Hi, 

Due to a recent ransomware attack, my ADDS domain server has been compromised recently. So I am recreating a new ADDS server with domain controller and DNS role. On the new server, the domain/forest/netbios name all are same as the old one. Then I created the user with exactly same full name and same password assigned. 

Now, when I try to login to the domain user on another computer, it creates a new user profile instead of going to the existing profile. Example is the previous user profile was like manjurul.NPOLY, but instead of going to the existing profile on the existing desktop machine (I had to rejoin on the new domain by leaving out of domain to workgroup then again joining the new domain, because it was giving a trust relationship failure issue). So a profile was created named manjurul.NPOLY.000 with completely new desktop, new browser profile everything new. 

So what i did was, I used the tool ForensiT ProfWiz tool to merge both the old and new profile, then I get back to the required old profile on Windows 10 desktop. there were no data loss, however I had to sign in again on all the services and all the website on Edge/Chrome sites like gmail, facebook, etc. 

For one to few machine it looks okay, ProfWiz does the tricks, however I have several 100 of machines which I need to bring to new domain server, and recreating or merging profile on each of them looks a tedious tasks. Is there any option to migrate automatically or any option so that a new profile does not get created instead goes directly to the old existing profile? 

Note that, the server is a Windows Server 2008 R2, all users are using Windows 10 pro, and no roaming profile is configured. 

Regards, 

Abdullah

Hi all,

Can anybody tell me what is exact replication time frame when we talk aboutAuthoritative or Non-Authoritative Restore of Active Directory? The key issue here is exact time: "not yet replicated" vs "already replicated" thing. I saw these docs:

Performing an Authoritative Restore of Active Directory Objects

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc779573(v%3dws.10)

Performing a Nonauthoritative Restore of a Domain Controller

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc784922(v=ws.10)

How can I know if it has already replicated if I know the deleted objects have been there for 1h? 2h? 1/2 hour? What's thedefault replication interval?

Can somebody briefly elaborate on  "not yet replicated" vs "already replicated" thing when we talk AD restoration of deleted objects? 

Thanks

Hello,

I have an application which is designed to use directory services for authentication and its network is not controlled by our organization..

I would like to know if I can deploy an ad lds instance which contains only a small part of user accounts allows to use this application and should be synced periodically with the actual active directory database,

I would like to know if it is possible and if there is any online manuals for that,

Thank you

Hi

I am suddenly getting "ad / sysvol version mismatch" error on few group policies when doing gpresult. I have checked all the GPOs versions in AD and SYSVOL on all 3 DCs and they are correct, Sysvol sync runs fine with no errors, so I just dont know what else to check.

Any idea? 

Thanks

Hi all;

If I enforce replicating Active Directory changes by using Sites and Services console (like the figure below), does it include replicating SYSVOL folder contents (if it depends on DFS-R)?

Thanks

Please VOTE as HELPFUL if the post helps you and remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Dear All, 

We did migrate our domain controller from 2012 r2 to 2016, and we did migrate from FRS to DFSR, all sys folders "policies ans scripts"are replicated fine but there is an warning message in event viewer:

5014 (  The DFS Replication service is stopping communication with partner DC3 replication group Domain System Volume due to an error. The service will retry the connection periodically) , Additional Information: Error: 9033 (The request was cancelled by a shutdown) , Additional Information: Error: 9036 (Paused for backup or restore) . 

Our DCs design:

Site1: DC1 - DC2

Site2: DC3 - DC4

DC1 having the warning id 5014, DC3 doesn't have it. I did run health check from DFS management and there is no error. I did backup AD manually "NTDSUTIL", I did check sysvol folder for all policies and scripts and they are updated and i even created a .txt file inside policies folder and replicated with the other DC "from DC1 to DC3". We are not running any backup at this time. Currently DFS management contains all DCs with their sysvol folders only, no other shared folder are created yet. I found the following link to disable TCP off loading but i didn't find that key and im not sure if i have to create a new key:

https://social.technet.microsoft.com/Forums/ie/en-US/01dc55f1-ff54-4c25-aca4-6122f0f654c5/dfs-event-id-5014?forum=winserverDS

Any advice.

