The Problem
I cannot query the AD from the AppsServer unless I leave the domain and restart, then rejoin and NOT restart

All are fully patched with latest updates 07/05/2019

Setup (All Server2019, all single NICs)
DC01: Physical running AD DS, DHCP, DNS and file and storage services
AppsServer: Physical running Hyper-V, IIS, print and doc, file and storage services and Azure AD Connect
DC02: Virtual running AD DS, DHCP, DNS and file and storage services

Communication between the two DC's is fine, although I do get DFS Replication Event 5008 quickly followed by 5004 on DC01
Pings between the two DC's are <1ms and never miss a beat.

DCDIAG From AppsServer
dcdiag /test:advertising /v /s:dc01
* Connecting to directory service on server dc01.
   Ldap search capability attribute search failed on server dc01, return value = 81

DCDIAG From DC02
Directory Server Diagnosis

Performing initial setup:
   * Connecting to directory service on server DC01.
   * Identified AD Forest.
   Collecting AD specific global data
   * Collecting site info.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=local,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
   The previous call succeeded
   Iterating through the sites
   Looking at base site object: CN=NTDS Site Settings,CN=Primary,CN=Sites,CN=Configuration,DC=domain,DC=local
   Getting ISTG and options for the site
   * Identifying all servers.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=local,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
   The previous call succeeded....
   The previous call succeeded
   Iterating through the list of servers
   Getting information for the server CN=NTDS Settings,CN=DC01,CN=Servers,CN=Primary,CN=Sites,CN=Configuration,DC=domain,DC=local
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=DC02,CN=Servers,CN=Primary,CN=Sites,CN=Configuration,DC=domain,DC=local
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   * Identifying all NC cross-refs.
   * Found 2 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests

   Testing server: Primary\DC01
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         * Active Directory RPC Services Check
         ......................... DC01 passed test Connectivity

Doing primary tests

   Testing server: Primary\DC01
      Starting test: Advertising
         The DC DC01 is advertising itself as a DC and having a DS.
         The DC DC01 is advertising as an LDAP server
         The DC DC01 is advertising as having a writeable directory
         The DC DC01 is advertising as a Key Distribution Center
         The DC DC01 is advertising as a time server
         The DS DC01 is advertising as a GC.
         ......................... DC01 passed test Advertising
      Test omitted by user request: CheckSecurityError
      Test omitted by user request: CutoffServers
      Test omitted by user request: FrsEvent
      Test omitted by user request: DFSREvent
      Test omitted by user request: SysVolCheck
      Test omitted by user request: KccEvent
      Test omitted by user request: KnowsOfRoleHolders
      Test omitted by user request: MachineAccount
      Test omitted by user request: NCSecDesc
      Test omitted by user request: NetLogons
      Test omitted by user request: ObjectsReplicated
      Test omitted by user request: OutboundSecureChannels
      Test omitted by user request: Replications
      Test omitted by user request: RidManager
      Test omitted by user request: Services
      Test omitted by user request: SystemLog
      Test omitted by user request: Topology
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: VerifyReferences
      Test omitted by user request: VerifyReplicas

      Test omitted by user request: DNS
      Test omitted by user request: DNS

   Running partition tests on : ForestDnsZones
      Test omitted by user request: CheckSDRefDom
      Test omitted by user request: CrossRefValidation

   Running partition tests on : DomainDnsZones
      Test omitted by user request: CheckSDRefDom
      Test omitted by user request: CrossRefValidation

   Running partition tests on : Schema
      Test omitted by user request: CheckSDRefDom
      Test omitted by user request: CrossRefValidation

   Running partition tests on : Configuration
      Test omitted by user request: CheckSDRefDom
      Test omitted by user request: CrossRefValidation

   Running partition tests on : domain
      Test omitted by user request: CheckSDRefDom
      Test omitted by user request: CrossRefValidation

   Running enterprise tests on : domain.local
      Test omitted by user request: DNS
      Test omitted by user request: DNS
      Test omitted by user request: LocatorCheck
      Test omitted by user request: Intersite

