Hi,

in organization two domain with two way trust qwe.com and zxc.com. I add two new domain controllers to zxc.com and have a problem.

When I add user from qwe.com to group of zxc.com, and after that try to show members.

On new domain controller I cam see this

 Image may be NSFW.
Clik here to view.

Image may be NSFW.
Clik here to view.

and on old domain controllers - ok

From new domain controller I can search users from qwe.com directory. In ForeignSecurityPrincipals OU (on new domain controller) I can see objects like SID and can not see there attributes. On the old controller, I can see the objects and their properties.

BPA error is:

Title:
Domain controller DC02.zxc.com must have "Access this Computer from the Network" granted to the appropriate security principals
Severity
Error
Problem:
Domain Controller DC02.zxc.com does not have user right "Access this computer from the network" granted to 'Builtin Administrators', 'Enterprise Domain Controllers' or 'Authenticated Users', or has the user right "Deny access to this computer from the network" assigned to either of those groups or 'Everyone'.

Impact:
Replication operations initiated by other domain controllers in the domain or by administrators may fail. Users and computers may also experience failure to apply Group Policy objects.

Resolution
Verify that the domain controllers in the domain zxc.com have this user right granted to the appropriate security principals. Using Group Policy Management and Group Policy Results, verify that the winning Group Policy for the "Access this computer from the network" user right grants that right to the 'Builtin Administrators', 'Enterprise Domain Controllers', and 'Authenticated Users' groups. Verify that the policy setting "Deny access to this computer from the network" does not have 'Everyone', 'Authenticated Users', 'Builtin Administrators' or 'Enterprise Domain Controllers' groups defined in it.

I check policy, and all permission are default.

Title:
Domain controller DC02.zxc.com must have "Enable computer and user accounts to be trusted for delegation" granted to the Builtin Administrators security group

Problem:
Domain controller DC02.zxc.com must have the "Enable computer and user accounts to be trusted for delegation" user right granted to the Builtin Administrators security group if domain controller DC02.zxc.com is used as a replication partner during a domain controller promotion.

Impact:
Installation of additional domain controllers (promoting replica domain controllers) in domain zxc.com may fail if they select domain controller DC02.zxc.com as a replication partner during the installation.

Resolution
Verify that the current domain controllers in domainzxc.com  have the "Enable computer and users accounts to be trusted for delegation" user right granted to the Builtin Administrators group

http://go.microsoft.com/fwlink/?LinkId=168842

http://go.microsoft.com/fwlink/?LinkId=168864

Hi All,

I have been asked to create some ADM users on a new domain and put the users into a group. This is no problem but I would like to know what access to the domain this particular group has.

How do I identify what access the group has as part of the Domain / Forest. Judging by the naming convention it appears to be some kind of admin group but I really cant be sure.

Any help here would be greatly appreciated.

Regards.

Hi,

I have two domain controller in my network. Any of these domain controllers every 5 minutes encountered the following error:

Security policy cannot be propagated. Cannot access the template. Error code = 3

I ran the following command on all of the computers in order to sync their times with domain controllers.

net time \\(domain controller name) /set /y

And when I Stop the File Replication Services I got the following error:

Image may be NSFW.
Clik here to view.

Any help would be appreciated.

Thanks

We have a really strange issue here with our setup on our new 2012 R2 DC with the PDC role. We cannot get it to synchronise with an external time source and it always reverts to Local CMOS Clock.

Firstly it's important to mention that this machine is running as a VM under ESXi 6.0 which has "Synchronize guest time with host" switchedoff under the VM properties.

These are the steps I have run through and where I am with it.

C:\Windows\system32>net stop w32time
The Windows Time service is stopping.
The Windows Time service was stopped successfully.

C:\Windows\system32>w32tm /unregister
W32Time successfully unregistered.

C:\Windows\system32>w32tm /register
W32Time successfully registered.

C:\Windows\system32>net start w32time
The Windows Time service is starting..
The Windows Time service was started successfully.

C:\Windows\system32>w32tm.exe /config /manualpeerlist:"1.uk.pool.ntp.org" /syncf
romflags:manual /reliable:YES /update
The command completed successfully.

C:\Windows\system32>w32tm /config /update
The command completed successfully.

