After upgrading domain controllers from Windows 2008 R2 to windows 2012 R2. We cannot copy an existing user that has a mailbox.We get the error Windows cannot create the object username because: The name reference is invalid.

Therefore, I applied Update Rollup 17 for Exchange Server 2007 Service Pack 3.

I am still getting the same error.

In addition, I am getting errors like

Consolidate: The Active Directory service Referral interface failed to service a client request. RFRI is returning an error.

The Directory Service Referral interface failed to service a client request.

RFRI is returning the error code:[0x3f0].

Referral Interface cannot contact any global catalog server that supports the NSPI Service.

Referral Interface cannot contact any Global Catalog that supports the NSPI Service.

Clients making RFR requests will fail to connect until a Global Catalog becomes available again.

After a Domain Controller is promoted to a Global Catalog, it must be rebooted to support MAPI Clients.

I am not finding anything wrong on the Global Catalog servers.

Is it safe to stop the Netlogon service before shutdown on domain controllers? We are experiencing logon issues with some applications (mostly BizTalk) when automatically patching our DCs using Windows Update.

Event 6913 can be seen in the BizTalk Server log.

An attempt to connect to "BizTalkMgmtDb" SQL Server database on server "BIZTALKDBSERVER" failed.
 Error: "Login failed. The login is from an untrusted domain and cannot be used with Windows authentication."

I’ve read about others experiencing the same issues here:
 
https://blogs.msdn.microsoft.com/biztalknotes/2013/08/22/biztalk-hosts-fail-when-domain-controllers-are-rebooted/
https://support.microsoft.com/de-de/help/2683606/domain-members-fail-authentication-when-domain-controller-is-shut-down

https://blogs.msdn.microsoft.com/biztalkcpr/2009/02/11/do-you-see-the-following-errors-on-your-biztalk-server-every-time-you-reboot-your-domain-controller/
 
Also, from what I can find on the matter, it has long been a problem that domain controllers stop dealing with authentication requests before reboot/shutdown. Shouldn’t this be fixed from Microsoft? Of course we can all set up scheduled tasks via GPOs, however that is no real solution to the actual problem.
 
Thank you.

Edit:

Maybe I should add some info about our environment in case anyone would actually work on this:

DCs running 2016 server

BizTalk 2013 R2 on 2012 R2 server

SQL 2014 on a 2012 R2 server

Hi Dears, 

I want to know why my Domain Controller has Time Delay every month approximately one minute, in there months has three minutes, however I set the  Date and Time at local time zone,

please help me

Ram

Dear All,

I did delegate a user to reset domain user passwords and modified their properties, he can do his tasks on majority of domain users but not for others. I did check those users and they'r member of a security group " technical support" which has the privileges to do remote desktop on domain computers and also member of domain computers. All members of that group are having admincount 1, and as my understanding even i remove this value it well added back after an hour. I did add that user to same group" technical support" and he's admincount 1 but still he can't reset any member of that group. Enable inheritance is disabled for those users as well, i did enable it but it disabled again. Is there is any way to let that user to reset all members on that group.

Thank You

First let me say that I have almost no experience with powershell.  I know how to dump some code in to a .ps1 file to be run like a batch file.  Here is what I'm trying to figure out.

We're going to be using an ADLDS attribute, "Description", to add data for which type of application someone uses on our site, and separate those applications with semi colons.

Example app1;app2;app3;app4

I need a script that will read this attribute and parse those apps in to variables, then execute something based on the variable.

Example: I need to see if a user has app2 in the user account description field, see if their account is enabled, and if their account is enabled, , pull them in to a csv file, then email that file to a distribution list. 

So I end up with a csv file listing how many users have app1 or app2.

Any help is greatly appreciated.

here is a script that seems to work to pull some of that data from ADAM.

Hi All,

I'm running into an issue when deleting (3) child domains on a Windows 2008 R2 functional level domain. The child domains have been severed for several years and the child domain DCs have been removed from the domain utilizing NTDSUTIL. When attempting to use ntsdutil: metadata cleanup > remove selected domain, I receive error: DsRemoveDsDomainW error 0x2015(The directory service can perform the requested operation only on a leaf object.)

Output:

metadata cleanup: select operation target
select operation target: list sites
Found 4 site(s)
0 - CN=site1,CN=Sites,CN=Configuration,DC=domain1,DC=com
1 - CN=site2,CN=Sites,CN=Configuration,DC=domain1,DC=com
2 - CN=site3,CN=Sites,CN=Configuration,DC=domain1,DC=com
3 - CN=site4,CN=Sites,CN=Configuration,DC=domain1,DC=com
select operation target: list domains
Found 4 domain(s)
0 - DC=domain1,DC=com
1 - DC=child1,DC=domain1,DC=com
2 - DC=child2,DC=domain1,DC=com
3 - DC=child3,DC=domain1,DC=com
select operation target: select domain 1
No current site
Domain - DC=child1,DC=domain1,DC=com
No current server
No current Naming Context
select operation target: quit
metadata cleanup: remove selected domain
DsRemoveDsDomainW error 0x2015(The directory service can perform the requested operation only on a leaf object.)

