Hello tech world, I ran the following command on DC01 (however DC02 passed test RidManager), both are in the same site, both can talk with the Rid Master, all DC's ports are open, i.e 389,636,53,123,88,135,137,138,139,445,464,3268,3269

DCDIAG /Test:ridmanager /v

then got the following error:

Available RID Pool for the Domain is 64878 to 1073741823

FQDN is the RID master

DsBind with RID Master was successful

Warning: attribute rIdSetReferences missing from CN=server,ou=xx,ou=domain controllers,dc=xx,dc=xx,dc=xx

Could not get Rid set Reference :failed with 8481

The search failed to retrieve attributes from the database. Server failed test RidManager

Hi guys,

Scenario: I have a service account that is granted permission to run a script on a server. I've noticed that when other users who are non-domain admin sometimes use the credentials for the account to run a script they get access is denied.

I come in and run the same exact script with the same service account credentials and it works. Funny part is once I run it and it works then when they try it works again till they have the issue again. The account is not locked, disabled or anything like that whenever this happens. Password is set to never expire.

This does not make sense to me because they are doing "run as" and using the same credentials I'm using.

Is there a permission that is needed from AD or maybe on the server for other users to be able to use the credentials?

Hello,

We have followed this guide and have two DHCP servers in load sharing mode not split scope. 

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831385(v=ws.11)

Now when we go and manage scope items in DHCP are the changes supposed to replicate between the two servers?

A year ago I created a group policy called 'Domain Controller Audit Policies' and configured the 'Advanced Audit Policy Configuration\Audit Policies' to enable all the audit policies under DS Access for both Success and Failure. I verified that 'Audit Directory Service Changes' is enabled. This GPO is applied to my 'Domain Controllers' OU.

I was confident that I would be able to gather the event logs when a computer object in AD was created, modified, move, or undeleted.  At least until my company's security team wanted to know who deleted an important computer last night.

So I searched for Security event 5141 to find who made the change. Nothing on any of my 28 domain controllers. Horrified.

So red-faced I searched for Security events 5137, 5138, 5139, and 5141 on all my domain controllers. NOTHING.

I do see 5136 events for dnsnode changes but nothing else. No records of any other AD object changes. A medium sized company should have hundreds listed.

There must be a configuration that I am missing so we can capture events for computers, users, OU, etc.

Please advise.

We are planning to discontinue using Access Manager, due to end of support after a year and we plan to do user management tasks via Powershell scripts and ADSI Edit. However we are unable to create new user roles via Powershell or ADSI Edit..            Is anyone aware of a similar user friendly tool, like Access Manager available for user management for AD LDS?                                                                 Thanks, Satish Vartak

Dear Team,

Consider my organization having different  subnets or networks

My Domain Controller (With DNS)

Ip : 172.17.23.152

subnetmask : 255.255.255.0

Gateway : 172.17.23.1

2ND Domain controller (With DNS)

Ip : 172.17.23.153

subnetmask : 255.255.255.0

Gateway : 172.17.23.1

Client 1( machine joined to domain Successfully)

Ip : 172.17.23.20

subnetmask : 255.255.255.0

Gateway : 172.17.23.1

and DNS we have given

primary 172.17.23.152 ( ip of 1st domain controller )

secondary 172.17.23.153 ( ip od 2nd domain controller )

Client 2(different subnet and gateway & not able to join domain)

Ip : 172.17.21.56

subnetmask : 255.255.255.0

Gateway : 172.17.21.1

and DNS we have given

primary 172.17.23.152 ( ip of 1st domain controller )

secondary 172.17.23.153 ( ip of2nd domain controller )

while trying to join domain it is giving error 

 172.17.23.152

 172.17.23.153 

how can  i join my client 2 to domain??

Regards 

Aghil

Hi Support,

I have remove the domain controller 2008 r2 and promote again but name is still showing and RODC unable to communicate with new Domain controller.

I have remove all the old domain controller from DNS and site & services and active directory pc but still when run the below command the showing old server name:

Remove the Old server TEST-LAB-DC-01 ip address 10.0.045

Hello,

like I said in a title, I am trying to delegate permission for moving user object to its subOUs.