C:\Windows\system32>w32tm /query /peers
#Peers: 4

Peer: 1.uk.pool.ntp.org
State: Active
Time Remaining: 44.6093371s
Mode: 1 (Symmetric Active)
Stratum: 0 (unspecified)
PeerPoll Interval: 0 (unspecified)
HostPoll Interval: 6 (64s)

Peer: 1.uk.pool.ntp.org
State: Active
Time Remaining: 44.7187111s
Mode: 1 (Symmetric Active)
Stratum: 0 (unspecified)
PeerPoll Interval: 0 (unspecified)
HostPoll Interval: 6 (64s)

Peer: 1.uk.pool.ntp.org
State: Active
Time Remaining: 44.8280879s
Mode: 1 (Symmetric Active)
Stratum: 0 (unspecified)
PeerPoll Interval: 0 (unspecified)
HostPoll Interval: 6 (64s)

Peer: 1.uk.pool.ntp.org
State: Active
Time Remaining: 44.9374612s
Mode: 1 (Symmetric Active)
Stratum: 0 (unspecified)
PeerPoll Interval: 0 (unspecified)
HostPoll Interval: 6 (64s)

C:\Windows\system32>w32tm /query /configuration
[Configuration]

EventLogFlags: 2 (Local)
AnnounceFlags: 5 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Local)
MaxPollInterval: 10 (Local)
MaxNegPhaseCorrection: 172800 (Local)
MaxPosPhaseCorrection: 172800 (Local)
MaxAllowedPhaseOffset: 300 (Local)

FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 7 (Local)
UpdateInterval: 100 (Local)


[TimeProviders]

NtpClient (Local)
DllName: C:\Windows\system32\w32time.DLL (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
CrossSiteSyncFlags: 2 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Local)
ResolvePeerBackoffMaxTimes: 7 (Local)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Local)
Type: NTP (Local)
NtpServer: 1.uk.pool.ntp.org (Local)

NtpServer (Local)
DllName: C:\Windows\system32\w32time.DLL (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)

VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)


C:\Windows\system32>w32tm /resync /force
Sending resync command to local computer
The computer did not resync because no time data was available.

I am under the impression that everything is set correctly so I cannot understand why it refuses to synchronise each time. I have tried different time servers such as time.windows.com and another local one which all achieve the same results.

Once again, time synchronisation within VMware tools is definitely off.

I try to set a lab with two forest and make forest trust.

When I add UPN e.g. contoso.com into two forest, it will have conflict when workstation logon, AAD connect can sync to object to O365.

If a company have two forest, they do forest trust but their UPN Suffixes can't be share?

If they need to manage email , they can manage on one forest only?

Thanks.

Hey Everyone,

I'll be assisting an entrepreneur to build out a Managed Service Provider. We plan on assisting different clients(domains). What are the possible ways to manage different domains from one domain without needing to have a trust relationship?

Hi everyone:

I have two tier-PKI with server-1 as sub-ordinate enterprise/issuing CA. I have installed 'Certificte Authority Web Enrollment' on Server-2. when I open Server-2.domain.com/certsrv and go to ''Download a CA certificate, certificate chain or CRL' it returns 'Error: An unexpected error has occurred: The Certification Authority Service has not been started.' However it works fine from https://localhost/certsrv on server-2.

My problem is same as in the following thread and I have tried the solution advised but it hasn't worked for me:

https://social.technet.microsoft.com/Forums/en-US/4c7f41a5-21b0-470d-8c78-0fc237eb1da0/web-enrollemet-page-giving-error-quot-an-unexpected-error-has-occurred-the-certification?forum=winserversecurity

I have tried the following but nothing has changed:

https://support.microsoft.com/en-gb/help/300867/error-message-the-certification-authority-service-has-not-been-started

https://blogs.technet.microsoft.com/askds/2009/04/22/how-to-configure-the-windows-server-2008-ca-web-enrollment-proxy/

Please advise if I am missing something. Many thanks

Can someone tell me if it would be wise to put domain controllers, DNS servers and DHCP servers behind a load balancer?

I know for clients and servers and other systems that use the DC locator process that does not really make a difference but i wanted to offer HA for those systems and applications where you have to type in one or more domain controller or DNS server or DHCP server.

Also to help when we replace domain controllers. if things are pointed to ADLB.yourdomain.local instead of AD1.yourdomain.local and AD2.yourdomain.local. when times comes and you need to upgrade those 2 AD domain controllers you can include AD3.yourdomain.local and AD4.yourdomain.local and then remove the other 2 and no one will know anything different.

