
Can a USN rollback be fixed by using a FRS non-authoritative restore?

An associate was in the middle of retiring some old servers, and will soon be migrating to new ones. At the moment there is 1 domain, 2 sites (VPN), 1 DC at each site; replication failed between sites a couple of days ago due to USN rollback.

- SiteAServer5 Server 2016 (physical) (FSMO roles, GC)
- SiteBServer4 Server 2012r2 (physical) (GC)
- AD functional level is still 2003 (FRS).

Server5 (problem child) was in the process of being virtualized (not Hyper-V), and instead of doing an instant cut-over, a live clone was made of that server to a VM... while the old physical server was left running a week... then the VM was put into service, which of course was using an old USN and triggered a rollback on Server4. The Server5 VM was shut down and production went back to the physical box.

Server5 is in rollback, indicated by this reg key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Dsa Not Writable=4

In retrospect it's crystal clear a USN rollback happened, and the documented solutions are pretty drawn out (restore system state, or demote and clean up, etc.); not thrilled with those. No AD account adds/deletes were done during this process, so the AD on either server is usable, or either one could be abandoned.

My question is, could I run an FRS non-authoritative SYSVOL restore to force Server5 to come back to a functional state and let replication overwrite Server4's copy of AD? Clear the Dsa Not Writable key, run repadmin /syncall /AdeP

http://kpytko.pl/active-directory-domain-services/non-authoritative-sysvol-restore-frs/

Gone over this: https://support.microsoft.com/en-us/help/875495/how-to-detect-and-recover-from-a-usn-rollback-in-windows-server-2003-w

I feel this is a potential alternative, since this is now the mechanism adopted by the MS design of Hyper-V since server 2012 to prevent USN rollbacks in this exact scenario of VM cloning/snapshotting/restoring or P2V procedures:
https://blogs.technet.microsoft.com/reference_point/2012/12/10/usn-rollback-virtualized-dcs-and-improvements-on-windows-server-2012/ 
From that page: "5. The virtualized DC synchronizes the SYSVOL:

If using FRS, it stops the NTFRS service and sets the BURFLAGS registry value (D2). 
It then starts the NTFRS service, thus performing a non-authoritative restore of the SYSVOL."
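As an added check (not from the original post) for the state the poster describes, this PowerShell helper reads the USN-rollback indicators that KB 875495 names on a DC: the Dsa Not Writable value, Directory Service events 2095 and 2103, a paused Net Logon service, and the DISABLE_INBOUND_REPL/DISABLE_OUTBOUND_REPL DSA options. The function name and the 14-day event window are assumptions; run it elevated on the DC being checked.

```powershell
# Added example: collect the local USN-rollback indicators on one domain controller.
# Assumed helper name; the indicators themselves are the ones listed in KB 875495.
function Test-UsnRollbackIndicators {
    [CmdletBinding()]
    param(
        # Directory Service event IDs from KB 875495:
        #   2095 = local DC detected a partner using already-acknowledged USNs (rollback)
        #   2103 = database restored with an unsupported procedure, logons refused
        [int[]]$EventIds = @(2095, 2103),
        # assumed look-back window for the event query
        [int]$Days = 14
    )

    # 1. Registry quarantine flag: 4 means the DSA is in USN-rollback quarantine.
    #    Reading the key without -Name avoids an error when the value is absent.
    $ntds  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $props = Get-ItemProperty -Path $ntds -ErrorAction Stop
    $notWritable = $props.'Dsa Not Writable'   # $null when the value does not exist

    # 2. Rollback events in the Directory Service log within the window.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = $EventIds
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    # 3. Net Logon is paused by the DC itself when it detects a rollback.
    $netlogon = (Get-Service -Name Netlogon -ErrorAction SilentlyContinue).Status

    # 4. Inbound/outbound replication is disabled on a quarantined DC;
    #    repadmin /options prints the current DSA option flags.
    $replDisabled = $null
    if (Get-Command repadmin.exe -ErrorAction SilentlyContinue) {
        $opts = (& repadmin.exe /options 2>$null) -join ' '
        $replDisabled = [bool]($opts -match 'DISABLE_INBOUND_REPL|DISABLE_OUTBOUND_REPL')
    }

    [pscustomobject]@{
        Computer              = $env:COMPUTERNAME
        DsaNotWritable        = $notWritable
        InRollbackQuarantine  = ($notWritable -eq 4)
        RollbackEvents        = @($events).Count
        LatestRollbackEvent   = ($events | Select-Object -First 1).TimeCreated
        NetlogonStatus        = $netlogon
        NetlogonPaused        = ($netlogon -eq 'Paused')
        ReplicationDisabled   = $replDisabled
    }
}

# Usage on the DC itself; any True in the boolean columns means the DC must not
# be returned to service by clearing the key alone.
Test-UsnRollbackIndicators | Format-List
```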

Windows Server remote desktop connection

I need to stop Local devices and resources (drive access) for only one user in Remote Desktop Connection. I can enable/disable it for all users, but I don't know how to activate it for one user.

Active Directory migration from Windows 2008 to 2016

Hello Team,

Please help me. We have a DHCP server and Active Directory and we are facing an issue. We have configured the scope with the DNS IP of our domain controller. But when we connect a laptop to our network it gets an IP from the DHCP server; from the laptop we are able to resolve the domain controller, but when we perform a domain join we get a DNS resolution error. When we put the DNS IP in manually we are able to join the domain. That is why the customer wants to migrate the DC from 2008 to 2016 and wants this problem resolved.

LDAP bind issues

I have several Windows Servers that utilize LDAP. Some of them show up on the domain controllers as event ID 2889, but others do not. These servers are not on the domain. My question is, why are some of the servers not showing that event ID?

If our DC is down, users are not able to access file folders, network printers or other network resources

Hello Team ,

We have a DC server and an ADC server; the domain and forest functional level is 2000 Native. DC and ADC sync successfully. If our DC (which holds all FSMO roles) is down, users are not able to access file folders and network resources. When our DC is online again, users are able to access the file folders and network resources.

Who enabled or changed DNS scavenging configuration

Hi,

We have had DNS scavenging enabled for some time now and it has been working fine. Last week, someone changed the scavenging Refresh and No-refresh interval on a zone to 9 hours each and it ended up deleting some crucial records from DNS. Though auditing shows the records got deleted by scavenging, is there a way to check who messed with the scavenging settings?
We have DS Access auditing enabled, but there's no log related to this.

User not able to log in after password change

Hello Team,

We have a DC and an ADC; DC and ADC sync properly. After changing the password the user is not able to log in; the user is able to log in with the OLD password, or after resetting the password with the SAME password. DC and ADC sync successfully, but the user is not able to log in.

User can edit object on RODC server

I newly installed an RODC, then assigned it to UserA.

This RODC does not have DNS or GC enabled.

When I access the RODC as UserA, in ADUC I can change the DC to an RWDC; then UserA can modify "member of".

If ADUC connects to the RODC, any user is read-only.

I need to allow UserA access to the RODC only.

How can I disable changing the DC in ADUC for UserA, or disable the permission to modify "member of"?


Issue in GP

I am facing an issue in Group Policy.

I have five sites, and only on two sites is Group Policy successfully applied, while on three sites I am facing an issue.

Please see the screenshots of the affected sites below.

[screenshot: first affected site]

Site 02

[screenshot: Site 02]

Site 03

[screenshot: Site 03]

And the site in which policies are successfully applied.

[screenshot: site where policy applies]

The Following error occurred during the attempt to contact the Domain Controller. The target principal name is incorrect.

Delete bulk users from CSV

I want to delete users in bulk from a CSV file. Please provide me the script.

Active Directory remote site topologies

Hello ,

We are planning to rebuild our AD infrastructure. We have many remote sites in our country and others internationally.

Our main DC is a VM in VMware, and in the other sites we have GLB DCs; in each site there is one DC as global catalog.

We plan to reduce the number of DCs in the sites and to implement a new physical DC in our main office to replace the DC VM.

For you, what are the parameters I should base on to decide whether a site should have a DC or not?

For me it is the bandwidth and the number of resources in the site (users, printers, ...), but I don't have good statistics; for example, if the MPLS link is 30mb/s and I have 30 users in the site, I can tell there is no need for a DC ...

Regards 


DCPromo Demotion Failure - could not transfer the remaining data in directory partition

Hello,

I'm having trouble demoting a Windows 2008 R2 Server from our domain. When I try to run the DCPROMO process it fails with the error:

Active Directory Domain Services could not transfer the remaining data in directory partition DC=DomainDnsZones,DC=<domain>,DC=<domain>,DC=com to Active Directory Domain Controller <name of a DC>

I've troubleshot the issue to this one mentioned in the following article:

http://support.microsoft.com/kb/2694933

which in turn, leads to this one:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;949257

If I check the property of the CN=Infrastructure,DC=DomaiNDnsZones,DC=<domain>,DC=<domain>,DC=com in adsiedit then the fSMORoleOwner attribute does incorrectly refer to an old DC that was decommissioned a long time ago:

CN=NTDS Settings\0ADEL:95576719-0df5-4159-af0e-be380c6d0b43,CN=<name of old DC>\0ADEL:e60abc98-4ca9-4c52-ae50-b2c0cc2495c3,CN=Servers,CN=>name of site>,CN=Sites,CN=Configuration,DC=<domain>,DC=com

My issue is that if I try to either manually correct the fSMORoleOwner attribute or run the fixfsmo.vbs script, I get an error.

If I try to amend the property, adsiedit reports:

Operation failed. Error code 0x20ae. The role owner attribute could not be read. 000020AE: SvcErr: DSID-03152965, problem 5003 (WILL_NOT_PERFORM), data 0

If I try to run the fixfsmo.vbs script it says:

(20, 5) (null): Name translation: Could not find the name or insufficient right to see name.

I'm also confused about where to try to run this. The DC which will not demote is in our Child Domain. The parent domain does not have this issue and I demoted a DC in the parent domain without any problems on the same day.

If anyone can help with this problem I would be most grateful.

Azure AD Connect Multiple Forest - Resource Domain - Account Domain

Good Afternoon. 

Hope you're well. Wanted to ask a quick question in regards to filtering in Azure AD Connect. We have an account domain, which contains Active Directory accounts, and a resource domain, which contains Exchange mailboxes (linked). When setting up AD Connect we were able to add the two domains, and set the sync to identify users based on ObjectSID and MSExchangeMasterAccountSID.

Everything has appeared to work OK, however, currently if a mailbox exists in the resource domain, with the corresponding account having been moved to an OU that is not syncing, an account gets created in Azure for that object. Ideally we would want to say that if there is no link between accounts on the resource domain and account domain, please ignore. 

Any assistance would be appreciated. 

Shutting down/Reboot active directory child servers

Hi, just want to ask if it is safe to shut down/reboot all AD servers at the same time in the production and DR environments? The root domain will be retained; all the child domains will be shut down. Or should at least 1 child DC be powered up?



Weird - RPC Port 135 being blocked

We are trying to troubleshoot an issue for a client environment that was set up by the previous IT company. We have been troubleshooting this issue for a week and have had a ticket with Microsoft open for six days with no resolution.  I could write a book about all the things we have tried over the last week.  

To boil it down, on our DC01 domain controller, port 135 is blocked somehow. Our DC02 can't communicate with DC01 and we can't bring up new domain controllers. If you run the PortQry tool on DC01, it can communicate on port 135 on 127.0.0.1, but it can't communicate if you use the network IP address 192.168.10.23. Obviously, none of the other servers on the network can communicate with DC01 on port 135. Same results using telnet. It can telnet to itself on 127.0.0.1, but not to itself on 192.168.10.23.

It must be something super obscure.  We have tried all of the normal reasons you see on Google and we have been working with Microsoft Support for six days.  I am just hoping that someone has seen this before.

How to migrate AD LDS (ADAM) from 2008 R2 to 2006

Hi,

I am trying to migrate AD LDS from a 2008 R2 server to a 2016 server. When I tried to install AD LDS on the 2016 server from the 2008 R2 server I received the error below:

Active Directory Lightweight Directory Services could not enable the optional features that are enabled on the remote AD LDS instance.
Error code: 0x800720ee
The directory service encountered an internal failure.

Does somebody know what the issue could be? Are there any guidelines for a 2008 to 2016 migration of AD LDS?

Thanks, Venky



Hidden Domain Controllers still showing up in nltest and Get-ADDomainController (confused or misguided?)

Hi,

Getting ready to decommission our legacy domain controllers. In order to assist in identifying any hard-coded applications I have set DnsAvoidRegisterRecords for the following service records:

Ldap
Gc
DcByGuid
Kdc
Dc
Rfc1510Kdc
GenericGc
Rfc1510UdpKdc
Rfc1510Kpwd
Rfc1510UdpKpwd
LdapAtSite
Pdc
GcAtSite
KdcAtSite
DcAtSite
Rfc1510KdcAtSite
GenericGc
GenericGcAtSite

I have waited about a week to let client caches expire, and when I run a Wireshark capture for LDAP or I run the DC data collector set I am still seeing workstations along with servers hitting the domain controllers. I also found that when I run nltest /dclist:domain.com it returns the domain controllers that are supposed to be "hidden". Same with Get-ADDomainController -ForceDiscover (which is equivalent).

I was under the assumption from my research that these would no longer be returned to the DC locator or DNS DC locator services, but I am still seeing them. This is skewing results, as I still see several (100) workstations hitting these domain controllers along with servers.

After applying the policy I restarted the Netlogon service and ensured that the records were de-registered. The servers were also rebooted about a week ago. I used PowerShell to find SRV records for one of the domain controllers and it came back with thousands?!?! We do have several hundred sites, so that does make some sense.

I am simply trying to see what could be hard-coded, but at this point, despite the effort, I don't understand why these domain controllers still seem discoverable. We have a single forest with 2 child domains, and these domain controllers are in one of the child domains.

Any help would be appreciated

Thanks


"I live and die by the command line" -JL 2010 ©

Phantom DNS records

I seem to be having a problem with my DNS; it might not be my only problem, but it is the one I am currently trying to tackle. Sometimes DNS works to connect to computers, sometimes it doesn't. I ran a DCDiag /test:dns and got the result below. It tells me that all my SRV records are missing. When I go into my DNS, all my records appear to be in place. DNS in the adapter settings does point to itself.

Other symptoms of my overall problem include:

  • Error when trying to connect a second DC server (Active Directory Domain Services could not replicate the directory partition CN=Schema,CN=Configuration,DC=faicorp,DC=local from the remote Active Directory Domain Controller DC1.)
  • Can only connect a computer to the domain while it is running DHCP (cannot be static.)

dcdiag /test:dns; ipconfig /all; netdom query dc; netdom query fsmo; are all below.

Any help or guidance would be vastly appreciated. I've been bashing my head against this for a while now.

Thanks.

>dcdiag /test:dns

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DC1
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DC1
      Starting test: Connectivity
         ......................... DC1 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DC1

      Starting test: DNS

         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... DC1 passed test DNS

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : faicorp

   Running enterprise tests on : faicorp.local
      Starting test: DNS
         Test results for domain controllers:

            DC: DC1
            Domain: faicorp.local


               TEST: Basic (Basc)
                  Warning: The A record for this DC was not found
                  No host records (A or AAAA) were found for this DC

               TEST: Dynamic update (Dyn)
                  Warning: Failed to add the test record dcdiag-test-record in zone faicorp.local

               TEST: Records registration (RReg)
                  Network Adapter [00000003] Microsoft Hyper-V Network Adapter:
                     Warning:
                     Missing A record at DNS server 172.16.156.11:
                     DC1

                     Warning:
                     Missing SRV record at DNS server 172.16.156.11:
                     _ldap._tcp.faicorp.local

                     Warning:
                     Missing SRV record at DNS server 172.16.156.11:
                     _ldap._tcp.eac4fbfb-f712-4e84-9da7-adfe7e839361.domains._msdcs.faicorp.local

                     Warning:
                     Missing SRV record at DNS server 172.16.156.11:
                     _kerberos._tcp.dc._msdcs.faicorp.local

                     Warning:
                     Missing SRV record at DNS server 172.16.156.11:
                     _ldap._tcp.dc._msdcs.faicorp.local

                     Warning:
                     Missing SRV record at DNS server 172.16.156.11:
                     _kerberos._tcp.faicorp.local

                     Warning:
                     Missing SRV record at DNS server 172.16.156.11:
                     _kerberos._udp.faicorp.local

                     Warning:
                     Missing SRV record at DNS server 172.16.156.11:
                     _kpasswd._tcp.faicorp.local

                     Warning:
                     Missing SRV record at DNS server 172.16.156.11:
                     _ldap._tcp.Default-First-Site-Name._sites.faicorp.local

                     Warning:
                     Missing SRV record at DNS server 172.16.156.11:
                     _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.faicorp.local

                     Warning:
                     Missing SRV record at DNS server 172.16.156.11:
                     _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.faicorp.local

                     Warning:
                     Missing SRV record at DNS server 172.16.156.11:
                     _kerberos._tcp.Default-First-Site-Name._sites.faicorp.local

                     Warning:
                     Missing SRV record at DNS server 172.16.156.11:
                     _ldap._tcp.gc._msdcs.faicorp.local

                     Warning:
                     Missing SRV record at DNS server 172.16.156.11:
                     _gc._tcp.Default-First-Site-Name._sites.faicorp.local

                     Warning:
                     Missing SRV record at DNS server 172.16.156.11:
                     _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.faicorp.local

                     Warning:
                     Missing SRV record at DNS server 172.16.156.11:
                     _ldap._tcp.pdc._msdcs.faicorp.local

                     Warning:
                     Missing A record at DNS server 172.16.156.11:
                     DC1

                     Warning:
                     Missing SRV record at DNS server 172.16.156.11:
                     _ldap._tcp.faicorp.local

                     Warning:
                     Missing SRV record at DNS server 172.16.156.11:
                     _ldap._tcp.eac4fbfb-f712-4e84-9da7-adfe7e839361.domains._msdcs.faicorp.local

                     Warning:
                     Missing SRV record at DNS server 172.16.156.11:
                     _kerberos._tcp.dc._msdcs.faicorp.local

                     Warning:
                     Missing SRV record at DNS server 172.16.156.11:
                     _ldap._tcp.dc._msdcs.faicorp.local

                     Warning:
                     Missing SRV record at DNS server 172.16.156.11:
                     _kerberos._tcp.faicorp.local

                     Warning:
                     Missing SRV record at DNS server 172.16.156.11:
                     _kerberos._udp.faicorp.local

                     Warning:
                     Missing SRV record at DNS server 172.16.156.11:
                     _kpasswd._tcp.faicorp.local

                     Warning:
                     Missing SRV record at DNS server 172.16.156.11:
                     _ldap._tcp.Default-First-Site-Name._sites.faicorp.local

                     Warning:
                     Missing SRV record at DNS server 172.16.156.11:
                     _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.faicorp.local

                     Warning:
                     Missing SRV record at DNS server 172.16.156.11:
                     _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.faicorp.local

                     Warning:
                     Missing SRV record at DNS server 172.16.156.11:
                     _kerberos._tcp.Default-First-Site-Name._sites.faicorp.local

                     Warning:
                     Missing SRV record at DNS server 172.16.156.11:
                     _ldap._tcp.gc._msdcs.faicorp.local

                     Warning:
                     Missing SRV record at DNS server 172.16.156.11:
                     _gc._tcp.Default-First-Site-Name._sites.faicorp.local

                     Warning:
                     Missing SRV record at DNS server 172.16.156.11:
                     _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.faicorp.local

                     Warning:
                     Missing SRV record at DNS server 172.16.156.11:
                     _ldap._tcp.pdc._msdcs.faicorp.local

               Error: Record registrations cannot be found for all the network adapters

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: faicorp.local
               DC1                          PASS FAIL PASS PASS WARN FAIL n/a

         ......................... faicorp.local failed test DNS

>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : DC1
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : faicorp.local

Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter #2
   Physical Address. . . . . . . . . : 00-15-5D-D1-79-19
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 172.16.156.11(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : 172.16.156.1
   DNS Servers . . . . . . . . . . . : 172.16.156.11
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{FF5222BD-3646-4E33-9D9E-41A6193D6B4D}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

>netdom query dc
List of domain controllers with accounts in the domain:

DC1
The command completed successfully.


C:\Users\administrator.FAICORP>netdom query fsmo
Schema master               DC1
Domain naming master        DC1
PDC                         DC1
RID pool manager            DC1
Infrastructure master       DC1
The command completed successfully.
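An added PowerShell helper, written for this page rather than taken from either post, that queries the same DC-locator SRV names dcdiag lists above and reports which exist on a given DNS server and which hosts they point at. It serves both the "Hidden Domain Controllers" post (a DC with DnsAvoidRegisterRecords applied should no longer appear as a target in these records, which is the only thing that setting controls) and the "Phantom DNS records" post (which locator records the server actually holds). The domain, site, DNS server and optional domain GUID are parameters; the sample call uses the values from the dcdiag output above.

```powershell
# Added example: enumerate the DC-locator SRV records for a domain on one DNS server
# and show which hosts each record advertises. Assumed helper name.
function Get-DcLocatorSrvStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Domain,      # e.g. faicorp.local
        [Parameter(Mandatory)][string]$DnsServer,   # DNS server to query directly
        [string]$Site = 'Default-First-Site-Name',  # site whose _sites records to include
        [string]$DomainGuid                         # optional: domains._msdcs GUID record
    )

    # The record names dcdiag /test:dns checks (the same ones its "Missing SRV record"
    # warnings list), with the domain and site substituted in.
    $names = @(
        "_ldap._tcp.$Domain",
        "_ldap._tcp.dc._msdcs.$Domain",
        "_ldap._tcp.pdc._msdcs.$Domain",
        "_ldap._tcp.gc._msdcs.$Domain",
        "_kerberos._tcp.$Domain",
        "_kerberos._udp.$Domain",
        "_kerberos._tcp.dc._msdcs.$Domain",
        "_kpasswd._tcp.$Domain",
        "_gc._tcp.$Site._sites.$Domain",
        "_ldap._tcp.$Site._sites.$Domain",
        "_ldap._tcp.$Site._sites.dc._msdcs.$Domain",
        "_ldap._tcp.$Site._sites.gc._msdcs.$Domain",
        "_kerberos._tcp.$Site._sites.$Domain",
        "_kerberos._tcp.$Site._sites.dc._msdcs.$Domain"
    )
    if ($DomainGuid) { $names += "_ldap._tcp.$DomainGuid.domains._msdcs.$Domain" }

    foreach ($name in $names) {
        # -DnsOnly bypasses the local cache/hosts file so the answer reflects the server;
        # NXDOMAIN surfaces as a suppressed non-terminating error and an empty result.
        $srv = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -DnsOnly `
                   -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }   # drop the additional A/AAAA records

        [pscustomobject]@{
            Record  = $name
            Present = [bool]$srv
            Targets = (@($srv) | Sort-Object Priority, NameTarget |
                       ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        }
    }
}

# "Phantom DNS records" post: which locator records the DC's own DNS server holds.
Get-DcLocatorSrvStatus -Domain 'faicorp.local' -DnsServer '172.16.156.11' `
    -DomainGuid 'eac4fbfb-f712-4e84-9da7-adfe7e839361' | Format-Table -AutoSize

# "Hidden Domain Controllers" post: a DC with DnsAvoidRegisterRecords applied should
# not appear in any Targets column. OLDDC01 is a placeholder host name.
Get-DcLocatorSrvStatus -Domain 'domain.com' -DnsServer 'dns.domain.com' |
    Where-Object { $_.Targets -match 'OLDDC01' }
```

A record that is Present but whose Targets omit the current DC matches the dcdiag "Missing SRV record" warning above: the name exists, but this DC has not registered itself in it.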


Domain join operation was not successful. Access denied!

Hello,

I am facing a weird problem while adding a server to our domain.

I get the following error message:

"The join operation was not successful. This could be because an existing computer account having the name xxxx was previously created using a different set of credentials. Use a different computer name or contact your administrator to remove any stale conflicting account. The error was: Access is denied."

Environment: Windows Server 2008 Ent 64 bit SP2.

Though I am not a Domain Admin, I do have Account Operator rights across the forest/domain.

I tried the following things, but in vain:

Disabled firewall and tried to join server to the domain, no luck.

Changed the host name of the server, rebooted and tried to join the machine to the domain; however, I still get the same error.

I could see a machine account created in AD with the host name specified by me (I am damn sure it wasn't there before), deleted the account from the domain and made sure that any DNS records existing in all our GCs were removed. When I repeated the procedure, the account got created in AD but I got the aforementioned error.

Later on, I pre-created a machine account in AD and gave my domain account rights to join it to the domain, and tried adding the machine to the domain; however, the issue still persists.

This server is a VM and it was deployed from a VM template. Initially I thought it could be due to SID duplication, so I ran sysprep on the problematic server and rebooted, but I still get the same error message.

Finally, I requested my domain admin to join this server to the domain; however, no luck at all, we are back at square one!

The only option I have is to rebuild the server but I don't wish to do that at present.

Any inputs on this issue would be really appreciated.

Thanks


Thanks, Santosh (MCTS W2K8 AD and SCCM) “ To Infinity and Beyond… ”