After looking up the error, it appears it's due to the DomainDnsZones still being available. So I ran NTDSUTIL: partition management > list and have (10) naming contexts available, but I'm not sure which ones to remove.

C:\Windows\system32\ntdsutil.exe: partition management
partition management: list
Note: Directory partition names with International/Unicode characters will only display correctly if appropriate fonts a
nd language support are loaded
Found 10 Naming Context(s)
0 - CN=Configuration,DC=domain1,DC=com
1 - CN=Schema,CN=Configuration,DC=domain1,DC=com
2 - DC=domain1,DC=com
3 - DC=child1,DC=domain1,DC=com
4 - DC=child2,DC=domain1,DC=com
5 - DC=child3,DC=domain1,DC=com
6 - DC=DomainDnsZones,DC=child1,DC=domain1,DC=com
7 - DC=DomainDnsZones,DC=domain1,DC=com
8 - DC=DomainDnsZones,DC=child2,DC=domain1,DC=com
9 - DC=ForestDnsZones,DC=domain1,DC=com
partition management:

Do I remove the DomainDNSZones entries for the child domains I'm attempting to remove or do I remove all child domain records above?

I recently renamed several sites to align with infrastructure changes made on the back-end which include metadata cleanups for legacy child domains and DCs. (Link below)

https://social.technet.microsoft.com/Forums/windowsserver/en-US/2f2d01fa-3eb8-4b9e-b9ac-fa42cbbdad00/unable-to-remove-child-domains-windows-2008-r2-functional-level?forum=winserverDS#fcc5c567-f684-4d39-bef3-8a3deb760f6d

After renaming the sites I noticed the old site names and SRV records are listed under _msdcs.domain1.com and other containers.

Question: Can I safely remove the old site names since the new site names and records are available?

We have two different AD DS in our company. First for the Domain client user login(abc.com) and second for theExchange mail service(xyz.com). We currently have approximately 500 users in our company. We have created users in both the domain for their specific purpose. Now we want to remove first domain(abc.com) from our company permanently and use a single domain(xyz.com) We have exchange mail user in our second domain already created.

Now can I use same user created in xyz.com for mail services and domain user login also? or Do I need to create all the users for client login again?

If no then, do it effect in mail service after using the same user for logging on to the client computer?

What about the groups for assigning security since I have created only distribution groups for the mail services in the second domain(xyz.com)?

Can you please help me?

Thank You

Hello Team,

I am new to Active Directory. So I want to ask that what is the path to learn active directory and get certified in that.

Also want to know that what is the pre-requisite required to learn Active Directory.

Regards,

Vipin

In our environment we had three domain controller as single forest and all the servers on windows 2008 R2, one is located at branch office in different region, two at Head Office among which one is PDC. Additional DC has crashed today ( Hardware failure), now i am planning to have Windows 2012 R2 DC on new Hardware. kindly suggest the best practice to achieve this. kindly note i had Wins and Certification authority also on the crashed server.

I am a complete rookie when it comes to these things, so please bear with me.

I have an LDIF file myfile.ldif with the following contents:

dn: dc=mydomain,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: MyOrg

There  is more stuff after this, but this will do.

When I try to import it, I am getting the following:

C:\sds>ldifde -i -f myfile.ldif
Connecting to "<ip-address>"
Logging in as current user using SSPI
Importing directory from file "myfile.ldif"
Loading entries.
Add error on entry starting on line 1: Unwilling To Perform
The server side error is: 0x2079 The specified instance type is not valid.
The extended server error is:
00002079: SvcErr: DSID-033308F0, problem 5003 (WILL_NOT_PERFORM), data 0

0 entries modified successfully.
An error has occurred in the program
No log files were written.  In order to generate a log file, please
specify the log file path via the -j option.

I have no clue as why this is failing, and on the first line too. Any suggestions on how to diagnose and fix this?

Hi,

We created an application group with a Web App (client) and Web API (RP) in AD FS 2019 to support the oauth2 autorisation code grant flow between the two of them (Web Browser to Web App with Oauth confidential client).  Everything is working as expected, I can get the authorization code, the acess token and validate the token using the corresponding Owin middleware in our API. However, there is one thing I was not expecting: the user is never prompted for consent.<o:p></o:p>

From the documentation of that specific scenario (ADFS scenarios for développer), it appears to be the normal behavior :

Because AD FS uses a model of administrator consent, users are not prompted for consent when accessing resources. By configuring the application group, the administrator in effect provides consent on behalf of all application users.

Thing is, I am not sure in our case that an admin consent is acceptable (we are using oauth2 specifically so that the user can give their consent). So, I was wondering if there is a way to have a user consent page in AD FS 2019?  A bit like in Azure AD (as from the consent framework documentation).

Is it something we're missing in the application group configuration (or AD FS oauth implementation altogether)?   

Thank you,

Simon

I've read the existing questions regarding the computer LastLogonTimestamp, and cannot seem to find an exact answer to this question. Possibly it was answered and I didn't understand the answer or overlooked it.