This came up in a discussion because we want to upgrade some 2008R2 domain controllers and some 2012R2 domain controllers to Windows Server 2016 and want to make it a painless as possible

I created a test AD environment that consists of a forest and a tree domains in, of course, transitive trust relationship.

The two domains are acme.local (forest) and provence.local (tree). DNS zones created in provence.local are unable to replicate to acme.local, but replication from acme.local to provence.local is OK.

Any insight?

Thanks,

Mike

Hi, Richard.

I'm not sure where to post question so i'll ask it here and you can tell me if you want me to ask it somewhere else. I have a domain named, lets say, foo.bar. Using Multi-valued Distinguished Name With Security Principal Editor i want to add another member to some object. When I select user or user group, lets say MyGroup, from that domain (after clicking 'Add Windows Account...' button), In the members window I see MyGroup@FOO as if FOO is domain. I'm not sure why I see selected group in that format and if it is expected or not. I expected MyGroup@foo.bar. Do you know what has happened? Thank you in advance.

Kind regards,

So I have been through all the online help forums, tutorials, videos, and other online research and I cannot seem to find a solution to my problem. I was trying to access folders located on the file share service on the DC and am unable to as I get the error code 0x80070035 which is the "Network path cannot be found". Then I go into the event viewer and get and error with an event ID: 1058. 

"The processing of Group Policy failed. Windows attempted to read the file %9 from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 
a) Name Resolution/Network Connectivity to the current domain controller. 
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). 
c) The Distributed File System (DFS) client has been disabled."

OpCode: (1)

I tried to resolve a, b, and c; but all of the services were on, sharing permissions were enabled, and nothing was fixing this error. I've tried to force the DFS to replicate, however it cannot do that because again, "Network Path not found". 

I am able to ping, nslookup, the DC

I ran a dcdiag /v /c /q and the following tests failed:

It appears that I'm having an authentication failure/issue, but I cannot find a solution. I am aware that some of the configuration with whats placed in the DC and not having a BDC are faults on my part, but this is the first server I've put up and I am trying to learn how to make it right so I don't run into this issue again or can avoid it.

I've tried deleting the replicated dfs files, but it won't allow me access to that, I've tried running the DC in a virtual environment and trying to fix/repair with the installation media.

If you'd like me to run other commands I am more than happy to do so. I hope this is enough information for someone to point me in the right direction. Any help would be much appreciated. I'll post some images as well once my account is verified.



Thank you in advance,

Tony 

I'm having some occasional trust issues on some workstations on my domain.

My DC server's clocks were a bit behind a month or so ago and I corrected them.

However, some workstations occasionally are having trust issues but are fine after a reboot.

What does resetting a computer account in active directory do?

As in, will the domain user accounts still be on the workstation? Do I need to anything else to get it working as it was before?

Thanks!

Hello All,

we have 2012 R2 Domain controller in our environment.

now planning to install RODC. and could not see ActiveDirectoryRODCUpdate under configuration/forest updates in ADSI.

need to know from where can i get the Adprep.exe file.

i heard in 2012 we dont have to get it from mount CD drive, it is by default available

Can any one advise on how to proceed.

regards

Aamir Masthan

NA

A few weeks ago the domain controllers in our Lab domain was attempted to be migrated from FRS to DFS. The domain is at Windows 2008 R2 functionality level and the DC's are on Windows 2019. When the migration was initiated with Dfrsmig this error appeared every 5 minutes when it tries to migrate SYSVOL:

DFSR was unable to copy the contents of the SYSVOL share located at C:\Windows\SYSVOL\domain to the SYSVOL_DFSR folder located at C:\Windows\SYSVOL_DFSR\domain. This could be due to<g class="gr_ gr_222 gr-alert gr_gramm gr_inline_cards gr_run_anim Grammar only-ins replaceWithoutSep" data-gr-id="222" id="222">lack</g> of availability of disk space or due to sharing violations. 

Additional Information: 
Sysvol NTFRS folder: C:\Windows\SYSVOL\domain 
Sysvol DFSR folder: C:\Windows\SYSVOL_DFSR\domain 
Error: 367 (The process creation has been blocked.)