Thank you

This is becoming an issue ... I took this new post and there are tons of replication issue with AD, DNS etc and I am told there were few DCs and exchange servers that were not gracefully removed so lingering objs are there as the metadata is not cleaned up etc.

 We are a single domain/forest with about 8 DCs in remote sites a ... and all the DCs got a mind of their own in terms of replication.  Sometimes I have to force replication to get things moving across to other DCs

I see the following on the server that hold all the roles.   I want to start here. 

Log Name:      Directory Service

Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          4/5/2019 2:35:48 AM
Event ID:      1864
Task Category: Replication
Level:         Error
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:     fqdn of the DC
Description:
This is the replication status for the following directory partition on this directory server. 

Directory partition:
DC=DomainDnsZones,DC=ourdomain,DC=local 

This directory server has not recently received replication information from a number of directory servers.  The count of directory servers is shown, divided into the following intervals. 

More than 24 hours:
2 
More than a week:
2 
More than one month:
0 
More than two months:
0 
More than a tombstone lifetime:
0 
Tombstone lifetime (days):
180 

Directory servers that do not replicate in a timely manner may encounter errors. They may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled. 

Running repadmin /replsum shows zero fails

Please assist.... thank you.

Hi Team,

My ad replications health checkup is failing .kindly help .

eRROR DETAILS:

C:\Windows\system32>repadmin /replicate DC1  DC2a DC=ForestDnsZones,DC=abc,DC=com
DsReplicaSync() failed with status 1722 (0x6ba):
    The RPC server is unavailable.

2. C:\Windows\system32>repadmin /showrepl * /csv > c:\replsd.csv

LDAP error 81 (Server Down) Win32 Err 58.
LDAP error 81 (Server Down) Win32 Err 58.
LDAP error 81 (Server Down) Win32 Err 58.

DC1DC=DomainDnsZones,DC=abc,DC=comsitesdc2aRPC14 4/8/2019 11:22 4/8/2019 7:521256

3. C:\Windows\system32>repadmin /replsum

DC1 03h:58m:59s 5/40 12 1722 The RPC server is unavailable.

DC2a 03h:58m:56s 5/10   50 1722 The RPC server is unailable.

My observations:

1. I checked  All dc server is UP and running fine ( rpc,netlogon services,adds).
2. Dcdiag /test: advertising is also Passed

Hi Team,

My ad replications health checkup is failing .kindly help .

eRROR DETAILS:

C:\Windows\system32>repadmin /replicate DC1  DC2a DC=ForestDnsZones,DC=abc,DC=com
DsReplicaSync() failed with status 1722 (0x6ba):
    The RPC server is unavailable.

2. C:\Windows\system32>repadmin /showrepl * /csv > c:\replsd.csv

LDAP error 81 (Server Down) Win32 Err 58.
LDAP error 81 (Server Down) Win32 Err 58.
LDAP error 81 (Server Down) Win32 Err 58.

DC1DC=DomainDnsZones,DC=abc,DC=comsitesdc2aRPC14 4/8/2019 11:22 4/8/2019 7:521256
DC1 CN=Configuration,DC=abc,DC=comsites dc2aRPC 15 4/8/2019 11:22 4/8/2019 7:52 1722

3. C:\Windows\system32>repadmin /replsum

DC1 03h:58m:59s 5/40 12 1722 The RPC server is unavailable.

DC2a 03h:58m:56s 5/10   50 1722 The RPC server is unailable.

My observations:

1. I checked  All dc server is UP and running fine ( rpc,netlogon services,adds).
2. Dcdiag /test: advertising is also Passed

Hi,

I have a windows server 2016 that ADDS role was installed on that. And I have an additional dc with windows server 2008, too. I'm going to install a windows server 2016 as a second additional domain controller but I got the below error:

The server that I want to promote it to the additional domain controller has been joined to the domain and can ping the domain controller. Any help would be appreciated.

Thanks

Hi All,

I am hoping someone is able to help.

We are undergoing a Domain migration and I am looking for a command that will tell me how many accounts have been pre-staged with SIDHistory on the Target Domain through ADUC.