IPCONFIG /All (disabled IPV6 on DC01 and AppsServer to test)
DC01
   Host Name . . . . . . . . . . . . : DC01
   Primary Dns Suffix  . . . . . . . : domain.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.local

Ethernet adapter NIC1:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : 90-B1-1C-22-19-82
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.254
   DNS Servers . . . . . . . . . . . : 192.168.0.17
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Disabled -> just disabled to test

DC02
   Host Name . . . . . . . . . . . . : DC02
   Primary Dns Suffix  . . . . . . . : domain.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.local

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
   Physical Address. . . . . . . . . : 00-15-5D-00-60-0A
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::f5ad:b95d:529c:18d3%9(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.17(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.254
   DHCPv6 IAID . . . . . . . . . . . : 100668765
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-24-33-CA-A5-00-15-5D-00-60-0A
   DNS Servers . . . . . . . . . . . : 192.168.0.1
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Disabled -> just disabled to test

AppsServer
   Host Name . . . . . . . . . . . . : AppsServer
   Primary Dns Suffix  . . . . . . . : domain.local
   Node Type . . . . . . . . . . . . : Mixed
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.local

 Ethernet adapter NIC1:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet #4
   Physical Address. . . . . . . . . : F0-1F-AF-E1-5E-0F
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.3(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.254
   DNS Servers . . . . . . . . . . . : 192.168.0.1
                                       192.168.0.17
   NetBIOS over Tcpip. . . . . . . . : Enabled

Other tests ran..
nltest /dsgetdc:domain.local /server:dc01
     DC: \\DC01.domain.local
     Address: \\192.168.0.1
     Dom Guid: 62ea49d6-7a05-4258-81d3-06dba557ffed
     Dom Name: domain.local
     Forest Name: domain.local
     Dc Site Name: Primary
     Our Site Name: Primary
     Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS DS_8 DS_9 DS_10

The command completed successfully

Pings between all serves work on IP and HOST names, Firewall has been disabled for all network types, Group Policies have been disabled except on domain controllers.  My local Windows 10 machine works without any issue and can query the AD.

I'm out of ideas and would appreciate any help.

Hi all,

Can anybody tell me what is exact replication time frame when we talk aboutAuthoritative or Non-Authoritative Restore of Active Directory? The key issue here is exact time: "not yet replicated" vs "already replicated" thing. I saw these docs:

Performing an Authoritative Restore of Active Directory Objects

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc779573(v%3dws.10)

Performing a Nonauthoritative Restore of a Domain Controller

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc784922(v=ws.10)

How can I know if it has already replicated if I know the deleted objects have been there for 1h? 2h? 1/2 hour? What's thedefault replication interval?

Can somebody briefly elaborate on  "not yet replicated" vs "already replicated" thing when we talk AD restoration of deleted objects? 

Thanks

Hello,

If I understand correctly, when we talk about RODC there is a clear distinction between delegating AD tasks and delegating somebody to manage hardware on RODC?

So if f.e I wanted to delegate creating of accounts to a person, I'd go and use delegation wiz:

But on another hand, if it comes to server management(hardware) I'd need to delegate it from Managed By tab? Am I on target or missing something???

