Hi,
Is there any way to check whether my DNS server is integrated with Active Directory? I hope all the DC servers running the DNS service are integrated with Active Directory. Is that correct or wrong?
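One way to answer this from PowerShell, as an added example that is not part of the original post. It assumes the ActiveDirectory and DnsServer RSAT modules are installed and that the caller can query each DC; the zone list is taken from every DC because the post expects all of them to run DNS.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory and
# DnsServer RSAT modules are present and the caller can query each DC.
Import-Module ActiveDirectory
Import-Module DnsServer

# Walk every DC rather than one server: a zone can be AD-integrated on one DC
# and still be a plain file-backed primary on another that was set up by hand.
$dcs = (Get-ADDomainController -Filter *).HostName

# IsDsIntegrated  : $true when the zone is stored in AD and replicated by AD
# ReplicationScope: Domain / Forest / Legacy / Custom partition
# DynamicUpdate   : "Secure" is only possible for AD-integrated zones
$report = foreach ($dc in $dcs) {
    Get-DnsServerZone -ComputerName $dc |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        Select-Object @{ n = 'DC'; e = { $dc } }, ZoneName, IsDsIntegrated,
                      ReplicationScope, DynamicUpdate
}

# Full view, one row per DC and zone
$report | Format-Table -AutoSize

# The rows you actually care about: file-backed zones. They cannot use secure-only
# dynamic updates and are only as consistent as the zone transfers you configured.
$report | Where-Object { -not $_.IsDsIntegrated }
```

If the second listing is empty on every DC, all primary zones are AD-integrated. A zone that shows IsDsIntegrated as false together with DynamicUpdate set to NonsecureAndSecure is the combination worth fixing first, since any host can then overwrite records in it.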
My domain has an SPN for domain\AppAccount for MSSQLSvc/MySqlServer.domain.com. AppAccount is running the SQL service on MySqlServer.
Assume unconstrained delegation has been working with this setup for years.
When I go into the Delegation tab of AppAccount to enable constrained delegation, click Add, then Users or Computers, and search for MySqlServer, it lists services for all sorts of things, like host and www and http, but not for MSSQLSvc.
Shouldn't there be an MSSQLSvc? Do I also have to register an SPN for the machine MySqlServer itself, even though the SQL service is running as AppAccount? Will those not conflict?
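The "Add Services" picker on the Delegation tab enumerates the SPNs registered on whichever object you select, so searching for the computer only shows the computer's own SPNs (HOST/ and the service classes mapped onto it). The script below, added here and not part of the original post, shows where the MSSQLSvc SPN actually lives and checks it is registered exactly once. It uses the names from the post (AppAccount, MySqlServer.domain.com) and assumes the ActiveDirectory module.

```powershell
# Added example (not from the original post). Uses the names from the post:
# service account AppAccount, host MySqlServer.domain.com.
Import-Module ActiveDirectory

$svcAccount = 'AppAccount'
$sqlHost    = 'MySqlServer'
$spn        = "MSSQLSvc/${sqlHost}.domain.com"

# SPNs on the service account. Because SQL runs as AppAccount, the service ticket
# for MSSQLSvc/... is encrypted with this account's key, so the SPN belongs here.
"--- SPNs on user $svcAccount"
(Get-ADUser -Identity $svcAccount -Properties servicePrincipalName).servicePrincipalName

# SPNs on the computer object. HOST/ stands in for http, www, rpc and others through
# the forest's sPNMappings, which is why the picker lists those for the machine.
"--- SPNs on computer $sqlHost"
(Get-ADComputer -Identity $sqlHost -Properties servicePrincipalName).servicePrincipalName

# The same SPN on two objects breaks Kerberos for that service (the KDC cannot pick
# a key), so confirm the MSSQLSvc SPN is held by exactly one object before changing
# delegation settings.
"--- Objects holding $spn*"
Get-ADObject -LDAPFilter "(servicePrincipalName=$spn*)" -Properties servicePrincipalName |
    Select-Object Name, ObjectClass, @{ n = 'SPNs'; e = { $_.servicePrincipalName -join '; ' } }
```

For a forest-wide duplicate check the built-in tool is `setspn -X -F`; the last query above does the same thing for one SPN prefix, including the port-qualified form MSSQLSvc/host:1433.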
Hello I'm sort of new to DFS replication.
I'd like to get our DFS jobs running again. One thing I'm worried about is replicating in the wrong direction and having our user community lose production files. I'm also seeing this error event in the logs.
Can you walk me through a safe process?
Log Name: DFS Replication
I have enabled the RD Web and console session in Active Directory and tried to reset a user password using the web session; however, I am getting the following error:
Your new password does not meet the length, complexity, or history requirements of your domain. Try choosing a different new password.
I made changes in the password policy and updated the group policy, but the issue still persists. When I tried to change the password after disabling the password policy (Not Defined state), the issue occurred again.
When we set "User must change password at next logon", we could change the password without any hurdles.
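The error text above is the generic password-restriction message; a user-initiated change also receives it when the minimum password age has not elapsed, which an administrative reset or a "must change at next logon" flag is not subject to. The script below, added here and not from the original post, shows the policy that actually applies to the account (a fine-grained policy overrides the Default Domain Policy, and GPO edits never change a PSO) and when the user is next allowed to change the password. It assumes the ActiveDirectory module and uses 'user1' as a placeholder account name.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module;
# 'user1' is a placeholder for the account you reset through RD Web.
Import-Module ActiveDirectory

$user = Get-ADUser -Identity 'user1' -Properties PasswordLastSet

# A fine-grained password policy (PSO) linked to the user or one of its groups wins
# over the Default Domain Policy, and editing the GPO does not touch a PSO.
$policy = Get-ADUserResultantPasswordPolicy -Identity $user
$source = 'Fine-grained policy (PSO)'
if ($null -eq $policy) {
    $policy = Get-ADDefaultDomainPasswordPolicy
    $source = 'Default Domain Policy'
}

[pscustomobject]@{
    Source               = $source
    MinPasswordLength    = $policy.MinPasswordLength
    ComplexityEnabled    = $policy.ComplexityEnabled
    PasswordHistoryCount = $policy.PasswordHistoryCount
    MinPasswordAge       = $policy.MinPasswordAge
    PasswordLastSet      = $user.PasswordLastSet
}

# A user-initiated change is refused (with the same "length, complexity, or history"
# text) until MinPasswordAge has elapsed since PasswordLastSet. PasswordLastSet is empty
# when "must change at next logon" is set, which is why that path works.
if ($user.PasswordLastSet -and $policy.MinPasswordAge -gt [TimeSpan]::Zero) {
    $allowedAfter = $user.PasswordLastSet + $policy.MinPasswordAge
    "User may change the password again after: $allowedAfter"
}
```

Run it as the account doing the reset, on a DC or a host with RSAT, right after a failed attempt; if MinPasswordAge is non-zero and PasswordLastSet is within that window, the policy is behaving as designed rather than being broken.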
When we execute the command to join our Linux Machine (comp1) to the Windows AD server from comp1, we get the following error ->
Failed to join Domain: Failed to set Machine SPN:Operations Error
Do you have sufficient permissions to create Machine account.
The user we are using to do the join is a Domain Admin account.
What can be a possible cause of this issue?
Can this be related to permissions that the user account has on the AD server?
What permissions are needed for the user account being used?
Any suggestions to solve this?
We have a Linux machine, comp1, which is connected to Microsoft Windows Active Directory, i.e. we have a machine account created on the AD server. Along with that, we have domain user accounts created on the AD server. Hence, when those users log in to comp1, they are authenticated using their AD accounts.
As per my limited knowledge, the machine (comp1) account secret/password keeps changing periodically, and this change is initiated by the client (comp1). Once the secret/password for the comp1 account is updated on the AD server, it is updated locally on comp1. For Linux, there is a process which handles this in the background.
In our customer's environment, I observed in the logs that the secret/password change was done on 11/21, after which we started seeing PreAuthentication failures.
My question is: is it possible that the secret/password change for the machine account which it initiated failed to get updated on the AD server, resulting in a mismatch? Is there any similar known issue for any Windows AD server versions, i.e. machine account password update fails?
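A check for the mismatch described above, added here and not part of the original post. The client changes its password against one DC; if it then pre-authenticates against a different DC before that change has replicated, the KDC still holds the old key and rejects the AS-REQ. Asking every DC for the computer object's PasswordLastSet shows whether they agree. It assumes the ActiveDirectory module and the hostname comp1 from the post.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# and the hostname comp1 from the post.
Import-Module ActiveDirectory

$computer = 'comp1'

# Query each DC directly (-Server) instead of whichever DC the module picks, so a
# change that replicated to only some DCs shows up as disagreement between rows.
$perDc = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $c = Get-ADComputer -Identity $computer -Server $dc -Properties PasswordLastSet, LastLogonDate, whenChanged
    [pscustomobject]@{
        DC              = $dc
        PasswordLastSet = $c.PasswordLastSet
        LastLogonDate   = $c.LastLogonDate   # from lastLogonTimestamp; replicates with up to 14 days lag
        WhenChanged     = $c.whenChanged
    }
}
$perDc | Format-Table -AutoSize

# Flag disagreement on the password timestamp
$distinct = @($perDc.PasswordLastSet | Sort-Object -Unique)
if ($distinct.Count -gt 1) {
    "DCs disagree on PasswordLastSet for $computer - replication of the last change is incomplete"
} else {
    "All DCs agree: password for $computer last set $($distinct[0])"
}
```

On the Linux side, Samba's `net ads testjoin` verifies that the locally stored secret still authenticates; a failure there with DCs agreeing on PasswordLastSet points at the local keytab or secrets store rather than at replication.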
My organization has purchased and installed device CALs over time as they were needed, for Windows Server 2012. Now there are multiple lists in the RD Licensing Manager with 10, 10, 5, and 10 licenses. It is hard to manage if we are looking for a particular device. How can we combine these into one list?
We are migrating the AD accounts of our organization from Windows Server 2003 to 2016, along with Outlook/Exchange email. After that we have to perform UAT, OAT, and load testing. Can anyone help us to collect the testing points, i.e. what should we test as part of UAT and OAT, and post a few bullet points about generic test cases for an AD migration? Thanks.
Trying to join a new server to an existing AD across the WAN and getting the error shown below.
The HQ has 2 DCs; the remote site has none.
The computer at the remote site has the DCs from the HQ as DNS. Windows Firewall is disabled on all servers and there is no restriction on the traffic in either direction.
After I click OK on the error and reboot, I can see the server from the remote location in AD; however, there is no DNS record created for it in DNS.
If I try to log in to the domain I just joined from the remote location, I get the error "The trust relationship between this computer and the primary domain failed".
The trust relationship between this workstation and the primary domain failed
The NetSetup log is shown below:
04/04/2019 18:05:24:505 lpDomain: ourdomain.local
04/04/2019 18:05:24:505 lpHostName: new-server
04/04/2019 18:05:24:505 lpMachineAccountOU: (NULL)
04/04/2019 18:05:24:505 lpDcName: domainatHQ.ourdomain.local
04/04/2019 18:05:24:505 lpMachinePassword: (null)
04/04/2019 18:05:24:505 lpAccount: domain\superuser
04/04/2019 18:05:24:505 lpPassword: (non-null)
04/04/2019 18:05:24:505 dwJoinOptions: 0x27
04/04/2019 18:05:24:505 dwOptions: 0x40000003
04/04/2019 18:05:24:520 NetpLdapBind: Verified minimum encryption strength on domainatHQ.ourdomain.local: 0x0
04/04/2019 18:05:24:520 NetpLdapGetLsaPrimaryDomain: reading domain data
04/04/2019 18:05:24:520 NetpGetNCData: Reading NC data
04/04/2019 18:05:24:536 NetpLdapGetLsaPrimaryDomain: result of retrieving domain data: 0x0
04/04/2019 18:05:24:536 NetpCheckForDomainSIDCollision: returning 0x0(0).
04/04/2019 18:05:45:567 NetpGetComputerObjectDn: Unable to bind to DS on '\\domainatHQ.ourdomain.local': 0x6ba
04/04/2019 18:05:45:567 NetpCreateComputerObjectInDs: NetpGetComputerObjectDn failed: 0x6ba
04/04/2019 18:05:45:567 NetpProvisionComputerAccount: LDAP creation failed: 0x6ba
04/04/2019 18:05:45:567 NetpProvisionComputerAccount: Retrying downlevel per options
04/04/2019 18:05:45:677 NetpProvisionComputerAccount: retry status of creating account: 0x0
04/04/2019 18:05:45:677 NetpDeleteMachineAccountKey: called for computer 'new-server'
04/04/2019 18:06:06:712 NetpGetComputerObjectDn: Unable to bind to DS on '\\domainatHQ.ourdomain.local': 0x6ba
04/04/2019 18:06:06:712 NetpDeleteMachineAccountKey: NetpGetComputerObjectDn failed for computer 'new-server'. Status: 1722
04/04/2019 18:06:06:712 NetpDeleteMachineAccountKey: returning Status: 1722
04/04/2019 18:06:06:712 NetpProvisionComputerAccount: Attempt at deleting machine auth key failed: 0x6ba.
04/04/2019 18:06:06:712 ldap_unbind status: 0x0
04/04/2019 18:06:06:712 NetpJoinCreatePackagePart: status:0x0.
04/04/2019 18:06:06:728 NetpJoinDomainOnDs: Setting netlogon cache.
04/04/2019 18:06:06:743 NetpJoinDomainOnDs: status of setting netlogon cache: 0x0
04/04/2019 18:06:06:743 NetpJoinDomainOnDs: Function exits with status of: 0x0
04/04/2019 18:06:06:743 NetpJoinDomainOnDs: status of disconnecting from '\\domainatHQ.ourdomain.local': 0x0
04/04/2019 18:06:06:759 NetpJoinDomain: DsrIsDeviceJoined returned false
04/04/2019 18:06:06:868 NetpJoinDomain: NetpCompleteOfflineDomainJoin SUCCESS: Requested a reboot :0x0
04/04/2019 18:06:06:868 NetpDoDomainJoin: status: 0x0
tting backup/restore privileges.
04/04/2019 18:06:06:712 NetpAddPartCollectionToRegistry.
04/04/2019 18:06:06:712 NetpProvGetTargetProductVersion: Target product version: 10.0.14393.0
04/04/2019 18:06:06:712 NetpAddPartCollectionToRegistry: delete OP state key status: 0x2.
04/04/2019 18:06:06:728 NetpConvertBlobToJoinState: Translating provisioning data to internal format
04/04/2019 18:06:06:728 NetpConvertBlobToJoinState: Selecting version 1
04/04/2019 18:06:06:728 NetpConvertBlobToJoinState: exiting: 0x0
04/04/2019 18:06:06:728 NetpJoin2RequestPackagePartInstall: Successfully persisted all fields
04/04/2019 18:06:06:728 NetpAddPartCollectionToRegistry: Successfully initiated provisioning package installation: 2/2 part(s) installed.
04/04/2019 18:06:06:728 NetpAddPartCollectionToRegistry: status: 0x0.
04/04/2019 18:06:06:728 NetpOpenRegistry: status: 0x0.
04/04/2019 18:06:06:728 NetpSetPrivileges: status: 0x0.
04/04/2019 18:06:06:728 NetpRequestProvisioningPackageInstall: status: 0x0.
04/04/2019 18:06:06:759 -----------------------------------------------------------------
04/04/2019 18:06:06:759 NetpProvContinueProvisioningPackageInstall:
04/04/2019 18:06:06:759 Context: 0
04/04/2019 18:06:06:759 NetpProvGetWindowsImageState: IMAGE_STATE_COMPLETE.
04/04/2019 18:06:06:759 NetpCreatePartListFromRegistry: status: 0x0.
04/04/2019 18:06:06:759 NetpCompleteOfflineDomainJoin
04/04/2019 18:06:06:759 fBootTimeCaller: FALSE
04/04/2019 18:06:06:759 fSetLocalGroups: TRUE
04/04/2019 18:06:06:759 NetpJoinDomainLocal: NetpHandleJoinedStateInfo returned: 0x0
04/04/2019 18:06:06:837 NetpJoinDomainLocal: NetpManageMachineSecret returned: 0x0.
04/04/2019 18:06:06:837 Calling NetpQueryService to get Netlogon service state.
04/04/2019 18:06:06:837 NetpJoinDomainLocal: NetpQueryService returned: 0x0.
04/04/2019 18:06:06:837 NetpJoinDomainLocal: status of setting LSA pri. domain: 0x0
04/04/2019 18:06:06:837 NetpManageLocalGroupsForJoin: Adding groups for new domain, removing groups from old domain, if any.
04/04/2019 18:06:06:853 NetpManageLocalGroupsForJoin: status of modifying groups related to domain 'DOMAIN' to local groups: 0x0
04/04/2019 18:06:06:853 NetpManageLocalGroupsForJoin: INFO: No old domain groups to process.
04/04/2019 18:06:06:853 NetpJoinDomainLocal: Status of managing local groups: 0x0
04/04/2019 18:06:06:853 NetpJoinDomainLocal: status of setting ComputerNamePhysicalDnsDomain to 'ourdomain.local': 0x0
04/04/2019 18:06:06:853 NetpJoinDomainLocal: Controlling services and setting service start type.
04/04/2019 18:06:06:853 NetpJoinDomainLocal: Updating W32TimeConfig
04/04/2019 18:06:06:868 NetpCompleteOfflineDomainJoin: status: 0x0
04/04/2019 18:06:06:868 NetpJoinProvider2OLContinuePackagePartInstall: ignoring Context=0 (work finished already).
04/04/2019 18:06:06:868 NetpProvContinueProvisioningPackageInstall: Provisioning package installation completed successfully.
04/04/2019 18:06:06:868 NetpProvContinueProvisioningPackageInstall: delete OP state key status: 0x0.
04/04/2019 18:06:06:868 NetpProvContinueProvisioningPackageInstall: status: 0xa99.
04/04/2019 18:06:20:688 -----------------------------------------------------------------
04/04/2019 18:06:20:688 NetpChangeMachineName: from 'new-server' to 'new-server' using 'domain\superuser' [0x1000]
04/04/2019 18:06:20:688 NetpChangeMachineName: using DnsHostnameToComputerNameEx
04/04/2019 18:06:20:688 NetpChangeMachineName: generated netbios name: 'new-server'
04/04/2019 18:06:20:688 NetpDsGetDcName: trying to find DC in domain 'ourdomain.local', flags: 0x1010
04/04/2019 18:06:20:688 NetpDsGetDcName: found DC '\\domainatHQ.ourdomain.local' in the specified domain
04/04/2019 18:06:20:688 NetpGetDnsHostName: Read NV Domain: ourdomain.local
04/04/2019 18:07:26:054 NetpGetComputerObjectDn: Unable to bind to DS on '\\domainatHQ.ourdomain.local': 0x6ba
04/04/2019 18:07:26:054 NetpSetDnsHostNameAndSpn: NetpGetComputerObjectDn failed: 0x6ba
04/04/2019 18:07:26:054 ldap_unbind status: 0x0
04/04/2019 18:07:26:054 NetpChangeMachineName: status of setting DnsHostName and SPN: 0x6ba
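The log shows the LDAP bind succeeding and then NetpGetComputerObjectDn failing with 0x6ba, which the log itself also prints as decimal 1722, RPC_S_SERVER_UNAVAILABLE. That call binds to the directory service over RPC, i.e. the endpoint mapper on 135 followed by a dynamic port (49152 to 65535 on Windows Server 2008 and later), so a WAN path that passes LDAP and SMB but not the dynamic range produces exactly this pattern: the account gets created by the downlevel retry, the later DS-bound steps (SPN, DnsHostName) fail, and the trust relationship error follows. The port check below is an added example, not from the original post, using the DC name from the log.

```powershell
# Added example (not from the original post). Uses the DC name from the NetSetup log.
$dc = 'domainatHQ.ourdomain.local'

# Fixed ports a domain join and first logon must reach on the DC.
$ports = [ordered]@{
    'Kerberos'            = 88
    'RPC endpoint mapper' = 135
    'LDAP'                = 389
    'SMB'                 = 445
    'Kerberos kpasswd'    = 464
    'Global Catalog LDAP' = 3268
}

$results = foreach ($entry in $ports.GetEnumerator()) {
    $t = Test-NetConnection -ComputerName $dc -Port $entry.Value -WarningAction SilentlyContinue
    [pscustomobject]@{
        Service = $entry.Key
        Port    = $entry.Value
        Open    = $t.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

# The dynamic RPC range has no fixed number to probe. Ask the endpoint mapper which
# port the directory service is registered on, then test that port from the remote
# site. PortQry is a separate Microsoft download, not built in:
#   portqry -n domainatHQ.ourdomain.local -e 135
```

Run it from the remote-site server, not from HQ; the fixed ports will usually all show Open in this scenario, and the PortQry step against 135 is what reveals whether the dynamic port the DC hands back is reachable across the WAN.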
Hi,
I have a Windows Server 2016 with the AD DS role installed, and I also have an additional DC running Windows Server 2008. I'm going to install a Windows Server 2016 as a second additional domain controller, but I got the error below:
The server that I want to promote to an additional domain controller has been joined to the domain and can ping the domain controller. Any help would be appreciated.
Thanks
Dear Sir,
I am Vimal Menon from Saudi Arabia. Right now our company division in Qatar is facing an issue. The issue is that one of the IT employees working in our Qatar division was terminated due to a cheating case, and right now he is not in Qatar anymore. But the thing is, right now he is misusing the company email and also his company email ID. We can't do anything, because all the access to Active Directory is with that guy, including username and password. Our company doesn't need that domain anymore. We need to cancel or destroy that domain, so that we can make a new domain and company email IDs. Can you please help me to solve this problem?
Most of my users upgraded to 1809 in the last week or two and now they are having issues with network resources. The symptom is that an Active Directory user (Scanner) can no longer access their shared folder (\\machinename\Scans), even though that user has full read/write permissions. When I sit at the client computer and bring up Properties for the folder, Security correctly shows the users with the correct permissions. If I try to add a user to the list, however, under Locations I am only shown the local computer, not the AD. My guess is that when the Scanner user attempts to connect to write a file, the client machine looks for them in the local user store instead of the AD store and fails when it can't find them. Am I looking in the right direction, or am I totally off base?
I ran into the issue presenting in a different way as well today. When I'm logged into the computer and do a software install, registry edits fail. This is because you need admin rights to write to the registry, and the user credentials are domain credentials. I now have a dozen or so machines with the issue, all upgraded to 1809.
Used windows\system32\utilman.exe and cmd.exe to reset the forgotten password successfully.
AD/DNS is broken as a result. Please help me with the steps to restore the functionality.
Hi All,
I am hoping someone is able to help.
We are undergoing a domain migration and I am looking for a command that will tell me how many accounts have been pre-staged with SIDHistory on the target domain through ADUC.
I have a command which uses a custom search in ADUC, SIDHistory:sidhistory=*, but this does not return any accounts. I know there should be at least a few hundred, but how many exactly we are not sure.
Any help would be greatly appreciated.
Regards.
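ADUC's custom search (Advanced tab) expects an LDAP filter in parenthesised form, (sIDHistory=*), which is the same filter the script below uses. The script is an added example, not part of the original post; it counts pre-staged objects of every class (groups and computers carry sIDHistory too, not just users) and groups the history SIDs by the source domain they came from, which is the part worth reviewing since sIDHistory grants whatever access ACLs still reference the old SID. It assumes the ActiveDirectory module, run against the target domain.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module,
# run against the target domain of the migration.
Import-Module ActiveDirectory

# Same filter ADUC's custom search wants, in LDAP syntax with parentheses.
$filter = '(sIDHistory=*)'

# Get-ADObject rather than Get-ADUser: pre-staged groups and computers have sIDHistory too.
$objects = @(Get-ADObject -LDAPFilter $filter -Properties sIDHistory, objectClass)

"Objects with sIDHistory: $($objects.Count)"
$objects | Group-Object objectClass | Select-Object Name, Count

# Break the history SIDs down by source domain (the domain-SID prefix of each entry).
# A source domain you do not recognise is an unexpected grant of access, because any
# ACL in the target domain that names that old SID now applies to the migrated object.
$bySource = foreach ($o in $objects) {
    foreach ($sid in $o.sIDHistory) {
        [pscustomobject]@{
            Object          = $o.Name
            Class           = $o.objectClass
            HistorySID      = $sid.Value
            SourceDomainSID = $sid.AccountDomainSid.Value
        }
    }
}
$bySource | Group-Object SourceDomainSID | Select-Object Name, Count
$bySource | Sort-Object SourceDomainSID, Object | Format-Table -AutoSize
```

Compare the SourceDomainSID values against the objectSid of the source domain (Get-ADDomain -Server <source-DC> reports it as DomainSID); once the migration is complete and ACLs have been re-stamped, the plan should include clearing sIDHistory rather than leaving it in place indefinitely.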
Hi Team,
I want an LDAP query to check whether a user's status is Enabled or Disabled.
Example: if User1 is enabled, then show USER1 - Enabled.
If User1 is disabled, then show USER1 - Disabled.
Please help me with this.
Regards
Kirti
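The disabled state is bit 0x2 (ACCOUNTDISABLE) of userAccountControl, and the LDAP bit-AND matching rule 1.2.840.113556.1.4.803 tests that bit on the server, so one filter serves ADUC custom search, ldifde, ldapsearch and PowerShell alike. The script below is an added example, not part of the original post; it produces the exact "USER1 - Enabled" format asked for, for a single account and for the whole domain, and assumes the ActiveDirectory module.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# userAccountControl bit 0x2 = ACCOUNTDISABLE. The matching-rule OID
# 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND) evaluates the bit server-side.
$disabledFilter = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))'
$enabledFilter  = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

function Get-UserStatusLine {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -LDAPFilter "(sAMAccountName=$SamAccountName)" -Properties userAccountControl
    if (-not $u) { return "$($SamAccountName.ToUpper()) - Not found" }
    $state = if ($u.userAccountControl -band 0x2) { 'Disabled' } else { 'Enabled' }
    "$($u.SamAccountName.ToUpper()) - $state"
}

# Single account, in the format the post asks for
Get-UserStatusLine -SamAccountName 'User1'

# Whole domain, same format
Get-ADUser -LDAPFilter $disabledFilter | ForEach-Object { "$($_.SamAccountName.ToUpper()) - Disabled" }
Get-ADUser -LDAPFilter $enabledFilter  | ForEach-Object { "$($_.SamAccountName.ToUpper()) - Enabled" }
```

The same filter works without PowerShell, for example `ldifde -f disabled.ldf -r "<disabled filter>" -l sAMAccountName,userAccountControl`; Get-ADUser's built-in Enabled property is derived from the same bit, so `(Get-ADUser User1).Enabled` is the short form once you are in PowerShell anyway.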
Hi
I am suddenly getting an "AD / SYSVOL version mismatch" error on a few group policies when running gpresult. I have checked all the GPO versions in AD and SYSVOL on all 3 DCs and they are correct; SYSVOL sync runs fine with no errors, so I just don't know what else to check.
Any idea?
Thanks
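gpresult compares the versionNumber on the groupPolicyContainer in AD with the Version= line in gpt.ini on the SYSVOL share of the DC the client happened to use, so the comparison has to be made per DC. The script below, an added example that is not part of the original post, reads both values from each DC individually and decodes them (high 16 bits are the user version, low 16 bits the computer version). It assumes the ActiveDirectory module and read access to every DC's SYSVOL share.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module and
# read access to every DC's SYSVOL share.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dcs    = (Get-ADDomainController -Filter *).HostName
$gpcs   = Get-ADObject -SearchBase "CN=Policies,CN=System,$($domain.DistinguishedName)" `
                       -LDAPFilter '(objectClass=groupPolicyContainer)' -Properties displayName

$rows = foreach ($dc in $dcs) {
    foreach ($gpc in $gpcs) {
        # AD side: versionNumber on the container, read from this DC's replica.
        $adVer = (Get-ADObject -Identity $gpc.DistinguishedName -Server $dc -Properties versionNumber).versionNumber

        # SYSVOL side: Version= in gpt.ini on this DC's share. Same encoding as AD:
        # high 16 bits = user version, low 16 bits = computer version.
        $ini = "\\$dc\SYSVOL\$($domain.DNSRoot)\Policies\$($gpc.Name)\gpt.ini"
        $sysvolVer = $null
        if (Test-Path -LiteralPath $ini) {
            $line = Get-Content -LiteralPath $ini | Where-Object { $_ -match '^Version=' } | Select-Object -First 1
            if ($line) { $sysvolVer = [int64]($line -replace '^Version=', '') }
        }
        $svUser = $null; $svComp = $null
        if ($null -ne $sysvolVer) { $svUser = $sysvolVer -shr 16; $svComp = $sysvolVer -band 0xFFFF }

        [pscustomobject]@{
            DC             = $dc
            GPO            = $gpc.displayName
            ADUser         = $adVer -shr 16
            ADComputer     = $adVer -band 0xFFFF
            SysvolUser     = $svUser
            SysvolComputer = $svComp
            GptIniFound    = ($null -ne $sysvolVer)
            Match          = ($null -ne $sysvolVer -and $adVer -eq $sysvolVer)
        }
    }
}

# Only the rows gpresult would complain about
$rows | Where-Object { -not $_.Match } | Format-Table -AutoSize
```

If every row matches but clients still report a mismatch, run gpresult with /scope and note which DC the client used (the "Group Policy was applied from" line); a client resolving a DC that is not in the list above, or a site without a local DC pulling from a stale one, is the next thing to look at.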
Is there documentation available on how we can set up:
on-premises certificate services with Azure Dedicated HSM? I am looking for step-by-step documentation.
I'm working on replacing some legacy Windows Server 2003 R2 and Windows Server 2008 DCs with some new Windows Server 2016 DCs. Prior to adding or removing the DCs, I'm working to confirm AD health with basic testing. repadmin /showrepl and repadmin /replsummary both run fine with no errors. Also, manual replication tests like simply changing AD user settings replicate fine across my single-domain setup consisting of multiple AD sites and subnets. However, when I run the specific dcdiag test for DNS, I'm getting inconsistencies in the results. If I run dcdiag /test:DNS /DNSALL /e /v on a newly installed Windows Server 2016 DC, all tests complete fine for Auth, Basc, Forw, Del, Dyn, RReg and Ext. But when I run this same test on a Windows Server 2003 R2 or 2008 DC, I get FAIL on Forw and WARN on Basc and RReg.
My question is: why does dcdiag return healthy results when running on Server 2016 DCs but failures and warnings on Windows 2003 and 2008 DCs for DNS? And are the Forw and RReg tests critical failures that will likely block the promotion of new DCs?
Here are the results of the tests:
Summary of DNS test results:
                             Auth  Basc  Forw  Del   Dyn   RReg  Ext
_________________________________________________________________
Domain: wellspring.local
   houdc01                   PASS  WARN  FAIL  PASS  PASS  WARN  PASS
   atldc1                    PASS  WARN  PASS  PASS  PASS  WARN  PASS
   atldc01                   PASS  WARN  PASS  PASS  PASS  WARN  PASS
   arldc02                   PASS  WARN  PASS  PASS  PASS  WARN  PASS
......................... wellspring.local failed test DNS
Summary of DNS test results:
                             Auth  Basc  Forw  Del   Dyn   RReg  Ext
_________________________________________________________________
Domain: wellspring.local
   houdc01                   PASS  PASS  PASS  PASS  PASS  PASS  PASS
   atldc1                    PASS  PASS  PASS  PASS  PASS  PASS  PASS
   atldc01                   PASS  PASS  PASS  PASS  PASS  PASS  PASS
   arldc02                   PASS  PASS  PASS  PASS  PASS  PASS  PASS
......................... wellspring.local passed test DNS
This is becoming an issue... I took this new post and there are tons of replication issues with AD, DNS etc., and I am told there were a few DCs and Exchange servers that were not gracefully removed, so lingering objects are there as the metadata has not been cleaned up.
We are a single domain/forest with about 8 DCs in remote sites ... and all the DCs have a mind of their own in terms of replication. Sometimes I have to force replication to get things moving across to other DCs.
I see the following on the server that hold all the roles. I want to start here.
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 4/5/2019 2:35:48 AM
Event ID: 1864
Task Category: Replication
Level: Error
Keywords: Classic
User: ANONYMOUS LOGON
Computer: fqdn of the DC
Description:
This is the replication status for the following directory partition on this directory server.
Directory partition:
DC=DomainDnsZones,DC=ourdomain,DC=local
This directory server has not recently received replication information from a number of directory servers. The count of directory servers is shown, divided into the following intervals.
More than 24 hours:
2
More than a week:
2
More than one month:
0
More than two months:
0
More than a tombstone lifetime:
0
Tombstone lifetime (days):
180
Directory servers that do not replicate in a timely manner may encounter errors. They may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled.
Running repadmin /replsum shows zero fails
Please assist.... thank you.
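repadmin /replsum only reports direct replication partners, whereas event 1864 counts every DC that ever wrote to the partition (the up-to-dateness vector), including DCs that were removed without demotion; that is why the two can disagree. The script below is an added example, not part of the original post: it parses repadmin's CSV output for the partition named in the event, lists the vector with latency, and cross-checks the DSA metadata in the configuration partition against DCs that actually exist. It assumes repadmin.exe (RSAT) and the ActiveDirectory module, with the partition DN taken from the event.

```powershell
# Added example (not from the original post). Assumes repadmin.exe (RSAT) and the
# ActiveDirectory module; the partition DN is the one from event 1864 in the post.
Import-Module ActiveDirectory

$partition = 'DC=DomainDnsZones,DC=ourdomain,DC=local'
$configDn  = (Get-ADRootDSE).configurationNamingContext

# 1. Direct partners for this partition, parsed from repadmin's CSV output.
$links = repadmin /showrepl * /csv | ConvertFrom-Csv
$links | Where-Object { $_.'Naming Context' -eq $partition } |
    Select-Object 'Destination DSA', 'Source DSA', 'Last Success Time',
                  'Number of Failures', 'Last Failure Status' |
    Sort-Object 'Last Success Time' | Format-Table -AutoSize

# 2. Up-to-dateness vector with latency. Entries older than the 24 h / 1 week buckets
#    in the event are the servers it is counting; entries for DCs that no longer
#    exist are the lingering-metadata candidates.
repadmin /showvector /latency $partition

# 3. DSA objects still present in the configuration partition versus live DCs
#    (single domain/forest per the post, so the domain's DC list is the full set).
$dsaServers = Get-ADObject -SearchBase "CN=Sites,$configDn" -LDAPFilter '(objectClass=nTDSDSA)' |
    ForEach-Object { ($_.DistinguishedName -split ',')[1] -replace '^CN=', '' }
$liveDcs = (Get-ADDomainController -Filter *).Name
$dsaServers | Where-Object { $_ -notin $liveDcs } |
    ForEach-Object { "Stale DSA metadata for server: $_" }

# 4. Lingering-object check in advisory mode (reports only, changes nothing).
#    Replace the placeholder with the objectGUID of a known-good reference DC's
#    NTDS Settings object:
# repadmin /removelingeringobjects <this-DC> <REFERENCE-DC-NTDS-GUID> $partition /advisory_mode
```

Work through the stale DSA entries from step 3 with metadata cleanup before forcing anything, and run the advisory-mode check against each partition the 1864 events name; only after the advisory report is clean is a real removelingeringobjects pass worth scheduling.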