I have a command which uses a custom search in ADUC which is SIDHistory:sidhistory=* but this does not return any accounts. I know there should be at least a few hundred but how many exactly we are not sure.

Any help would be greatly appreciated.

Regards.

Hi ,

We have one way trust between forest A and B.

A trust B

When users from B log on to A ,user policy from both the domain are not getting applied.

Enabled below settings in Forest A :

Loopbakc processing : Merge

Allow cross domain policy processing and roaming profile

Still no luck.

Please help me

forgive the double posting, but I selected the wrong forum initially.

I am having a problem with a user account getting this error consistently for the past few months.  I have finally narrowed it down using MS Network Monitor.

95613    9:26:00 AM 3/20/2019    2137.5229241        tigris.Accounting.local    DANUBE      KerberosV5    KerberosV5:AS Request Cname: user@domain.com Realm: ACCOUNTING.LOCAL Sname: krbtgt/ACCOUNTING.LOCAL     {TCP:3204, IPv4:15}
95614    9:26:00 AM 3/20/2019    2137.5234901        DANUBE      tigris.Accounting.local    KerberosV5    KerberosV5:KRB_ERROR  - KDC_ERR_C_PRINCIPAL_UNKNOWN (6)    {TCP:3204, IPv4:15}
95625    9:26:00 AM 3/20/2019    2137.5238680        tigris.Accounting.local    DANUBE      KerberosV5    KerberosV5:AS Request Cname: user@domain.com Realm: ACCOUNTING.EDT.LOCAL Sname: krbtgt/ACCOUNTING.LOCAL     {TCP:3205, IPv4:15}
95626    9:26:00 AM 3/20/2019    2137.5243039        DANUBE      tigris.Accounting.local    KerberosV5    KerberosV5:KRB_ERROR  - KDC_ERR_C_PRINCIPAL_UNKNOWN (6)    {TCP:3205, IPv4:15}
95643    9:26:00 AM 3/20/2019    2137.5795441        tigris.Accounting.local    DANUBE      KerberosV5    KerberosV5:AS Request Cname: user@domain.com Realm: ACCOUNTING.LOCAL Sname: krbtgt/ACCOUNTING.LOCAL     {TCP:3206, IPv4:15}

I have seen articles point to the SPN not being in the kerberos database but that is not the case here from what I see:

C:\WINDOWS\system32>setspn -L tigris
Registered ServicePrincipalNames for CN=tigris,CN=Computers,DC=Accounting,DC=local:
        MSSQLSvc/tigris.Accounting.local:1433
        MSSQLSvc/tigris.Accounting.local
        TERMSRV/TIGRIS
        TERMSRV/tigris.Accounting.local
        RestrictedKrbHost/TIGRIS
        HOST/TIGRIS
        RestrictedKrbHost/tigris.Accounting.local
        HOST/tigris.Accounting.local

C:\WINDOWS\system32>setspn -L user
Registered ServicePrincipalNames for CN=User,CN=Users,DC=Accounting,DC=local:

[ I noticed today that after I enable the account as Administrator, the user logs in but the kerberos ticket is non-existant until I do a setspn for the user name. ]

What am I missing? 

thanks

Hello I'm sort of new to DFS replication.

I'd like to get our DFS jobs running again.  One thing I'm worried about is replicating in the wrong direction and having our user community lose production files.  I'm also seeing this error event in the logs.  

Can you walk me through a safe process?  

my domain has an spn for domain\AppAccount for mssqlsvc/MySqlServer.domain.com. appaccount is running the sql service on MySqlServer.

assume unconstrained delegation has been working with this setup for years.

when I go into the delegation tab of appaccount to enable constrained delegation, and click add, users or computers, and search for MySqlServer, it lists services for all sorts of things, like host and www and http, but not for MSSQLSvc.

shouldn't there be an mssqlsvc? do I also have to register an SPN for the machine MySqlServer itself, even though the SQL service is running as Appaccount ?  will those not conflict?

When promoting a Windows Server 2016 to DC, adprep fails with an error that an attribute or value already exists.

The DN is CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=<domain>.