Hi All,

I have faced an AD problem yesterday, and I have no experience in this kind of problem so I need some advice. We have a customer with multiple sites. They had moved their HQ to another city two months before while they're also working in the previous site, so we had built another infrastructure at the new site. Previously they had a single site with one server running 2012 (non-R2) Foundation in a single domain environment. Then, we installed a Linux based firewall at the new HQ and the old site, connected the sites by IPSec and installed the new DC (Win 2016 Standard) to the new HQ by joining it to the domain and promote as DC in the existing infrastructure. AD was fine as we had installed 3-4 more Win Servers in the new site, joined to the domain and everything was fine in the past 2 months. Now they're on a migration to a new site at the old HQ so there's the time to move FSMO roles to the new HQ and demote the old DC, as only a few PCs will remain in the prevoius city, they'll work fine through IPSec and no need for a new DC there. I had moved the FSMO roles 2 days before, first of all, and configured DHCP and DNS resolver on the Linux FW to forward DNS queries to HQ DC. Before FSMO move I had checked AD replication and run the dcdiag diagnostics and there wasn't any problem with the new DC. At the end of this project I have just stopped DNS and DHCP services to be sure that everything works through IPSec. I planned to demote the DC at the next evening if everything is fine on the test day. But users complained that DNS is not working as expected. After a few hours of investigation I have found that there's a problem with Active Directory. I had tried a server restart and then I got a lot of errors in event logs. Tried dcdiag again and found these problems:

(Netlogons) Unable to connect to the NETLOGON share! An net use or LsaPolicy operation failed with error 67

(DFSREvent) There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.

(Advertising) Warning: DsGetDcName returned information for \\SERVER..., when we were trying to reach SRV.... IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.

NETLOGON and SYSVOLT shares are missing. All other tests were successfull.

I had googled a lot and found the D2/D4 DFSR solution. It is unclear for me what to choose, the authoritative or the non-authoritative restore and that on what DC I have to run the guide? In a case of a failure what Will lost, so in addition to normal backup that files I have to backup manually? I had moved the FSMO roles back to the old DC as it's dcdiag was fine, so can be a better solution to demote the new DC and install the role again? What could cause this problem as before FSMO move dcdiag was fine?

Every advice or idea is also appreciated!

I want to find all AD groups containing the word "prgm". I tried right-clicking the domain name, "Find..." , tested various combinations such as "prgm", "*prgm*" but incorrect results were returned.

Can this task be done using the AD User and Computer interface tools? (If not, how then?)

TIA,

edm2

Hey,

I have another interesting question. In Event Viewer there is this funny thing called Data Collector Sets that can be also used totroubleshoot AD. You can run it f.e from User Defined or f.e fromSystem.

Also, the templates usually create different types of things like: event traces, performance counters and configurations. My issue is to somehow measureREPLICATION. So in DCS you can either use a TEMPLATE which gives you a combination of all 3 or CUSTOM to select f.e onlyperformance counters. Can anybody explain to me in a plain terms what are those event traces? After a moment or few of research I found out that there are the whole bunch ofperformance counters I could use for replication (examples:)

• NTDS / DRA Inbound Objects Applied/sec
• Database adds/sec
• NTDS / DRA Inbound Values (DNs only)/sec

https://support.microsoft.com/en-ie/help/2981628/adrepl-troubleshooting-ad-replication-error-8461

A neat table is here(if anybody would need it):

Active Directory System Monitor Counters on the NTDS Object

https://www.itprotoday.com/active-directory/jsi-tip-5454-how-do-i-monitor-performance-active-directory

Can I use event traces to measure/check replication? When you run AD Diagnostic report, it will show the repl:

If I want to create them manually (for replication only)- what options would I have (betweenevent traces, performance counters and configurations)??? I understand that configs are about registry...

From my research I know there are performance counters, but should I include also the "event trace data" or even system config info? Can anybody explain this issue?

Thanks!

Made an idiotic mistake. Was trying to solve a sysvol/netlogon issue on a newly built off site DC. Was doing research and someone wrote that I should run the d4 flag in burflags. It was flagged as the correct answer so I didn't dig into it further as it  was1am. And I've never had to do a restore so was unaware of what that flag was. After I ran it I started digging more into it and realized what I've done. I checked my other DCs and they seem to be fine, I did not disable frs on the other DCs nor did I run an unauthoritative restore on them.

So I don't know how to assess the damage I've done. GPOs are fine, dns changes, user changes seem to replicate just fine.

To be honest, I want to just demote this problematic off site DC, remove the meta data and start over but considering I already ran the authoritative restore on it, I wanted to see if anyone knew if there were some steps I needed to perform or items to check before I demote this server and start over. Any guidance be appreciated. 