Replication between the two domain controllers <g class="gr_ gr_265 gr-alert gr_gramm gr_inline_cards gr_run_anim Grammar multiReplace" data-gr-id="265" id="265">were</g> working without any issues. I've tried just about everything to fix the problem, adjusting permissions on the folders, running the Robocopy command manually (which did copy all the folders and files without error), deleting all GPO's not being used, running DCGPOFIX, removing all DC's except one, even performing a System State restore to a new DC (with an auth restore of AD and Sysvol). Rolling back the migration and starting again.<g class="gr_ gr_1532 gr-alert gr_gramm gr_inline_cards gr_run_anim Style replaceWithoutSep" data-gr-id="1532" id="1532">Nothing</g> has corrected the issue. 

Has anyone seen this error or have any suggestions?

I have 2 DC (DC1 and DC2, both 2012 R2). I used to have a 3rd DC (DC_TMP, 2k8 R2).

DC_TMP has been decommissioned, and any and all references to the server have been removed (ADUC, ADSI, ADSS, DFS management, ntdsutil knows nothing about that server either.

From ALL I can see, that server does not exist anywhere.

Yet, DFSR is failing miserably claiming that it cannot communicate with DC_TMP....obviously!

Event 5008: 

Event 4612:

The DFS Replication service initialized SYSVOL at local path C:\Windows\SYSVOL\domain and is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner DC_TMP.contoso.com. 

I went through all the articles I could find,, including and not limited to this one https://social.technet.microsoft.com/Forums/windowsserver/en-US/fa802a02-6f8f-4768-9f29-04d62986d305/dfsr-fails-with-partner-that-no-longer-exists?forum=winserverDS, performed an authoritative replication, all outputs saying it was successful yet nothing has been synchronized.

I see 2 options from here:

1) I somehow change the entry in some configuration file somewhere from DC_TMP to DC1

2) Delete the replication and recreate it (DFS management is currently listing DC1 and DC2 as it should be)

I'm at a complete loss at this point.

Thanks.

Hello

I have a Hyper-V VM which is an AD Domain Controller

I need to enter DS Restore Mode

I cannot logon to the server console as have forgotten the password

therefore I boot the VM from the Windows Server 2012 R2 installation CD and go into the repair options, and to the command console where I can run commands such as

bcdedit /set safeboot dsrepair

however when I do this I receive the following error

An error occurred while attempting to reference the specified entry. The system cannot find the file specified

I think this may be because although the OS is shown on C: because I booted from a CD image (windows ISO) the system boots to X: drive. Therefore I think bcdedit is confused as it booted from X: but the OS etc is on C:

Therefore I have been looking at a way to tell bcdedit to look at C: for all its files/information. I tried using the /Sysstore and also the /Store parameters but I keep getting symtax errors

Can anyone please tell me how to use bcdedit sucessfully to set a computer to AD restore mode, when you canot logon to the server console initally (e.g. you are booting from CD)

Thanks very much

Charlie

I'm trying to restrict logon access to our org's domain controllers using an Authentication Policy and/or an Authentication Policies with an Authentication Policy Silo.  I'm working with a single privileged account, a bastion host, a management server and the forest domain controllers.  The only account not in the target Active Directory forest is the bastion host.

I've tried the instructions in each of the following articles, with no results:

Authentication Policies and Authentication Silos – Restricting Domain Controller Access

Using Authentication Policies to Restrict Privileged User Account Logons

How To Configure Protected Accounts - Authentication Policies

I've tried the suggestions in this thread and the few others I've managed to find:https://social.technet.microsoft.com/Forums/windowsserver/en-US/751659d0-aae0-486e-ab6d-820e5384a855/authentication-policies-and-silos-not-working-properly?forum=winserverDS

I've even tried removing the non-domain joined bastion from the equation by replacing it with a domain-joined workstation with direct access to the management server. 

Regardless of what I do, I continue to see events in the AuthenticationPolicyFailures-DomainController logs on the domain controllers like the following:

Image may be NSFW.
Clik here to view.

Additionally, after poring over the existing documentation, I've searched for more detailed information on the different parts of the authentication policy and how authentication policies work and have turned up nothing.

Has anyone set up an Authentication Policy and/or Authentication Policy Silo that actually works?  Is there any detailed information out there on the different parts/attributes of an authentication policy?

Hi,

I have two domain controller in my network. Any of these domain controllers every 5 minutes encountered the following error:

Security policy cannot be propagated. Cannot access the template. Error code = 3

I ran the following command on all of the computers in order to sync their times with domain controllers.

net time \\(domain controller name) /set /y

And when I Stop the File Replication Services I got the following error:

Image may be NSFW.
Clik here to view.

Any help would be appreciated.

Thanks