Channel: Directory Services forum

Verification of Directory Paths Failed - Does Not Point To Physical Drive


Hello,

I have installed Windows Server 2012 R2 on a temporary server because we are retiring old servers and need a temporary domain controller. The server has an SSD installed. When installing AD DS on the server, I cannot complete the installation because an error appears: "Verification of directory paths failed. The path does not point to a valid hard disk." I know many companies run Windows Server on an SSD, but I do not have a hard disk drive installed on the server. I have even tried plugging in an external HDD and pointing to it to store the directory files, but it will not accept that. Any ideas on why the server is being so stubborn?

Thanks,

Connor


Domain replication issues


I need some help here. I was experiencing domain issues and found that a DC that had been migrated from one VM host to another had been corrupted in the process. I removed the DC from the domain and cleaned up the metadata. After this I ran the AD Replication Status tool and all seemed OK. Later that day I saw that I was getting "The target principal name is incorrect" against DC1 (which holds the FSMO roles). Note: I only have two DCs, DC1 (which holds the FSMO roles) and DC2. On DC1 I performed the following steps:

1. net stop kdc and set to disabled.

2. rebooted DC1.

3. After logging back in I ran the netdom resetpwd to reset the system account.

Now I am getting access denied errors (see dcdiag output). 

                                                   

Begin

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = DC2012BDC

   * Identified AD Forest. 
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\DC2012BDC

      Starting test: Connectivity

         ......................... DC2012BDC passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\DC2012BDC

      Starting test: Advertising

         ......................... DC2012BDC passed test Advertising

      Starting test: FrsEvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems. 
         ......................... DC2012BDC passed test FrsEvent

      Starting test: DFSREvent

         ......................... DC2012BDC passed test DFSREvent

      Starting test: SysVolCheck

         ......................... DC2012BDC passed test SysVolCheck

      Starting test: KccEvent

         ......................... DC2012BDC passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... DC2012BDC passed test

         KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... DC2012BDC passed test MachineAccount

      Starting test: NCSecDesc

         ......................... DC2012BDC passed test NCSecDesc

      Starting test: NetLogons

         ......................... DC2012BDC passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... DC2012BDC passed test ObjectsReplicated

      Starting test: Replications

         [Replications Check,DC2012BDC] A recent replication attempt

         failed:

            From DC2012PDC to DC2012BDC

            Naming Context: DC=ForestDnsZones,DC=DC2010,DC=com

            The replication generated an error (1256):

            The remote system is not available. For information about network troubleshooting, see Windows Help.

            

            The failure occurred at 2019-03-17 08:45:06.

            The last success occurred at 2019-03-17 07:45:06.

            1 failures have occurred since the last success.

         [Replications Check,DC2012BDC] A recent replication attempt

         failed:

            From DC2012PDC to DC2012BDC

            Naming Context: DC=DomainDnsZones,DC=DC2010,DC=com

            The replication generated an error (1256):

            The remote system is not available. For information about network troubleshooting, see Windows Help.

            

            The failure occurred at 2019-03-17 08:45:06.

            The last success occurred at 2019-03-17 07:45:06.

            1 failures have occurred since the last success.

         [Replications Check,DC2012BDC] A recent replication attempt

         failed:

            From DC2012PDC to DC2012BDC

            Naming Context: CN=Schema,CN=Configuration,DC=DC2010,DC=com

            The replication generated an error (-2146893022):

            The target principal name is incorrect.

            The failure occurred at 2019-03-17 08:45:06.

            The last success occurred at 2019-03-17 07:45:06.

            1 failures have occurred since the last success.

         [Replications Check,DC2012BDC] A recent replication attempt

         failed:

            From DC2012PDC to DC2012BDC

            Naming Context: CN=Configuration,DC=DC2010,DC=com

            The replication generated an error (-2146893022):

            The target principal name is incorrect.

            The failure occurred at 2019-03-17 08:45:06.

            The last success occurred at 2019-03-17 07:45:06.

            1 failures have occurred since the last success.

         [Replications Check,DC2012BDC] A recent replication attempt

         failed:

            From DC2012PDC to DC2012BDC

            Naming Context: DC=DC2010,DC=com

            The replication generated an error (-2146893022):

            The target principal name is incorrect.

            The failure occurred at 2019-03-17 08:45:06.

            The last success occurred at 2019-03-17 07:45:06.

            1 failures have occurred since the last success.

         ......................... DC2012BDC failed test Replications

      Starting test: RidManager

         ......................... DC2012BDC passed test RidManager

      Starting test: Services

         ......................... DC2012BDC passed test Services

      Starting test: SystemLog

         An error event occurred.  EventID: 0x40000004

            Time Generated: 03/17/2019   08:17:02

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC2012bdc$. The target name used was ldap/DC2012BDC.DC2010.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (DC2010.COM) is different from the client domain (DC2010.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An error event occurred.  EventID: 0x000003EE

            Time Generated: 03/17/2019   08:18:48

            Event String:

            The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

         An error event occurred.  EventID: 0x000003EE

            Time Generated: 03/17/2019   08:23:49

            Event String:

            The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

         An error event occurred.  EventID: 0x000003EE

            Time Generated: 03/17/2019   08:28:49

            Event String:

            The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

         An error event occurred.  EventID: 0x000003EE

            Time Generated: 03/17/2019   08:33:50

            Event String:

            The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

         An error event occurred.  EventID: 0x40000004

            Time Generated: 03/17/2019   08:36:48

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC2012pdc$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/b5566f4c-1272-46c8-ac5f-4a08ee572eac/DC2010.com@DC2010.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (DC2010.COM) is different from the client domain (DC2010.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An error event occurred.  EventID: 0x000003EE

            Time Generated: 03/17/2019   08:38:51

            Event String:

            The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

         An error event occurred.  EventID: 0x40000004

            Time Generated: 03/17/2019   08:43:29

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC2012pdc$. The target name used was cifs/DC2012PDC.DC2010.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (DC2010.COM) is different from the client domain (DC2010.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An error event occurred.  EventID: 0x000003EE

            Time Generated: 03/17/2019   08:43:52

            Event String:

            The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

         An error event occurred.  EventID: 0x000003EE

            Time Generated: 03/17/2019   08:48:53

            Event String:

            The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

         An error event occurred.  EventID: 0x40000004

            Time Generated: 03/17/2019   08:53:35

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC2012pdc$. The target name used was ldap/DC2012PDC.DC2010.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (DC2010.COM) is different from the client domain (DC2010.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An error event occurred.  EventID: 0x40000004

            Time Generated: 03/17/2019   08:53:53

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC2012bdc$. The target name used was LDAP/DC2012BDC.DC2010.com/DC2010.com@DC2010.COM. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (DC2010.COM) is different from the client domain (DC2010.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An error event occurred.  EventID: 0x000003EE

            Time Generated: 03/17/2019   08:53:54

            Event String:

            The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

         An error event occurred.  EventID: 0x40000004

            Time Generated: 03/17/2019   08:58:54

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC2012bdc$. The target name used was ldap/DC2012BDC.DC2010.com/DC2010.com@DC2010.COM. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (DC2010.COM) is different from the client domain (DC2010.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An error event occurred.  EventID: 0x000003EE

            Time Generated: 03/17/2019   08:58:55

            Event String:

            The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

         An error event occurred.  EventID: 0x000003EE

            Time Generated: 03/17/2019   09:03:55

            Event String:

            The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

         An error event occurred.  EventID: 0x40000004

            Time Generated: 03/17/2019   09:06:50

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC2012bdc$. The target name used was LDAP/DC2012BDC. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (DC2010.COM) is different from the client domain (DC2010.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An error event occurred.  EventID: 0x000003EE

            Time Generated: 03/17/2019   09:08:56

            Event String:

            The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

         An error event occurred.  EventID: 0x000003EE

            Time Generated: 03/17/2019   09:10:12

            Event String:

            The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

         An error event occurred.  EventID: 0x40000004

            Time Generated: 03/17/2019   09:13:53

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC2012bdc$. The target name used was cifs/DC2012BDC.DC2010.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (DC2010.COM) is different from the client domain (DC2010.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         ......................... DC2012BDC failed test SystemLog

      Starting test: VerifyReferences

         ......................... DC2012BDC passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : DC2010

      Starting test: CheckSDRefDom

         ......................... DC2010 passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DC2010 passed test CrossRefValidation

   
   Running enterprise tests on : DC2010.com

      Starting test: LocatorCheck

         ......................... DC2010.com passed test LocatorCheck

      Starting test: Intersite

         ......................... DC2010.com passed test Intersite

END

Please help, I am at my wits' end.
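As an added example (not part of the post above, and not a Microsoft tool): a Python pass over dcdiag text in the layout quoted above that reduces the replication failures to one line per naming context and groups the KRB_AP_ERR_MODIFIED events by the server account whose tickets could not be decrypted. Two details are worth having in front of you when reading such output: the negative error code is a signed 32-bit HRESULT, so -2146893022 is 0x80090322 (SEC_E_WRONG_PRINCIPAL, "the target principal name is incorrect"), and the event text itself names the two things to check, an SPN registered on a different account than the service runs as, or a service account password that differs from what the KDC holds. The SAMPLE_DCDIAG excerpt is constructed from the post's output and trimmed to the lines the parser reads.

```python
import re

# Constructed excerpt in the shape of the dcdiag output quoted in the post,
# trimmed to the lines the parser cares about.
SAMPLE_DCDIAG = """\
         [Replications Check,DC2012BDC] A recent replication attempt
         failed:
            From DC2012PDC to DC2012BDC
            Naming Context: DC=ForestDnsZones,DC=DC2010,DC=com
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.

            The failure occurred at 2019-03-17 08:45:06.
            The last success occurred at 2019-03-17 07:45:06.
            1 failures have occurred since the last success.
         [Replications Check,DC2012BDC] A recent replication attempt
         failed:
            From DC2012PDC to DC2012BDC
            Naming Context: CN=Configuration,DC=DC2010,DC=com
            The replication generated an error (-2146893022):
            The target principal name is incorrect.
            The failure occurred at 2019-03-17 08:45:06.
            The last success occurred at 2019-03-17 07:45:06.
            1 failures have occurred since the last success.
         An error event occurred.  EventID: 0x40000004
            Time Generated: 03/17/2019   08:17:02
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC2012bdc$. The target name used was ldap/DC2012BDC.DC2010.com. This indicates that the target server failed to decrypt the ticket provided by the client.
         An error event occurred.  EventID: 0x40000004
            Time Generated: 03/17/2019   08:43:29
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC2012pdc$. The target name used was cifs/DC2012PDC.DC2010.com. This indicates that the target server failed to decrypt the ticket provided by the client.
"""


def hresult(code):
    """dcdiag prints HRESULTs as signed 32-bit ints; show the usual hex form."""
    return f"0x{code & 0xFFFFFFFF:08X}"


# Well-known HRESULT seen in the post; anything else is shown as raw hex.
KNOWN_CODES = {0x80090322: "SEC_E_WRONG_PRINCIPAL"}


def parse_replication_failures(text):
    """Collect each 'From X to Y' block into a dict (source, dest, nc, code, message, ...)."""
    failures, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"From (\S+) to (\S+)", line)
        if m:
            cur = {"source": m.group(1), "dest": m.group(2)}
            failures.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("Naming Context: "):
            cur["nc"] = line[len("Naming Context: "):]
        elif (m := re.fullmatch(r"The replication generated an error \((-?\d+)\):", line)):
            cur["code"] = int(m.group(1))
        elif (m := re.fullmatch(r"The failure occurred at (.+)\.", line)):
            cur["failed_at"] = m.group(1)
        elif (m := re.fullmatch(r"The last success occurred at (.+)\.", line)):
            cur["last_success"] = m.group(1)
        elif (m := re.match(r"(\d+) failures? have occurred", line)):
            cur["count"] = int(m.group(1))
            cur = None  # block complete
        elif "code" in cur and "message" not in cur:
            cur["message"] = line  # the text line right after the error code
    return failures


KRB_RE = re.compile(
    r"KRB_AP_ERR_MODIFIED error from the server (\S+)\. "
    r"The target name used was (\S+)\. "
)


def parse_kerberos_modified(text):
    """Map each server account whose tickets failed to decrypt -> list of SPNs tried."""
    by_account = {}
    for account, spn in KRB_RE.findall(text):
        by_account.setdefault(account, []).append(spn)
    return by_account


def summarize(text):
    """One human-readable line per replication failure and per affected server account."""
    lines = []
    for f in parse_replication_failures(text):
        code = f["code"]
        label = (KNOWN_CODES.get(code & 0xFFFFFFFF, hresult(code)) if code < 0 else str(code))
        lines.append(f'{f["source"]} -> {f["dest"]}  {f["nc"]}: {label}: {f["message"]} '
                     f'({f["count"]} failure(s) since {f["last_success"]})')
    for account, spns in parse_kerberos_modified(text).items():
        lines.append(f"KRB_AP_ERR_MODIFIED from {account}: {', '.join(sorted(set(spns)))}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_DCDIAG)))
```

Run against a full dcdiag capture the same way; the grouping by server account is the quick way to see whether one DC's tickets fail everywhere (pointing at that account's secret) or only for a single SPN (pointing at SPN registration).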

Active Directory Users


We have two different AD DS domains in our company: the first for domain client user login (abc.com) and the second for the Exchange mail service (xyz.com). We currently have approximately 500 users in our company. We have created users in both domains for their specific purposes. Now we want to remove the first domain (abc.com) from our company permanently and use a single domain (xyz.com). We already have the Exchange mail users created in our second domain.

Now, can I use the same users created in xyz.com for mail services and for domain user login as well? Or do I need to create all the users for client login again?

If not, does it affect the mail service after using the same user for logging on to the client computer?

What about the groups for assigning security, since I have created only distribution groups for the mail services in the second domain (xyz.com)?

Can you please help me?

Thank You


Issue in GP


I am facing an issue with Group Policy.

I have five sites, and on only two of them is Group Policy applied successfully, while on the other three I am facing the issue.

Please see the screenshots of the affected sites below.

Site 02

Site 03

And the site in which policies are successfully applied.

Active Directory & DDoS


Hello everyone,

I installed Active Directory and everything was OK, but two weeks ago my server was attacked with a DDoS via UDP port 389. I searched for how I can force Active Directory to use 636 TCP/UDP, because the UDP protocol is not safe and does not check the destination, but I found this thread: How Can I change default port of active directory in windows 2008

So, does anyone have a solution for my issue?

THANKS

The trust relationship between this workstation and the primary domain failed - Domain controller


Hi All,

We are getting this error on one of the DCs: "The trust relationship between this workstation and the primary domain failed."

For the last few days we have been having an AD replication issue with that domain controller.

Is there any way to log in to that DC?

Will this situation impact any client in that site?

This site has only one domain controller and was supposed to replicate only with the PDC, which has not been happening for the past few days.

I suspect this will happen with client machines also.

Thanks,

AD Replication


Hi All,

I run an AD replication tool once a week as part of our maintenance process. There have not been any problems highlighted by this tool during replication; however, one of the servers seems to have an issue. The error we are getting in the File Replication log is "The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR"; however, as I say, when I run the AD replication tool it does not detect any issues.

The issue has now been rectified, but the question remains: why does the tool not pick up these kinds of issues, and why does the tool report that replication between this server and another AD server is OK?

Any information would be greatly appreciated.

Regards.

Can't authenticate to PC in another Domain


Hello all, I need some assistance with authentication.

I just recently established and validated a trust to another domain. For some reason my domain (ABC) users cannot authenticate to the XYZ domain. We get hit with "bad user name or password", BUT XYZ can authenticate to PCs at ABC!

Event Viewer shows success (event IDs 4672 and 4624), so I'm at a loss! Can someone please assist with what could be happening?


Trying to resolve AD errors on new domain controller


Getting a lot of 1311 KCC problems in Event Viewer on a 2008 R2 domain controller we recently put in place (planning to upgrade the whole AD to 2016, but the project is not yet approved).

It's happening about every 15 minutes for the following partitions:
CN=Configuration,DC=(company),DC=biz

DC=Alpha,DC=(company),DC=biz
(Alpha is a now-retired subdomain/child domain whose DC no longer exists)

DC=int,DC=(company),dc=biz
(Int is a similar case to Alpha, though its DC is still up and running)


And the output from the usual commands:
DCDIAG output:
https://drive.google.com/open?id=1-vl_3S8PUL3E0S_nh-Dt_urX5_NdYH2m

REPADMIN /REPLSUM output:
https://drive.google.com/open?id=10J06XVanNIKQ714tRr9yVojrT40KP2Fg


Can someone give me a hand with getting this sorted out? The "ORD4" site is going away as we migrate out of our colo datacenter, so I have to make sure the ORD1, AUS and AWS sites will all continue to replicate independently of ORD4.

Thank you!



ad / sysvol version mismatch although all AD and SYSVOL GP versions correct


Hi

I am suddenly getting an "ad / sysvol version mismatch" error on a few group policies when running gpresult. I have checked all the GPO versions in AD and SYSVOL on all 3 DCs and they are correct, and SYSVOL sync runs fine with no errors, so I just don't know what else to check.

Any idea? 

Thanks

Constant lockout


I have an account that keeps getting locked out from a web server, according to the domain controller, but I can't find what triggers the lockout on the web server. The user has cleared the cached credentials pointing to the IIS site.

An account failed to log on.

Subject:
    Security ID:        NETWORK SERVICE
    Account Name:        WEBSERVERNAME$
    Account Domain:        DOMAINNAME
    Logon ID:        0x3e4

Logon Type:            4

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:        *****ActualUsername***
    Account Domain:        DOMAINNAME

Failure Information:
    Failure Reason:        Unknown user name or bad password.
    Status:            0xc000006d
    Sub Status:        0xc000006a

Process Information:
    Caller Process ID:    0x328c
    Caller Process Name:    C:\Windows\SysWOW64\inetsrv\w3wp.exe

Network Information:
    Workstation Name:    WEBSERVERNAME
    Source Network Address:    -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:        Advapi  
    Authentication Package:    Negotiate
    Transited Services:    -
    Package Name (NTLM only):    -
    Key Length:        0

An account failed to log on.

Subject:
    Security ID:        NETWORK SERVICE
    Account Name:        WEBSERVERNAME$
    Account Domain:        domainname
    Logon ID:        0x3e4

Logon Type:            4

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:        Username
    Account Domain:        Domainname

Failure Information:
    Failure Reason:        Account locked out.
    Status:            0xc0000234
    Sub Status:        0x0

Process Information:
    Caller Process ID:    0x328c
    Caller Process Name:    C:\Windows\SysWOW64\inetsrv\w3wp.exe

Network Information:
    Workstation Name:    WEBSERVERNAME
    Source Network Address:    -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:        Advapi  
    Authentication Package:    Negotiate
    Transited Services:    -
    Package Name (NTLM only):    -
    Key Length:        0
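As an added example, not code from the post above: a small parser over 4625 event text in the layout quoted there, pulling out the fields a lockout investigation turns on. The status/sub-status pair is what to read: 0xC000006D is the generic logon-failure wrapper and the real reason sits in the sub status (0xC000006A, wrong password) until the threshold is crossed and the status itself becomes 0xC0000234 (locked out). The caller process and logon type say where the credential came from: w3wp.exe with logon type 4 (batch) means the IIS worker process supplied the credential programmatically, which points at something stored on the web server side (an application pool identity, a connection string, an application's own configuration) rather than at what the user typed or cached. The account name `svc_web_user` and the two events are constructed sample input with the post's field layout.

```python
# Constructed sample: two 4625 events in the layout quoted in the post, trimmed
# to the sections used below and with a placeholder account name so both
# events group together.
SAMPLE_4625 = r"""
An account failed to log on.

Subject:
    Security ID:        NETWORK SERVICE
    Account Name:        WEBSERVERNAME$
    Account Domain:        DOMAINNAME
    Logon ID:        0x3e4

Logon Type:            4

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:        svc_web_user
    Account Domain:        DOMAINNAME

Failure Information:
    Failure Reason:        Unknown user name or bad password.
    Status:            0xc000006d
    Sub Status:        0xc000006a

Process Information:
    Caller Process ID:    0x328c
    Caller Process Name:    C:\Windows\SysWOW64\inetsrv\w3wp.exe

An account failed to log on.

Subject:
    Security ID:        NETWORK SERVICE
    Account Name:        WEBSERVERNAME$
    Account Domain:        DOMAINNAME
    Logon ID:        0x3e4

Logon Type:            4

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:        svc_web_user
    Account Domain:        DOMAINNAME

Failure Information:
    Failure Reason:        Account locked out.
    Status:            0xc0000234
    Sub Status:        0x0

Process Information:
    Caller Process ID:    0x328c
    Caller Process Name:    C:\Windows\SysWOW64\inetsrv\w3wp.exe
"""

# NTSTATUS values that show up in 4625 Status / Sub Status fields.
NT_STATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000193: "STATUS_ACCOUNT_EXPIRED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
LOGON_TYPES = {"2": "Interactive", "3": "Network", "4": "Batch", "5": "Service",
               "7": "Unlock", "8": "NetworkCleartext", "9": "NewCredentials",
               "10": "RemoteInteractive", "11": "CachedInteractive"}


def parse_4625(text):
    """Split the text into events; keys are 'Section/Field' (or 'Field' at top level)."""
    events = []
    for chunk in text.split("An account failed to log on.")[1:]:
        section, fields = "", {}
        for raw in chunk.splitlines():
            if not raw.strip():
                continue
            if not raw[0].isspace():      # unindented line: back to top level
                section = ""
            line = raw.strip()
            if line.endswith(":"):        # section header such as 'Subject:'
                section = line[:-1]
                continue
            key, _, value = line.partition(":")
            name = f"{section}/{key.strip()}" if section else key.strip()
            fields[name] = value.strip()
        events.append(fields)
    return events


def failure_reason(event):
    """Resolve the NTSTATUS that actually explains the failure."""
    status = int(event.get("Failure Information/Status", "0"), 16)
    sub = int(event.get("Failure Information/Sub Status", "0"), 16)
    # 0xC000006D is the generic wrapper; the informative code is the sub status.
    code = sub if status == 0xC000006D and sub else status
    return NT_STATUS.get(code, f"0x{code:08X}")


def triage(events):
    """Per target account: who supplied the credential, how, and the reason sequence."""
    summary = {}
    for e in events:
        acct = e.get("Account For Which Logon Failed/Account Name", "?")
        entry = summary.setdefault(acct, {
            "caller": e.get("Process Information/Caller Process Name"),
            "logon_type": LOGON_TYPES.get(e.get("Logon Type", ""), e.get("Logon Type")),
            "reasons": [],
        })
        entry["reasons"].append(failure_reason(e))
    return summary


if __name__ == "__main__":
    for acct, info in triage(parse_4625(SAMPLE_4625)).items():
        print(acct, info)
```

Fed the full 4625 history from the web server, the reason sequence per account shows how many wrong-password attempts preceded each lockout and whether more than one caller process is involved.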

Groups from another domains in same forest are not shown in users' "MemberOf" property


Hello to all, I'm analysing an AD forest and found a strange behaviour: when I check a user's "MemberOf" property it does not show the groups that he is a member of in other domains (universal or global), but when I access a group in another domain it correctly shows the user as a member.

Here is some context info from the AD environment:

1- Multidomain forest, with:

1.1- 1 root domain.

1.2- 6 child domains. All bidirectional trusts are in place between the root and all 6 children. All forest DCs are Global Catalogs.

I found the article http://technet.microsoft.com/en-us/library/cc759007(v=ws.10).aspx , which says: "Special security consideration should be given when specifying permissions on domain data that is also replicated to the global catalog. When a user connects to a global catalog, an impersonation token is created for the user, which is used in subsequent access control decisions on the global catalog. The user's universal, global and domain local group memberships are represented in this token. However, only domain local groups from the domain that the domain controller hosting the global catalog (to which the user has connected) belongs to and of which the user is a member show up in the user's token. Domain local groups in the user's domain (and in other domains) of which the user is a member do not show up in the access token."

I connected to a DC in the user's domain using Terminal Services to check his group membership (not mine) and used a domain admin credential of his domain (which is the root domain). Even this way the result is the same (so it's not permissions).

Questions:

1- What does the previous text from TechNet, "connects to a global catalog", mean (accessing the GC by ADUC, Terminal Services, etc.)?

2- As I need to run queries to extract users' group membership and migrate them using ADMT to a target forest, how can this be accomplished if users' membership of groups in other domains cannot be shown (remember that when you access groups in other domains, the user is shown as a member)?

Thanks in advance, EEOC.

LDIFDE Computer Object Export


Hello.

I'm trying to use LDIFDE to export a single computer account to an *.LDF file, then trying to import that computer account after it's been deleted. At this point it's more academic, but it could morph into something else down the road.

------------

The export command I'm using is:
ldifde -d "OU=Test,DC=Domain,DC=Local" -p subtree -o "uSNCreated,uSNChanged,objectguid,whencreated,whenchanged,objectSid,dSCorePropagationData,accountExpires,pwdLastSet" -j c:\temp -f test9.ldf

-------------

The export always seems to work just fine, but importing is where I'm getting stuck. Here's my import command:
ldifde -i -k -j c:\temp -f test9.ldf

When I run the above command, I get the following error:

-------------------------

PS C:\> ldifde -i -k -j c:\temp -f c:\temp\test9.ldf
Connecting to "DC01.domain.local"
Logging in as current user using SSPI
Importing directory from file "c:\temp\test9.ldf"
Loading entries.
Add error on entry starting on line 1: Unwilling To Perform
The server side error is: 0x209a Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager (SAM).
The extended server error is:
0000209A: SvcErr: DSID-031A101A, problem 5003 (WILL_NOT_PERFORM), data 0

0 entries modified successfully.
An error has occurred in the program

----------------------------

So, I'm confused on what AD thinks is happening and what attribute the SAM owns and won't let go of. Do I need to run the import in DSRM mode?


::- T.I.A. -::

Child Domain DCs not Replicating (inbound + outbound replication disabled)


Question: 
Can a child DC be forcefully removed from the forest domain manually while maintaining authentication services for the child domain?

I have a forest domain, x.com which is hosting (3) child domains, a.x.com, b.x.com, and c.x.com. The c.x.com DC specified in sites and services has not replicated with the primary forest DC in 5 years and is not reachable. However, the DC is still being used to authenticate users for the c.x.com domain on an isolated network. The unreachable DC is causing new DCs for the forest domain to fail promotion of a global catalog server due to the communication issue with unreachable DC.

Can the record for the unreachable DC be removed from sites and services without impacting authentication attempts by the users on the c.x.com domain?

Error Message while renaming the AD domain "Failed to delete rename script on the DN"


Hi,

I am trying to do the domain renaming. I am not able to finalize the domain renaming. When I executed rendom /end I got this error message:

Failed to delete rename script on the DN: CN=Partitions,CN=Configuration,DC=WINNT,DC=com on host winnttest.WINNT.
00002077: SvcErr: DSID-030F0B0E, problem 5003 (WILL_NOT_PERFORM), data 0
: Cannot complete this function. :1003

I have cross-verified the steps and I can see the entries in my DNS. Any thoughts on this?

 

Thanks and regards

Apu Pavithran

 


Server with DirSync Crashed after a power failure


Good morning,

Current setting

Server1 with AD DS

Server2 with DirSync

After a power failure the disk array of Server2 failed. This server does not have a backup, so it will be eliminated. Can I use Server1 to install DirSync or AD Connect to restore sync between AD and O365? What would be the procedure?

Replication is blocked due to lingering object


Hi,

I have a lingering object issue in one of our domains. There is no replication between domain controllers.

Any idea, please?

Non-Transitive trusts


Can I setup a non-transitive trust between root domains within the same forest?

I have 5 domains within a forest. They are not child domains. All root domains.

I want to create a two way trust between:

Domain A and Domain B
Domain A and Domain C
Domain A and Domain D
Domain A and Domain E

I don't want Domains B, C, D or E to have any trusts between them though.

Is that possible?

 

Can you allow MMC/ADUC Snap-in for a Domain User on a Domain Controller


There are a lot of articles on this and I got it all to work using 2 servers.  

I loaded RSAT (just the "AD DS and AD LDS Tools", i.e. MMC) on a standalone Server 2008 R2 with a user login (call it pwdhelpdesk / group "Users"). I created the same user (pwdhelpdesk / group "Domain Users") on the DC and went through all the "Delegate Control" stuff using this article: http://social.technet.microsoft.com/Forums/en-US/winserverManagement/thread/3f0dbf8e-636b-45fe-93db-f788d5b976fd/

I then tied the 2 servers together using this article http://technet.microsoft.com/en-us/library/dd759202.aspx

Back on the standalone server, log in as "pwdhelpdesk" -> start MMC -> load the ADUC snap-in -> select "Connect to Domain..." = the current source user "pwdhelpdesk" goes over to the DC as remote user "pwdhelpdesk" with "Delegated Control" for only password reset / unlock account. - PERFECT

NOW TO SET UP MY QUESTION: However, when "pwdhelpdesk" logs directly onto the DC and attempts to run MMC or ADUC, the User Access Controls deny the ability. Some articles say make "pwdhelpdesk" a member of Backup Operators or Server Operators, or even disable UAC. None of these seem any good at all.

THE QUESTION: Can a non-admin (Domain User) be configured precisely / surgically to execute MMC or ADUC on a DC?  Please don't say it is not recommended for users to log in to a DC.  I just want to know if it is possible - so I can be thorough in my "help desk reset password / unlock account" architectural report to management.

BTW: I prefer the 2 server method - The standalone can run TS and multiple user CAL Licenses and act as a sort of Jump Host.

Thank you.

How much RAM does each 'secure channel connection' to a Windows Server (Domain Controller) require


Hello :)

I am trying to obtain a more accurate way of working out the RAM for a domain controller. I know RAM is relatively cheap and I could therefore just add more RAM and not think about it too much. However, I do want to understand certain aspects of the OS to determine the RAM in a more granular fashion.

Question

If I have two sites, where one site has a domain controller with say 300 users connecting to the domain controller (Server 2019), and another site where 6000 users are connecting to the domain controller, it would seem logical on the surface that the latter server may require more RAM.

For example, does each connection to the domain controller by a client (secure channel so the client can download group policies etc.) require a small amount of RAM? (Possibly LSASS.exe requires some extra RAM for each incoming connection it has to deal with/maintain?)

Also, once a user has connected to a domain controller, authenticated (TGT, TGS) and downloaded their computer/user group policies from the DC, does the client connection remain open? e.g. is the TCP/secure pipe connection still active and therefore may require memory to maintain the connection (as asked above), or is the connection torn down and re-established when the client needs to go back to the DC for another TGS or to renew the TGT, for example?

Is there perhaps a performance counter in Windows that shows the amount of RAM taken up by each connection to the server?

Any help and advice most welcome.

CXMelga