I was wondering if there is a way to force a user account, at logon, to authenticate to a specific domain controller?

Example would be if there are 3 domain controllers (DC1, DC2, DC3) and I want a user account to authenticate to only one of the controllers how do I force that user account to only look at DC2 for authentication and not any other DC server?

Not sure if this is even possible.

Any and all help is greatly appreciated,

Len

Leonard Hoffman

Made an idiotic mistake. Was trying to solve a sysvol/netlogon issue on a newly built off site DC. Was doing research and someone wrote that I should run the d4 flag in burflags. It was flagged as the correct answer so I didn't dig into it further as it  was1am. And I've never had to do a restore so was unaware of what that flag was. After I ran it I started digging more into it and realized what I've done. I checked my other DCs and they seem to be fine, I did not disable frs on the other DCs nor did I run an unauthoritative restore on them.

So I don't know how to assess the damage I've done. GPOs are fine, dns changes, user changes seem to replicate just fine.

To be honest, I want to just demote this problematic off site DC, remove the meta data and start over but considering I already ran the authoritative restore on it, I wanted to see if anyone knew if there were some steps I needed to perform or items to check before I demote this server and start over. Any guidance be appreciated. 

We are currently running ADFS version 3 in our production single domain. We are needing to standup another instance using ADFS version 4 to test a new application. Question we have is: Can we stand up multiple ADFS instances in the same domain independently?

Hi, I'm hoping someone can help with this question regarding DNS Forwarding:

I have an AD domain with 8 DNS servers across the country mix of (Win 2k8 R2/2012 R2/2016 servers).  

• 3 x Read Only (Secondary) DNS servers
• 4 x Master DNS servers

The 4 x Master DNS severs are:

• AD integrated zones
• Dynamic Updates = Secure Only
• Aging and scavenging is setup and working

I want to reduce internet traffic so that only 1 or 2 DNS servers are configured with my ISP DNS servers as forwarders or root hints.  Do I need to configure all the other DNS servers in the domain with the IPs of the 2 DNS servers I configure for External ISP DNS or root hints as Forwarders in order for them to resolve external sites?  

DNS1 - confirgured for ISP DNS or root hints

DNS2 - confirgured for ISP DNS or root hints

DNS3 - Set DNS1 & DNS2 on the forwarders tab?

DNS4 - Set DNS1 & DNS2 on the forwarders tab?

DNS5 - Set DNS1 & DNS2 on the forwarders tab?

DNS6 - Set DNS1 & DNS2 on the forwarders tab?

DNS7 - Set DNS1 & DNS2 on the forwarders tab?

Any help would be appreciated.

I recently migrated all the domain controllers in a multi site environment to Server 2016. In one of the sites one domain controller shows its name with some kind of a code (I believe its SID). Now it doesn't allow me to transfer fsmo roles to new server using the new server name (STWN-AD03), See attached. In sits and services and /replsummary also shows the server name with same name. 

I hope you can help me find what caused it. Like I mentioned this domain has 3 sites and changes replicated throughout all sites.

I was thinking replication delays might have caused it while I'm upgrading, because after upgrading Site A, I didn't check all changes are replicated to other 2 sites before moving on to Site B. Any thoughts? 

How can I fix this? I there any way without going for a fresh server? (because we already migrated a payroll application to the new server)

Janindu Nanayakkara

I am a complete rookie when it comes to these things, so please bear with me.

I have an LDIF file myfile.ldif with the following contents:

dn: dc=mydomain,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: MyOrg

There  is more stuff after this, but this will do.

When I try to import it, I am getting the following:

C:\sds>ldifde -i -f myfile.ldif
Connecting to "<ip-address>"
Logging in as current user using SSPI
Importing directory from file "myfile.ldif"
Loading entries.
Add error on entry starting on line 1: Unwilling To Perform
The server side error is: 0x2079 The specified instance type is not valid.
The extended server error is:
00002079: SvcErr: DSID-033308F0, problem 5003 (WILL_NOT_PERFORM), data 0

0 entries modified successfully.
An error has occurred in the program
No log files were written.  In order to generate a log file, please
specify the log file path via the -j option.