I have spent lots of time doing research and tests on this topic and almost all of the answers says that I need to to the following:

Source OU:

- This object only - Delete User Objects

- Descendant User objects - Write Distinguished Name, Write Name, Write name

Destination OU:

- This object only - Create User objects

All permissions are delegated to the test group.

But the thing is that in doesn't work. While trying to move the test user I get an "Access denied" error.

Is there anything I can do more to make it work? I would like to keep it as simple and as minimal as possible.

Hi Experts i have an OU for which i need to export users list to csv file with the below information. Experts help me with the powershell command to achieve this

UserPrincipalName
Display Name
Last Login Date
Account is enabled or disabled
Manager

Hi guys, I need advice regarding AD Site Connections.

Breakdown: 

I have 5 Sites. Lets called them Site A, B, C, D and E. Each site have two domain controllers each. 

We can say A1(Site A Domain Controller 1) B2(Site B Domain Controller 2) E1(Site E Domain Controller 1) etc...

Constant changes are made throughout the day mostly on site A and Site D. Only few changes whatsoever from B,C,E. Any change from A1,A2 or D1,D2 needs to be updated immediately on Site A and D. It is fine for Site B,C,E to get update in 15 mins max.

What is the best way to setup the connections between all 5 sites?

Here's the current setup:

Site A

A1 - Connection to E1 and A2

A2 - Connection to A1

Site B

B1 - Connection to B2 and E2

B2 - Connection to B1, E1 and E2

Site C

C1 - Connection to E1 and C2

C2 - Connection to C1

Site D

D1 - Connection to D2, E2, A2 and C2

D2 - Connection to D1

Site E

E1 - Connection to B1, A2, B1, B2, E2

E2 - Connection to B1, B2, D1, E1 and C2

Hello,

I've inherited a partially completed ADFS implementation. The purpose is to provide authentication services for a in-house Web application. We have a 2-way trust between Domain A and Domain B. We have a single server ADFS farm located in Domain A. Auth through the web app works just fine for ADDS users in domain A. When authenticating with an account in Domain B the The ADFS test login page doesn't complete the process and the login screen just refreshes with no indicators as to why the login attempt didnt complete. 

Hello

I created Home User in Active Directory,

I want to hide the URL of the Netwok drive

NB :attached herewith

network Drive : (\\CONTOSO.DZ\SHARE01\ ) (R:) ........> i wante to have this results in my network drive juste (R:)

Iwante Hide  (\\CONTOSO.DZ\SHARE01\ )

Think's

Dear Forum,

we have the problem with our dns server, when we done join computer client to domain. and can't see host record (A ) record on DNS server. what's the problem with our DNS server? i'm looking for help for this problem. thanks Advance.

This is a strange one.  It keeps happening... 

I have a total of 8 Domain controllers,  this only happens to one specific site and one specific child domain.

Server 2012r2 and Server 2016. forest level of 2008r2 

the DC will be working fine, handling all requests etc.   However when you reboot,  you can no longer log in to console. 

This is happening on physical and virtual machines. 

If I disable the vm's nic in VMware, start the machine up with out being connected to the network, I can log in.  Then I turn the nic back on.

The other symptoms are when the machine reboots it uses all ram assigned to the VM if it is going to fail. 

It will get to 'waiting for ADDS', then reboot again. 

When it does come up, I can enter my password (or any password) and it won't allow me in. 

I disconnect the nic, reboot, it allows me to log in and turn the nic back on. 

Some of the things I'm seeing in event viewer

The winlogon notification subscriber <GPClient> is taking long time to handle the notification event (CreateSession).

I'm trying to create an OU using the command prompt.

I am running the following command in ntdsutil partition management:

create nc DC=xxx,DC=xxx,DC=xx NULL

It gives me the error:

ldap_add_ext_sW error 0c44(68 (Already Exists).

When I check the partitions in ADSI Edit, I don't see the partition there. So I can't delete it because it's not there, but I can't create it because the system is saying it already exist.