Forest and domain functional level is Windows Server 2008 R2, Exchange 2010 is also present in the domain. The result is the same if performed on the new-to-be DC implicit via Install-ADDSDomainController or directly on the schema master.

Here is the output from adprep:

PS C:\Temp\support\adprep> .\adprep.exe /forestprep

ADPREP WARNING:

Before running adprep, all Windows Active Directory Domain Controllers in the forest must run Windows Server 2003 or lat
er.

You are about to upgrade the schema for the Active Directory forest named '<domain>', using the Active Directo
ry domain controller (schema master) 'dc1.<domain>'.
This operation cannot be reversed after it completes.

[User Action]
If all domain controllers in the forest run Windows Server 2003 or later and you want to upgrade the schema, confirm by
typing 'C' and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.


c

Current Schema Version is 86


Upgrading schema to version 87


Verifying file signature
Connecting to "dc1.<domain>"
Logging in as current user using SSPI
Importing directory from file "C:\Temp\support\adprep\sch87.ldf"
Loading entries.
Add error on entry starting on line 1: Attribute Or Value Exists
The server side error is: 0x2083 The specified value already exists.
The extended server error is:
00002083: AtrErr: DSID-031513D7, #1:
        0: 00002083: DSID-031513D7, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 90155 (appliesTo):len 72

0 entries modified successfully.
An error has occurred in the program
ERROR: Import from file C:\Temp\support\adprep\sch87.ldf failed. Error file is saved in C:\Windows\debug\adprep\logs\201
61125155706\ldif.err.87.

If the error is "Insufficient Rights" (Ldap error code 50), please make sure the specified user has rights to read/write
 objects in the schema and configuration containers, or log off and log in as an user with these rights and rerun forest
prep. In most cases, being a member of both Schema Admins and Enterprise Admins is sufficient to run forestprep.


Adprep was unable to upgrade the schema on the schema master.
[Status/Consequence]
The schema will not be restored to its original state.
[User Action]
Check the Ldif.err log file in the C:\Windows\debug\adprep\logs\20161125155706 directory for detailed information.


Adprep was unable to update forest information.
[Status/Consequence]
Adprep requires access to existing forest-wide information from the schema master in order to complete this operation.
[User Action]
Check the log file, ADPrep.log, in the C:\Windows\debug\adprep\logs\20161125155706 directory for more information.

The referenced ldif.err.87 file:

Entry DN: CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=<domain>
changetype: modify
Attribute 0) appliesTo:7b8b558a-93a5-4af7-adca-c017e67f1057

Add error on entry starting on line 1: Attribute Or Value Exists

The server side error is: 0x2083 The specified value already exists.

The extended server error is:

00002083: AtrErr: DSID-031513D7, #1:
	0: 00002083: DSID-031513D7, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 90155 (appliesTo):len 72


An error has occurred in the program

The referenced ldif.err file:

Entry DN: CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=<domain>
changetype: modify
Attribute 0) appliesTo:7b8b558a-93a5-4af7-adca-c017e67f1057

Add error on entry starting on line 1: Attribute Or Value Exists

The server side error is: 0x2083 The specified value already exists.

The extended server error is:

00002083: AtrErr: DSID-031513D7, #1:
	0: 00002083: DSID-031513D7, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 90155 (appliesTo):len 72


An error has occurred in the program

Can anyone shine some light into this matter and what to do?

Searching the internet I could not find anything resembling this.

Thanks a lot for any input!

Hi,

While creating AD groups in on-premises domain we have to follow our group naming standard.

We are planning to bring the naming standard for Azure Active Directory groups.

Let say end users can create their own AD groups however the naming standard should starts AzureAD-Groupname 

Please assist with your valuable answer.

Hi,

We had a grey _Msdcs folder beneath our domain name in DNS.. We also have the AD integrated one..

I removed the Name Server from it as there was only one old server in there and now the folder has vanished???

Is it not needed?

A bit worried now..

Hello, we use DFSN,R a lot in our company.

I have a situation where I need to replicate a folder called USERS on Server 1 and another folder called USERS on Server 2.

I was doing a test to insure they would merge and not over write anything.

To my surprise DFS will not even let me set it up because the folder name is the same.

How should I be doing this?