I have no clue as why this is failing, and on the first line too. Any suggestions on how to diagnose and fix this?

Hello

In our Organization we have configure 2-way forest trust relationship between 2 forest domains(ForestA and ForestB) with Transitive mode "Yes", Name Suffix Routing is properly set.

When checking for the trust validation the next window appear:

While checking with nltest /dclist:DomainB also give a list of DCs in the DomainB.

ForestA contain two child domain child1.ForestA and child2.ForeastA. ForestB dont have child domain.

Adding account from ForestB to ForestA's Domain Local group is success. But when we are trying to add account from ForestB to the Domain Local group in child1.ForestA it gives an error window below:

P. S. Conditional Forwarders is configured properly, all FQDNs of DomainB resolves successfully

Hi, I'm not a network guy (hopefully this is the right forum?), but I've created a new server, installed AD Users and Computers, and I'm trying to reach one of our domains. I'm logged in to the box with an admin account I'm logged in with on other servers able to reach the domain through AD Users and Groups.

Change domain and typing in the Domain name gives me the error in the Title. I am, however, able to ping it from the server. I took the IP and tried it in Change Domain, but got "Windows cannot connect to the new domain because: The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you."

Where do I go from here? How would I troubleshoot?

Thanks,

Scott

Hi Microsoft Team,

We are facing an issue which is as follows:

1.	We have a SQL based user management system.
2.	Now, we are planning to getting AD enabled for our production.
3.	The challenge is to see if for a desktop login, we can have the Active directory (AD) talk to the non-AD source like SQL for user authentication / authorization. We will need your help here in checking the technical feasibility of this.

Please let me remind you that this is a non-cloud based infrastructure.

Also, wanted to check if this is possible with a RADIUS configuration with AD (for desktop login).

Hi Dears, 

I want to know why my Domain Controller has Time Delay every month approximately one minute, in there months has three minutes, however I set the  Date and Time at local time zone,

please help me

Ram

Hi,

I have single Domain Controller 30 machines are not able to contact the Server then possibly i checked internet in the Directory Server i was not able to browse Internet though Directory Server. Then i ran dcdiag /fix, I got the following errors. I have checked the network interface too but still i am unable to resolve the issue.

Other Machines connected to the Directory Server are getting internet.

Other Errors from the NETLOGON Service : Event 5722

The session setup from the computer WS-15 failed to authenticate. The name(s) of the account(s) referenced in the security database is WS-15$.  The following error occurred: Access is denied.

DistributedCOM : Event 10016

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

C:\Windows\system32>dcdiag /fix

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = ADServer2
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\ADSERVER2
      Starting test: Connectivity
         The host a5062caf-4ee7-400f-a70d-9e4d8e84e0f0._msdcs.ad.xxxx.com could not be resolved to an IP address. Check the DNS server, DHCP, server name,
         etc.
         Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
         ......................... ADSERVER2 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\ADSERVER2
      Skipping all tests, because server ADSERVER2 is not responding to directory service requests.


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : ad
      Starting test: CheckSDRefDom
         ......................... ad passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ad passed test CrossRefValidation

   Running enterprise tests on : ad.vinformax.com
      Starting test: LocatorCheck
         ......................... ad.xxxx.com passed test LocatorCheck
      Starting test: Intersite
         ......................... ad.xxxx.com passed test Intersite

Kindly help me to sort out the issue.

Regards,

D.Nithyananthan.

Thanks &amp; Regards, D.Nithyananthan.

Hi All,

I wanted to know about the exact ports which are required for communication between domain controller to domain controller and client to domain controller. I have to allow these ports through the firewall.

I have followed the technet library link and after my own testing created this list -

Client to DC Communication -

DC to DC communication -

Does these ports looks good ?

Experts please help.

Thanks,

Neeraj.