 0x13
NT BUILD: 9600
NT BUILD: 16384

[2014/04/05:09:12:38.967]
Adprep was unable to update forest information.

[Status/Consequence]

Adprep requires access to existing forest-wide information from the schema master in order to complete this operation.

[User Action]

Check the log file, ADPrep.log, in the C:\Windows\debug\adprep\logs\20140405091235 directory for more information.

Any Help would be appreciated. Thanks!

Issue updating schema


I am having an issue extending the forest portion of the schema from Windows 2012 to Windows 2012 R2. The schema seems to be extended, but we get a strange error at the end of the process. We cannot extend the domain schema due to this issue.

 

On the schema master I load the Server 2012 R2 DVD, navigate to the support\adprep folder in a command prompt and type

 Adprep /forestprep.

The command prompt finishes with the following error messages:

 

Adprep encountered an LDAP error.

 Error code: 0x13. Server extended error code: 0x20b1, Server error message: 000020B1: AtrErr: DSID-030F112A, #1:

                0: 000020B1: DSID-030F112A, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9086f (msDS-ClaimIsValueSpaceRestricted)

 

DSID Info:

DSID: 0x181112dd

ldap error = 0x13

NT BUILD: 9600

NT BUILD: 16384

 

I've seen nothing like this on the Internet that has been able to assist me. The account I'm using is a member of Schema Admins, User Account Control is allowing commands to run as administrator, and we are running this on the schema master FSMO role holder. I appreciate your comments.

Implementing Enhanced Security Administrative Environment | Administrative Forest | without PAM


Hello,

Are there any advantages or recommendations for implementing a Bastion Forest without using PAM tools?

Is it recommended to have this isolated environment for authentication for all systems administrators (tier model), taking into consideration the technologies below:

Windows Server 2016 Active Directory Domain Services (AD DS)

Jump Servers in Bastion Forest Used for all Interventions in Productions Environment (SCCM,SCOM,SQL,etc..)

MFA for Jump Servers.

PAW for Tier 0 Admins

Credential Guard in Jump Servers

AppLocker 

LAPS 

Security Compliance Manager (SCM),

Thank You



New RODC in another site: LDAP Error 81(0x51): Server Down


Hi,

I installed a new RODC in another site, and when I now try to do the replication from one of my existing DCs in my site:

Repadmin /showrepl DC

    LDAP Error 81(0x51): Server Down
    Server Win32 Error 0(0x0):
    Extended Information:

Repadmin /bind

LDAP Error 81(0x51): Server Down
Server Win32 Error 0(0x0):
Extended Information:

I'm able to start the replication from the RODC through Sites and Services, but not from my local DC.

I get the error "RPC server not available".

Windows Server 2016 out of its domain, not allowing anyone to log in to it, neither AD users nor local users.

This morning the server was preventing users from logging in, so I went to check. According to the attachments I will post below, it appears online and responds to ping requests, but on its screen it does not show any available network connections, and it does not allow the Administrator to log on, nor AD users to log in to the network or access the folders, because it says something is wrong with their credentials, which in fact is not the case. Somehow the server left the domain and maybe it's on a private network, I suppose.

What has already been done:

Start with the last valid configuration (not resolved)

Log in in safe mode (starts in protected mode and does not let the administrator do anything)

What was not done:

Exploit to Reset Password with Vulnerability CVE-2017-0213_x64
Other Hacking Methods ...

Frequently Asked Questions:
Is the server licensed? Yes, It is.

What is the Server Version?
Windows Server 2016 Standard

Does the server have UserCals and Are they properly registered and enabled?
Yes.

Is the network cable connected to the server?
Yes

Is the Switch Connected to Computers?
Yes

The network cables have signal?
Yes

Am I on the same server network?
Yes

Am I entering my credentials incorrectly?
No

LINKS from the GOOGLE DRIVE folder once the screenshots are hosted:
NOTE: MSDN site is not hosting images at the time of this post.

LINK safe for pictures.
https://drive.google.com/open?id=1rYDardwkLOBfIjqzG-aKenjsw9y6pT9-

Windows security log - flooded with Error Code: 0xC0000371


Hi Everyone,

My Cisco IronPort e-mail gateway is connected to Windows AD servers. Every time a new e-mail comes in, Cisco IronPort tries to establish a connection to one of our AD servers and checks whether the recipient e-mail address exists in AD. If not, the e-mail is rejected. More or less this is how my system is integrated with AD. A few days ago the Windows team told me that my system is trying to open too many connections to AD, and as a result the Windows Security log is flooded (>6 million) with this kind of error:

#################

LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=GLS0020.torp.mir TaskCategory=Credential Validation OpCode=Info RecordNumber=1363466953 Keywords=Audit Failure Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: TEC-LDAP-I-IRON1 Source Workstation: GLS0020 Error Code: 0xC0000371

#################

As I see in the AD client logs (IronPort LDAP logs), IronPort tries to establish one connection to the AD server, but AD rejects it. After several tries the connection is established. Sometimes the connection is established after 2-10 tries and sometimes after more than 1000.

########### Ironport ldap log

Mon Nov 26 15:36:16 2018 Debug: LDAP: (accept) Query (mail=sdfsdf@testdomain.de) to server InternLDAP (10.201.134.182,10.201.134.183:636)
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.182(10.201.134.182:636) (20) Connection Error: [Errno 54] Connection reset by peer
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.182(10.201.134.182:636) this server marked DOWN
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.182(10.201.134.182:636) (20) Connection interrupted (writer)
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.182(10.201.134.182:636) (21) connecting to server
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.183(10.201.134.183:636) (19) Connection Error: [Errno 54] Connection reset by peer
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.183(10.201.134.183:636) this server marked DOWN
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.183(10.201.134.183:636) (19) Connection interrupted (writer)
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.183(10.201.134.183:636) (20) connecting to server
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.183(10.201.134.183:636) (20) connected to server
Mon Nov 26 15:36:16 2018 Debug: LDAP: Could not find a server to follow continuation: ldaps://ForestDnsZones.corp.dir/DC=ForestDnsZones,DC=corp,DC=dir
Mon Nov 26 15:36:16 2018 Debug: LDAP: Query (mail=sdfsdf@testdomain.de) could not follow continuation: ldaps://ForestDnsZones.corp.dir/DC=ForestDnsZones,DC=corp,DC=dir
Mon Nov 26 15:36:16 2018 Debug: LDAP: Could not find a server to follow continuation: ldaps://DomainDnsZones.corp.dir/DC=DomainDnsZones,DC=corp,DC=dir
Mon Nov 26 15:36:16 2018 Debug: LDAP: Query (mail=sdfsdf@testdomain.de) could not follow continuation: ldaps://DomainDnsZones.corp.dir/DC=DomainDnsZones,DC=corp,DC=dir
Mon Nov 26 15:36:16 2018 Debug: LDAP: Could not find a server to follow continuation: ldaps://corp.dir/CN=Configuration,DC=corp,DC=dir
Mon Nov 26 15:36:16 2018 Debug: LDAP: Query (mail=sdfsdf@testdomain.de) could not follow continuation: ldaps://corp.dir/CN=Configuration,DC=corp,DC=dir
Mon Nov 26 15:36:16 2018 Debug: LDAP: (accept) Query (mail=sdfsdf@testdomain.de) lookup success, (10.201.134.183:636) returned 0 results
Mon Nov 26 15:36:16 2018 Info: LDAP: Bounce query InternLDAP.ldapaccept MID 136648 RID 0 address sdfsdf@testdomain.de
Mon Nov 26 15:36:16 2018 Debug: LDAP: InternLDAP:10.201.134.182(10.201.134.182:636) (21) connected to server

########### Ironport ldap log

Is it normal that the AD server rejects so many connections?

I have asked the Windows team to enable debug mode on the AD server, just to check what the reason is that AD rejects 90% of connections. They told me that it is not possible; is that true? Is it really not possible to check on Windows servers why the system is rejecting connections?

What exactly does this error mean:

Error Code: 0xC0000371

Every time AD rejects a connection this error appears; what does it mean?

Thanks in advance for any support.

Cheers

Konrad
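The post shows one Event 4776 line in a key=value export and asks how to read the volume of failures behind it. The following is an added example, not code from the post or from Microsoft or Cisco: it parses constructed 4776 lines in the same key=value layout (host, account, workstation and record numbers are made up) and counts failed validations per logon account, source workstation and error code, which is the first thing a Windows team needs before deciding whether a flood like this is one misbehaving integration or something else. Event 4776 is the NTLM credential-validation event (the authentication package in the post's line, MICROSOFT_AUTHENTICATION_PACKAGE_V1_0, is NTLM's), and Error Code 0x0 in it means the credentials were validated; the example does not interpret 0xC0000371 itself, since the page does not.

```python
import re
from collections import Counter

# Constructed sample lines in the key=value layout the post shows for Event 4776.
# Host, account, workstation and record numbers are made up for this example.
SAMPLE_LOG = """\
LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=DC01.example.test TaskCategory=Credential Validation OpCode=Info RecordNumber=1001 Keywords=Audit Failure Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: SVC-LDAP-GW Source Workstation: DC01 Error Code: 0xC0000371
LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=DC01.example.test TaskCategory=Credential Validation OpCode=Info RecordNumber=1002 Keywords=Audit Failure Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: SVC-LDAP-GW Source Workstation: DC01 Error Code: 0xC0000371
LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=DC01.example.test TaskCategory=Credential Validation OpCode=Info RecordNumber=1003 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: SVC-LDAP-GW Source Workstation: DC01 Error Code: 0x0
LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=DC01.example.test TaskCategory=Credential Validation OpCode=Info RecordNumber=1004 Keywords=Audit Failure Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: SVC-LDAP-GW Source Workstation: DC01 Error Code: 0xC0000371
LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=DC01.example.test TaskCategory=Credential Validation OpCode=Info RecordNumber=1005 Keywords=Audit Failure Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: jdoe Source Workstation: WS42 Error Code: 0xC000006A
LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=DC01.example.test TaskCategory=Logon OpCode=Info RecordNumber=1006 Keywords=Audit Success Message=An account was successfully logged on.
"""

EVENT_RE = re.compile(r"\bEventCode=(?P<code>\d+)\b")
FIELDS_RE = re.compile(
    r"Logon Account: (?P<account>\S+) "
    r"Source Workstation: (?P<workstation>\S*)\s+"
    r"Error Code: (?P<error>0x[0-9A-Fa-f]+)"
)


def parse_4776(line):
    """Return (account, workstation, error_code) for an Event 4776 line, None for anything else."""
    m = EVENT_RE.search(line)
    if m is None or m.group("code") != "4776":
        return None
    f = FIELDS_RE.search(line)
    if f is None:
        return None
    error = "0x" + f.group("error")[2:].upper()  # normalise hex case, e.g. 0xc0000371 -> 0xC0000371
    return f.group("account"), f.group("workstation"), error


def summarize_failures(lines):
    """Count failed validations per (account, workstation, error code).

    Error Code 0x0 in a 4776 event means the credentials were validated, so it is skipped.
    """
    counts = Counter()
    for line in lines:
        parsed = parse_4776(line)
        if parsed is None:
            continue
        account, workstation, error = parsed
        if error == "0x0":
            continue
        counts[(account, workstation, error)] += 1
    return counts


def noisy_sources(counts, threshold):
    """(account, workstation, error, count) tuples at or above threshold, most frequent first."""
    hits = [(acct, ws, err, n) for (acct, ws, err), n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda h: -h[3])


if __name__ == "__main__":
    failures = summarize_failures(SAMPLE_LOG.splitlines())
    for acct, ws, err, n in noisy_sources(failures, threshold=3):
        print(f"{n:>6}  account={acct} workstation={ws} error={err}")
```

Grouping by (account, workstation, error code) rather than by account alone is deliberate: a single service account failing with one code from one host, as in the post, reads very differently from the same account failing with many codes from many workstations, and the counts make that distinction visible without any DC-side debug logging.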

Conflict in domain name between two containers Users and Builtin


We have Windows Server 2016 installed with AD DS running on it. Last year they upgraded the server from Windows 2008 R2 to Windows 2016, and during this process they renamed the server, e.g. test (old server name) to test1. Now in our AD DS, if groups inside the "Builtin" container are added in the NTFS permissions on a folder, they show the new domain name, e.g. test1\Users, but when the Domain Admins group in the "Users" container is added to NTFS it shows test\Domain Admins (old domain name). But the members of the Domain Admins group are not able to access the folders even though the group has full privileges on the folder. When the same user is added to the Users group inside the Builtin container, the members are able to access it. I suspect this is because of the naming conflict between the two containers, and I am not really aware of the process they followed during the migration. Please provide your valuable advice on how to approach this issue.



The DNS server 206.89.179.3 on Local Area Connection 2 did not successfully resolve the name for the start of authority (SOA) record of the zone hosting the computer's primary DNS domain name.


I am at a loss here. I have checked the network settings; the DNS is the same IP address as the server. Only one NIC is enabled. I have flushed DNS and registered DNS, followed by a reset of netlogon and DNS. Still no luck. I notice that in the forwards the domain only shows an A record as static.

ipconfig /all

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator.MERCEDES>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Mercedes2
   Primary Dns Suffix  . . . . . . . : Mercedes
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : Mercedes

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet #2
   Physical Address. . . . . . . . . : 54-9F-35-1E-24-AE
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2603:3014:23be:8000:d0f5:3492:1c72:e8a5(Preferred)
   Link-local IPv6 Address . . . . . : fe80::d0f5:3492:1c72:e8a5%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 206.89.179.3(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::3817:e1ff:fef5:2a82%10
                                       206.89.179.125
   DNS Servers . . . . . . . . . . . : 206.89.179.3
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{69735297-E6C5-499E-AC88-599137266A2D}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\Users\Administrator.MERCEDES>

Enabling IPv6 I get this error on dcdiag:

 Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator.MERCEDES>dcdiag test:dns
Invalid Syntax: Invalid option test:dns. Use dcdiag.exe /h for help.

C:\Users\Administrator.MERCEDES>dcdiag /test:dns

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = Mercedes2
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\MERCEDES2
      Starting test: Connectivity
         ......................... MERCEDES2 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\MERCEDES2

      Starting test: DNS

         DNS Tests are running and not hung. Please wait a few minutes...
 ERROR: NO DNS servers for IPV6 stack was found
         ......................... MERCEDES2 passed test DNS

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : Mercedes

   Running enterprise tests on : Mercedes
      Starting test: DNS
         Test results for domain controllers:

            DC: Mercedes2.Mercedes
            Domain: Mercedes


               TEST: Basic (Basc)
                  Warning: The AAAA record for this DC was not found

               TEST: Dynamic update (Dyn)
                  Warning: Failed to delete the test record dcdiag-test-record in zone Mercedes

               TEST: Records registration (RReg)
                  Network Adapter
                  [00000012] Broadcom NetXtreme Gigabit Ethernet:
                     Warning:
                     Missing AAAA record at DNS server 206.89.179.3:
                     Mercedes2.Mercedes

               Warning: Record Registrations not found in some network adapters

               Mercedes2                    PASS WARN PASS PASS WARN WARN n/a
         ......................... Mercedes passed test DNS

C:\Users\Administrator.MERCEDES>

Is there something I am missing here? This was a Server 2000 upgraded to 2008 R2. When I disable IPv6 the error is still present, but dcdiag runs with all tests passing.

nltest /sc_query:domain


Running nltest /sc_query on my PDC returns "ERROR_NO_SUCH_DOMAIN"; all other DCs are good. Is this normal?

nltest /sc_query:domain.com

I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

DFS replication error


There were two DCs before. One of them died a while back. So I deleted the dead one from AD and AD Sites and Services. But Event Viewer still generates the error saying

I checked DFS Replication and only one server exists. Does it mean that I should delete the existing one from DFS Replication, since it is the only DC there and there is nowhere to replicate to?

Please advise!

Thank you very much!

Migrating Active Directory Services from 2012 R2 to 2016 server for our Organization Domain


Scenario:

Platform: Windows 2012 R2, single forest, single domain with 20 domain controllers; trusts are in place with a couple of different organizations' domains and forests. The root DC and the other DCs are Windows 2012 R2 only for our domain. All DCs run AD-integrated DNS.

Requirement: We plan to provision 4 Windows 2016 DCs and decommission all the existing 2012 R2 DCs. What steps should we follow to complete this entire activity?

Our plan: Add all 4 servers with OS 2016 one by one to the current domain and promote them as DCs individually. Transfer the FSMO roles to the identified newly promoted 2016 DC. Check DC replication after validating site replication. Then keep this hybrid mode for 4-5 days and check for any issues, then decommission the 2012 R2 DCs one by one. The old root DC will be decommissioned last.

As this is a very critical activity, we need some expert suggestions, and any suggestions would be highly appreciated.

Regards,

SoumenG



Active Directory Web Services

Hello.

Recently I noticed a problem.

There are 4 DC:

DC1 \ DC2 on OS 2016

DC3 \ DC4 on OS 2012 R2

The problem is associated with Active Directory Web Services, when requested in PS:

Get-ADGroupMember -Identity "Domain Users" - after 5 minutes the timeout kicks in.

The timeout limit was exceeded

This problem is only on 2 hosts, DC3 and DC2. ADWS configs are identical; the limits were raised for the test, with no change. There are more than enough resources; when full logging is enabled there are no errors. It is just clear that on the 2 problem DCs the request takes more than 5 minutes and is very slow (on DC1 \ DC4 the result takes about 15-20 seconds). (And no, we have already rolled up the most recent.)

Has anyone come across this? Or could you send me in the right direction?

Thank you in advance!


Windows 2012 Logs configuration performance impact


We have a requirement to configure detailed Windows logs, like security audit and other minimum log configuration, for an organization.
We have 15 Windows 2012 domain controllers which have 2 CPUs, 4 GB RAM and one 50 GB system drive. What is the best practice to configure the logs, and what will be the performance and storage impact?

Thanks

Baiju Mathew

Active Directory extensible match


Hello, All!

How can I find users in some OU in the domain when the bindDN is the root of the domain?

As far as I understand, I must use https://ldapwiki.com/wiki/LDAP_MATCHING_RULE_DN_WITH_DATA for this.

I'm stuck at creating the filter. My variant is:

(Common-Name:1.2.840.113556.1.4.2253:=S:4:myou:dc=td,dc=local)

What must I use in place of "Common-Name"?

What must I use in place of "S:4:myou"?

I'd be glad for any information related to this issue.
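The post's filter uses the extensible-match form (attribute:ruleOID:=value) with a value in the Object(DN-String) encoding, where "S:4:myou:dc=td,dc=local" is S:, the character count of the string, the string itself, and then the DN; LDAP_MATCHING_RULE_DN_WITH_DATA is meant for attributes that carry DN-with-string or DN-with-binary values. The following is an added example, not code from the post or from ldapwiki: it builds that value and filter from its parts (so the count is never typed by hand), escapes filter values per RFC 4515, and, for the actual goal of finding users in one OU, builds a search scoped by search base and subtree scope, which does not depend on which DN the connection was bound with. The attribute name someAttribute is a placeholder; the page does not say which attribute the poster needs.

```python
DN_WITH_DATA_RULE = "1.2.840.113556.1.4.2253"  # LDAP_MATCHING_RULE_DN_WITH_DATA, as in the post


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Without this, a value containing * ( ) or \\ changes the filter's structure,
    which is how LDAP injection works when user input is pasted into a filter.
    """
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def dn_with_string(data, dn):
    """Encode an Object(DN-String) value: S:<character count>:<string>:<DN>.

    This is the shape of "S:4:myou:dc=td,dc=local" in the post: 4 is len("myou").
    """
    return f"S:{len(data)}:{data}:{dn}"


def dn_with_data_filter(attribute, data, dn):
    """Extensible-match filter (<attribute>:<rule OID>:=<encoded value>) for the DN-with-data rule."""
    value = dn_with_string(data, dn)
    return f"({attribute}:{DN_WITH_DATA_RULE}:={escape_filter_value(value)})"


def users_in_ou_search(ou_dn, sam_account_name=None):
    """Describe a search for user objects under one OU.

    The OU is selected by search base + subtree scope, not by the filter,
    and the bind DN plays no part in it.
    """
    parts = ["(objectCategory=person)", "(objectClass=user)"]
    if sam_account_name is not None:
        parts.append(f"(sAMAccountName={escape_filter_value(sam_account_name)})")
    return {"base": ou_dn, "scope": "subtree", "filter": "(&" + "".join(parts) + ")"}


if __name__ == "__main__":
    # someAttribute is a placeholder name; the values mirror the post's example.
    print(dn_with_data_filter("someAttribute", "myou", "dc=td,dc=local"))
    print(users_in_ou_search("OU=myou,DC=td,DC=local", "jdoe"))
```

The search description is a plain dict so it can be handed to whatever LDAP client is in use; the part worth keeping regardless of client is escape_filter_value, which should wrap every externally supplied value before it reaches a filter string.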


AD replication error (Event ID 1864) / deleted DSA / AD cleanup


Hello everybody,

we have a problem with the AD. In the past we upgraded some of our DCs from Server 2012 to Server 2016. We have a forest; not all subdomains are upgraded yet.
As recommended by Microsoft we did not do an in-place upgrade. We did a demote and unjoin, and after a new installation with the same hostname and IP we joined and promoted it.

For a long time we have been getting Event ID 1864 on these DCs:

This is the replication status for the following directory partition on this directory server. 
Directory partition:
DC=domain,DC=local
This directory server has not recently received replication information from a number of directory servers.
The count of directory servers is shown, divided into the following intervals. 
More than 24 hours:
1 
More than a week:
1 
More than one month:
1 
More than two months:
1 
More than a tombstone lifetime:
0 
Tombstone lifetime (days):
180 
Directory servers that do not replicate in a timely manner may encounter errors. They may miss password changes 
and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion 
of some objects, and may be automatically blocked from future replication until it is reconciled. 
To identify the directory servers by name, use the dcdiag.exe tool. 
You can also use the support tool repadmin.exe to display the replication latencies of the directory servers.   
The command is "repadmin /showvector /latency <partition-dn>".

A repadmin /showvector /latency dc=domain,dc=local shows the following:

Caching GUIDs.
..
Site1\ROOT-DC2 (deleted DSA)           @ USN  31227390 @ Time 2018-03-15 10:17:20
Site1\ROOT-DC1\0ADEL:b738d30e-8a3a-4175-ab4f-27bb0652857e (deleted DSA) @ USN  41123970 @ Time 2018-03-20 13:13:06
Site1\SUB1-DC2 (deleted DSA)            @ USN  53882505 @ Time 2018-03-20 15:50:21
Site1\SUB1-DC1 (deleted DSA)            @ USN  59794124 @ Time 2018-03-22 10:03:16
Site2\SUB2-DC2 (deleted DSA)              @ USN  12111634 @ Time 2018-04-12 12:49:55
Site2\SUB2-DC1 (deleted DSA)              @ USN  202422306 @ Time 2018-04-12 15:47:08
Site1\SUB3-DC1                          @ USN  15696469 @ Time 2018-08-13 13:57:02
Site2\SUB2-DC1                            @ USN    653303 @ Time 2018-08-13 14:02:41
Site3\SUB3-DC2                          @ USN  10636306 @ Time 2018-08-13 14:03:47
Site2\SUB2-DC2                            @ USN   1012325 @ Time 2018-08-13 14:05:55
Site5\SUB6-DC3                        @ USN   9335718 @ Time 2018-08-13 14:07:02
Site6\SUB4-DC2                          @ USN   2745623 @ Time 2018-08-13 14:12:03
Site4\SUB5-DC2                          @ USN  130326526 @ Time 2018-08-13 14:12:30
Site1\ROOT-DC1                         @ USN   1623323 @ Time 2018-08-13 14:23:55
Site1\SUB4-DC1                          @ USN  25724705 @ Time 2018-08-13 14:24:10
Site1\SUB8-DC1                        @ USN    6287872 @ Time 2018-08-13 14:24:16
Site1\SUB1-DC2                          @ USN   43936554 @ Time 2018-08-13 14:47:56
Site1\ROOT-DC2                         @ USN   2334008 @ Time 2018-08-13 14:48:48
Site1\SUB5-DC1                          @ USN  25602431 @ Time 2018-08-13 14:49:02
Site1\SUB7-DC1                          @ USN   4156821 @ Time 2018-08-13 14:49:02
Site1\SUB1-DC1                          @ USN   3773274 @ Time 2018-08-13 15:39:50


We deleted these old objects in the trash. But we still see these entries (above) like "Site1\ROOT-DC2 (deleted DSA)".
A metadata cleanup did not help.

Is there any way to get rid of these "deleted DSA" entries and so also of Event ID 1864?

Thanks for your ideas!

Wolfgang

//update:

I forgot to mention that before we set up the new DC we did a "repadmin /syncall /AdePa" until we got no errors.
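Event 1864 reports cumulative counts per interval, and "repadmin /showvector /latency" lists the per-DSA timestamps behind those counts, so the two can be reconciled by hand. The following is an added example, not code from the post or from Microsoft's tooling: it parses a constructed excerpt in the same layout as the post's showvector output (names, USNs and timestamps are made up), separates the "(deleted DSA)" entries from live ones, and re-derives the Event 1864 buckets from the timestamps. The tombstone lifetime of 180 days is taken from the poster's event text; the event does not define "month", so 30 and 60 days are this example's assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt in the layout of "repadmin /showvector /latency <partition-dn>";
# names, USNs and timestamps are made up for this example and are not the poster's output.
SAMPLE_OUTPUT = r"""
Caching GUIDs.
..
Site1\ROOT-DC2 (deleted DSA)           @ USN  31227390 @ Time 2018-03-15 10:17:20
Site1\ROOT-DC1\0ADEL:00000000-0000-0000-0000-000000000000 (deleted DSA) @ USN  41123970 @ Time 2018-03-20 13:13:06
Site4\OLD-DC1 (deleted DSA)            @ USN       100 @ Time 2018-01-10 09:00:00
Site3\SUB3-DC2                         @ USN  10636306 @ Time 2018-08-01 14:03:47
Site2\SUB2-DC1                         @ USN    653303 @ Time 2018-08-14 14:02:41
Site1\ROOT-DC1                         @ USN   1623323 @ Time 2018-08-13 14:23:55
"""

LINE_RE = re.compile(
    r"^(?P<site>[^\\\s]+)\\(?P<dsa>\S+)"
    r"(?P<deleted>\s+\(deleted DSA\))?"
    r"\s+@ USN\s+(?P<usn>\d+) @ Time (?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*$"
)

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"
TOMBSTONE_LIFETIME_DAYS = 180  # as reported in the poster's Event 1864 text

# Interval labels used by Event 1864; 30/60 days for "month" are this example's assumption.
INTERVALS = [
    ("More than 24 hours", timedelta(hours=24)),
    ("More than a week", timedelta(days=7)),
    ("More than one month", timedelta(days=30)),
    ("More than two months", timedelta(days=60)),
    ("More than a tombstone lifetime", timedelta(days=TOMBSTONE_LIFETIME_DAYS)),
]


def _as_datetime(value):
    """Accept either a datetime or a 'YYYY-MM-DD HH:MM:SS' string (the format repadmin prints)."""
    return value if isinstance(value, datetime) else datetime.strptime(value, TIME_FORMAT)


def parse_showvector(text):
    """Turn showvector /latency output into a list of dicts, skipping 'Caching GUIDs.' and '..'."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        entries.append({
            "name": f"{m.group('site')}\\{m.group('dsa')}",
            "deleted": m.group("deleted") is not None,
            "usn": int(m.group("usn")),
            "last_sync": datetime.strptime(m.group("time"), TIME_FORMAT),
        })
    return entries


def stale_counts(entries, now):
    """Cumulative per-interval counts, the way Event 1864 reports them."""
    now = _as_datetime(now)
    return {label: sum(1 for e in entries if now - e["last_sync"] > age) for label, age in INTERVALS}


def deleted_dsas(entries):
    """Names still carried in the vector although the DSA object is gone."""
    return [e["name"] for e in entries if e["deleted"]]


def stale_servers(entries, now, older_than=timedelta(hours=24)):
    """Names whose last replication is older than the given age, oldest first."""
    now = _as_datetime(now)
    stale = [e for e in entries if now - e["last_sync"] > older_than]
    return [e["name"] for e in sorted(stale, key=lambda e: e["last_sync"])]


if __name__ == "__main__":
    vector = parse_showvector(SAMPLE_OUTPUT)
    reference = "2018-08-14 16:00:00"  # constructed "now" for the sample
    for label, n in stale_counts(vector, reference).items():
        print(f"{label}: {n}")
    print("deleted DSAs:", deleted_dsas(vector))
    print("stale, oldest first:", stale_servers(vector, reference))
```

Running it against real output makes the event's anonymous "1" in each bucket a concrete name, and splits that name into the two cases the post is really asking about: a live DC that has stopped replicating, and a stale up-to-dateness vector entry for a DSA that no longer exists.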

AD Cloud deployment guidance.


Hi Guys,
Bear with me; I won't be as technical as even a fraction of you here.

I am looking at deploying a completely new Windows environment (DC/AD etc.). There is currently no infrastructure set up and I have been looking at different deployment possibilities. I would be looking at setting this up for multiple sites in the UK, NY & LA.

I am looking at possibly a hybrid solution (on-prem & cloud) via AWS or Azure. Firstly, as I haven't been exposed to a Windows domain environment hosted in either, does anyone have any recommendations or insight into either they could share?

Secondly, I was wondering if there was a purely cloud-based option using VMs in either AWS or Azure? I am obviously opposed to setting up such an environment due to the low guaranteed availability & bandwidth constraints of everything using the IGW.

The business would like the possibility explored, and there are multiple DaaS offerings which don't offer GPO, which is a deal breaker.

Users:

UK - 70, NY - 15, LA - 8

No existing domain or Windows services currently running (except DNS).

If you need to know anything to get a better feel of our need please ask.

NTFS Permissions Fiasco and How To Resolve


I am currently working a contract with a company running their file shares on dfs on 2008 R2. They would like to update to 2016, and migrate all data to a different SAN provider. Normally this would not be an issue, but I have (as always seems to be the case) run into a bit of a rub.

For each of the shared drives, the company policy has been to create a RO and RW security group in A.D., and control NTFS permissions through these groups. There are literally hundreds upon hundreds of each group, covering folders and subfolders and third-grandchildren folders.

On top of this horrible structure, a LARGE number of folders were deemed "too private" for anyone but a select few, and thus have inheritance broken on them. Still more on top of this were deemed "way too private" and even the administrators were removed. So even as an Enterprise Admin there are many directories I get an access denied on.

While the removal of admin access is bad enough, with the broken inheritance it means that in a particular directory with 15 subfolders I may only see 6. So I end up "not knowing what I don't know" as I can't see the folders I have no access to.

So I am just looking for suggestions on a best practice way to go about resolving this, at least to the point where I know what I don't have access to, so I can then put it back on the directory owner to move their own data to the new dfs root. The only thing I can think of is to do an initial trial copy of data, and just record what directories it fails on, but I am concerned the ones I cannot even see won't throw an error. With ~80TB of data to go through, it is looking like it is going to be a nightmare.