Has anyone run into this issue before? Any ideas on how I can get this OU created? I have to create this specific OU for one of our programs to work.

Running on Windows Server 2012 R2

Thanks,

Recently we upgrade (migrate) domain controllers from WS 2003 to WS 2016. The Domain functional level is still on 2003. Everything was looking fine until the clients wasn’t able to take the GPOs. We did the research and found out that system account of the client Windows 10 (compname$) is not able to access to the domain junction in SYSVOL folder on Domain Controller. The NTFS and share permission look fine.

Any idea why the client system account is getting access denied?

Hi All, 

We have around 8 AD servers along with 4 multiple AD sites running 2008 server. More Than 4500 users with multiple subnets. 

All the AD servers are running some application and services like DNS, DHCP, ADFS, Attendance file system, Ad Audit Plus.. etc. 

Active Directory is synced with cloud. Currently we are facing a lot of issues like replication, authentication issue, downtime issue, application down issues.. etc.

In our concern kindly clarify and explain below: 

1. Best practices for AD with multiple sites along with DNS, DHCP services and applications.

2. Whether we can implement with old servers or we need to migrate the servers from old to new. 

3. How to avoid AD Replication and user authentication latency issues.

4. Ho do we overcome application latency issues and downtime issue. 

5. How do we set Site and services topology for multiple site replication. 

6. Is it enough Additional Domain Controller or we needing Child Domain. 

7. Is it the better choice rather branch offices in RODC servers.

8. Best Practices for Active Directory Infra. 

9. How do we set FSMO roles along with multiple sites.

10. Domain Controllers capacity for users. 

Thanks,

Leenas

Hi,

 Need urgent help guys... I know not a Good setup.. but thats what our budget allowed us...

I had I physical server AD and on top of it I had HyperV with SecondaryAD, Exchange. A normal iCore5 desktop as 3rd AD server.

My Physical HDD died and I had to do a fresh Install. but hell broke loose...

My Virtual SecondaryAD cant connect to Domain, AD users & Computers says cannot connect to domain, Cant open ADSIEDIT cannot connect to domain... Even on the 3rd AD.. same issues...

The Sysvol & Netlogon folders are blank..

I did metacleanup and removed my corrupt AD but the remaining 2 servers are still of no use.

DCDIAG

dcdiag /fix

Directory Server Diagnosis

Performing initial setup:
  Trying to find home server...
  Home Server = PrimaryAD
  * Identified AD Forest.
  Done gathering initial info.

Doing initial required tests

  Testing server: Default-First-Site-Name\SECAD
      Starting test: Connectivity
        ......................... SECAD passed test Connectivity

Doing primary tests

  Testing server: Default-First-Site-Name\SECAD
      Starting test: Advertising Fatal Error:DsGetDcName (SECAD) call failed, error 1355
        The Locator could not find the server.
        ......................... SECAD failed test Advertising
      Starting test: FrsEvent
        ......................... SECAD passed test FrsEvent
      Starting test: DFSREvent
        There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL
        replication problems may cause Group Policy problems.
        ......................... SECAD failed test DFSREvent
      Starting test: SysVolCheck
        ......................... SECAD passed test SysVolCheck
      Starting test: KccEvent
        ......................... SECAD passed test KccEvent
      Starting test: KnowsOfRoleHolders
        ......................... SECAD passed test KnowsOfRoleHolders
      Starting test: MachineAccount
        ......................... SECAD passed test MachineAccount
      Starting test: NCSecDesc
        ......................... SECAD passed test NCSecDesc
      Starting test: NetLogons
        ......................... SECAD passed test NetLogons
      Starting test: ObjectsReplicated
        ......................... SECAD passed test ObjectsReplicated
      Starting test: Replications
        ......................... SECAD passed test Replications
      Starting test: RidManager
        ......................... SECAD passed test RidManager
      Starting test: Services
            DFSR Service is stopped on [SECAD]
        ......................... SECAD failed test Services
      Starting test: SystemLog
        An error event occurred. EventID: 0x00000423
            Time Generated: 06/01/2019 02:53:04
            Event String: The DHCP service failed to see a directory server for authorization.
        An error event occurred. EventID: 0xC00038D6
            Time Generated: 06/01/2019 02:58:48
            Event String:
            The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
        ......................... SECAD failed test SystemLog
      Starting test: VerifyReferences
        ......................... SECAD passed test VerifyReferences


  Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
        ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
        ......................... ForestDnsZones passed test CrossRefValidation

  Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
        ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
        ......................... DomainDnsZones passed test CrossRefValidation

  Running partition tests on : Schema
      Starting test: CheckSDRefDom
        ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
        ......................... Schema passed test CrossRefValidation

  Running partition tests on : Configuration
      Starting test: CheckSDRefDom
        ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
        ......................... Configuration passed test CrossRefValidation

  Running partition tests on : Mydomain
      Starting test: CheckSDRefDom
        ......................... Mydomain passed test CheckSDRefDom
      Starting test: CrossRefValidation
        ......................... Mydomain passed test CrossRefValidation

  Running enterprise tests on : Mydomain.com
      Starting test: LocatorCheck
        Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
        A Global Catalog Server could not be located - All GC's are down.
        Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
        A Time Server could not be located.
        The server holding the PDC role is down.
        Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
        A Good Time Server could not be located.
        Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
        A KDC could not be located - All the KDCs are down.
        ......................... Mydomain.com failed test LocatorCheck
      Starting test: Intersite
        ......................... Mydomain.com passed test Intersite

If I try giving permission to any folder I can see all users. but they are as Local users not Domain users..

Can anyone help me here...

Any pointer... Anything to bring this alive... I have approx 90 users attached who are offline since past 2 days....

creating now domain will be creating New Exchange too..

Please HELP!!

bikram

Scenario:

Site A (Being Decommissioned):

• DC1
• DC2

Site B (New Data Center):

• DC3
• DC4

Issue:

After building out net new DC3 and DC4 into the domain, and having them joined to the domain and promoted to domain controllers, I have moved the PDC role off from DC2 to DC4; When about to shut down DC1 and DC2, we noticed that when they are shut down any PCs are not able to login to the domain when they are shut off. Long story short, DCDIAG showed a bunch of errors listed below:

• DC1 - Failing dcdiag LocatorCheck PDC Error 1355
• DC2 - Failing dcdiag LocatorCheck PDC Error 1355
• DC3 - Failing Advertising, DSGetName returned info for DC1 when trying DC3
• DC3 - NetLogons failing (Unable to connect to Netlogon Share \\DC3\netlogon, Error 67)
• DC3 - Failing dcdiag LocatorCheck PDC Error 1355
• DC4 - Failing Advertising, DSGetName returned info for DC2 when trying DC4
• DC4 - NetLogons failing (Unable to connect to Netlogon Share \\DC4\netlogon, Error 67)

Any idea on what may be causing some of this and how to correct it so that I am able to properly decommission DC1 and DC2?

Hello, 

My journey into IT waters was a little bit rough but I'm getting better and better every day. And often, the rabbit holes go not only so deep but there are labyrinths/mazes all over (sounds like some poet or so! :D). Can anybody explain to me the difference between recovering deleted objects (like 10 deleted accounts) versus group deletion(with 10 accounts)?

I understand there is a difference if Active Directory Recycle Bin is enabled (we can go to it and recover the deleted object quite fast - can we do it with groups???). If there is no ADRB at our disposal, there is this ntdsutil,authoritative restore (either object or ou). So what's the story with deletion of groups? Another possibility was so called "tombstone reanimation" but this one lack restoration of proper permissions if I'm not mistaken. Is there any article explaining the difference or could some IT whizz kid drop some clues right here???

Thanks! 

========

"Unfortunately, no one can be…told what the Matrix is. You have to see it for yourself. This is your last chance. After this, there is no turning back. You take the blue pill , the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill , you stay in Wonderland, and I show you how deep the rabbit hole goes"Matrix