I understand the relationship to the ms-DS-Logon-Time-Sync-Interval and that it is only going to update at minimum, when this condition (14 days plus or minus 5% by default) has been met. What I still don't understand is, once this condition has been met, what other events will specifically update the computer LastLogonTimestamp, and/or are these events the same as the ones that will update this attribute for theuser LastLogonTimestamp?

I am not a domain admin (and no genius), but I'm being asked to pull information from AD to track down obsolete/unused computers, which I understand is exactly what this attribute is for. But I have to fully understand and explain the attribute before I go to my boss with a report that is based on it. I've been using the PwdLastSet attribute, but he wants to report on a shorter interval so I'm trying to understand this attribute.

For instance, if a computer sits on, connected to the domain, but no user ever logs on, will it update this attribute only when the PwdLastSet attribute updates every 30 days? Or if a user is logged on and never logs off, what authentication events, performed by the user, will update the computer LastLogonTimestamp attribute? Does a simple user logon update the computer LastLogonTimestamp? Any help you can provide would be appreciated.

It might be worth noting that we have some 8,700 computers whose PwdLastSet attribute has changed in the last 60 days, but over 14,000 computer names in AD. These computers are spread out across North America. A visual inventory is not an option.

Thanks

MikeHess2112

Hi,

I have a orphaned subdomain with 4 DCs  (sub.root.local) (two of them as GC), where I can't contact nothing on parent domain (root.local). Previously, we had to delete all settings that pointed to sub.root.local in root.local, because they could not promote a new server to be Global Catalog. Now I'm having the same problem, but it's on my end. I successfully promoted two new DCs, but I'm receiving the following warning after running repadmin /showrepl 

DSA Options: IS_GC
    WARNING:  Not advertising as a global catalog.
Site Options: IS_GROUP_CACHING_ENABLED

I was directed to use Microsoft Tool named AD Replication Status Tool and almost every test passed, except for this:

Synchronization attempt failed because the destination DC is currently waiting to synchronize new partial 
attributes from source. This condition is normal if a recent schema change modified the partial attribute set.
The destination partial attribute set is not a subset of source partial attribute set.

The above test is a synchronization with DC=root,dc=local and it appears only in the olders DCs, that are Global Catalogs.

I'm thinking of using ntdsutil to remove the references to root.local, but I'm not sure if this would break my enviroment, since I didn't found any information about using ntdsutil to remove parent domain.

Please, if you do need more information I will be pleased to answer.

In our environment we had three domain controller as single forest and all the servers on windows 2008 R2, one is located at branch office in different region, two at Head Office among which one is PDC. Additional DC has crashed today ( Hardware failure), now i am planning to have Windows 2012 R2 DC on new Hardware. kindly suggest the best practice to achieve this. kindly note i had Wins and Certification authority also on the crashed server.

Hi Team

DO we have any options to enable or deploy File and Print sharing in firewall  using group policy .

Hi All,

I have noticed recently after the SET command in CMD that my laptops LOGONSERVER is a Domain Controller server not in the same location as the laptop. For example my laptop is located in HQ but the Domain Controller logon server is in a different office some miles away.

Sites and Services are all setup as per Microsoft recommendation e.g. most of the Satellites sites DC's connect and replicate to DC's in HQ. I would have thought that the machines would pick up their closest DC but that does not seem to be the case here.

Can someone explain how a client machine gets a LOGONSERVER when logging onto a domain.

Any information would be greatfully received.

Regards.

Hi, 

In any option available to show the domain user login display no of attempt left to login or bad password count

Please help to update the query 

Hi,

I have single Domain Controller 30 machines are not able to contact the Server then possibly i checked internet in the Directory Server i was not able to browse Internet though Directory Server. Then i ran dcdiag /fix, I got the following errors. I have checked the network interface too but still i am unable to resolve the issue.

Other Machines connected to the Directory Server are getting internet.

Other Errors from the NETLOGON Service : Event 5722

The session setup from the computer WS-15 failed to authenticate. The name(s) of the account(s) referenced in the security database is WS-15$.  The following error occurred: Access is denied.

DistributedCOM : Event 10016

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

C:\Windows\system32>dcdiag /fix

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = ADServer2
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\ADSERVER2
      Starting test: Connectivity
         The host a5062caf-4ee7-400f-a70d-9e4d8e84e0f0._msdcs.ad.xxxx.com could not be resolved to an IP address. Check the DNS server, DHCP, server name,
         etc.
         Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
         ......................... ADSERVER2 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\ADSERVER2
      Skipping all tests, because server ADSERVER2 is not responding to directory service requests.


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : ad
      Starting test: CheckSDRefDom
         ......................... ad passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ad passed test CrossRefValidation

   Running enterprise tests on : ad.vinformax.com
      Starting test: LocatorCheck
         ......................... ad.xxxx.com passed test LocatorCheck
      Starting test: Intersite
         ......................... ad.xxxx.com passed test Intersite

Kindly help me to sort out the issue.

Regards,

D.Nithyananthan.

Thanks &amp; Regards, D.Nithyananthan.