Hello Folks,

My domain controller is windows server 2016.

It is placed in DR site and its additional domain controller.

Its running on vmware infrastructure and we have taken snapshot of the VM, and revert it back after the changes.

Now we try to open the active directory users and computers we get the below error.

Good Morning,

I have 2 DCs in our main office and 1 DC in our remote office.

I needed to create a new GPO the other day for our remote office. I created it on our DC in the main location, and noticed the GPO never replicated to the remote office.

The GPO replicated, but none of the settings. I started digging around and noticed the C:\Windows\SYSVOL\domain\Policies folder within our DCs in our main office have the new folders, but the folders have not replicated to the remote office.

Folders as in {8ELJDKLNN.......} etc.

It appears that the replication hasnt occured in over a year or so.

What's the best way to resolve this or can I delete everything in the Policies folder on the remote DC and just copy from main DC to remote DC?

Hi 

I have two AD forest want to migrate the user and groups, ADMT 3.2 going to utilized for migration. 

over all user object: 5000

over all group object: 7000

multiple object I'm selecting and migrating to new domain. This taking long time to complete my project activity and also unable to track the migration activity.

I have 22 OU, each OU contains user and groups there is no nesting group involves all are Global group.

Please assist me in migrating the object in bulk method using ADMT tool. 

Dear everyone.

Why we can't change Zone dynamic update option ? We are using Active directory integrated. 

Thanks. 

Good morning,

First off let me fill you in on my environment.  I manage the windows environment for Pre-K through 12th grade public education.  For some reason some of our clients are getting the wrong logonserver which when this happens always ends up being the Pre-K domain server.  All of our other DCs/Sites are connected across town by 10gig fiber backbone, yet this one is connected through a 1 to 1 nat slow internet connection...yet the few times this happens and the LOGONSERVER is incorrectly selected it's ALWAYS this site.

I'll show you our site links / costs / replication Intervals if that helps...but I'm at a loss from staring at this too long and sure I'm overlooking something obvious.

Any Input/Suggestions are greatly appreciated!

Thank you!

Hi All,

I have a domain which is at 2008r2 functional level. All domain controllers are 2012R2 servers.

In our default domain policy, we have specified account lockout policies. These policies are applying to all our domain joined machines (verified exhaustively).  All the policies are working perfectly, the polices act as expected when thresholds are reached.

The problem I am having is this:

We have a resource domain used for development. We have 2, 1 way non-transitive trusts between this dev domain and our production domain.  When people login to the production domain from the dev domain with bad passwords, none of the account lockout policies are applying.

For example, a person will log into a machine in the development domain with their development domain credentials. They will then map a drive to our production domain using the production domain credentials. All is fine until they change their production domain password on another machine (usually their production domain machine). The machine in the development domain will then start issuing bad password attempts (literally thousands in a 12 hour period) but the production account will never lock out.

Is this expected behavior, or should those production accounts issuing thousands of bad passwords from the development domain computer get locked out? I have a hard time thinking that account lockouts only occur if you attempt to log in from a domain joined computer. Seems to me this would open the door to brute force password attacks, since the account will never lock out.

I have verified that all our domain controllers do have the lockup policies applied to them so therefore invalid password attempts should trigger a lockout, but that does not appear to be happening.

Any help or ideas would be appreciated.

Thanks,

John

Hi all,

We are doing a takeover on a Customer's plattform that currently has an AD on 2003 FFL/DFL.

However all the DCs are on 2008R2 OS.

Now, we're building a new platform for them, where we are going to deploy a new Forest on 2016 OS and 2016 FFL/DFL.

Obviously, they want us to create a Forest Trust between both ADs, until we can de-provision the old one.

Anybody know about limitations/Issues on this scenario? I mean, I've been searching on MSFT official documenation regarding Functional levels and I only can find DC OS compatibility, but nothing regarding Trust compatibilities or issues.

Furthermore, does anybody know about issues between these OS versions. Maybe something related with SMB protocol?

Thanks a lot in advance.

Hello,

I have a server 2003 domain forest. there are one parent domain and 3 child domain. Now i have created a one new forest on server 2019. how can sync user voice versa.

Thanks

Ashish jha

Hi 

May I know the use case of security-baseline-final-for-windows-10-v1903-and-windows-server-v1903.

https://blogs.technet.microsoft.com/secguide/2019/05/23/security-baseline-final-for-windows-10-v1903-and-windows-server-v1903/?MC=Windows&MC=SecSys&MC=MSAzure&MC=WinServer&MC=SysMagSof

Refer the article for more information. May I know the use of security-baseline and how to implement in production infrastructure.

how do we get benefit in implementing the security-baseline.

Please assist with your answer.

hi all

its for second time posted this issue 

we have two dc

dc1= windows 2016 work as additional

dc 2= windows 2012 r2 work as PDc

when we  promote windows  2016 as additional,  SYSVOL not replicated from DC2 .

how can fix my issue to sync automatically between domain controller ?

*below link included DCDIAG output

https://1drv.ms/u/s!Ahj4Fm-4SY_Yb6t4vNREKUkcDJU

I've set the account lockout policy in the Default Domain Policy which is linked at the domain level. All other policies in our Default Domain Policy are applying correctly. However, the Account lockout threshold his not applying. I entered an incorrect password 34 times within 30 minutes for a user on one workstation. The badPwdCount goes up, but the account is never locked. 

On the client a net accounts shows the correct info:

C:\WINDOWS\system32>net accounts
<cut>
Lockout threshold:                                    17
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.

And gpresults on the computer show the default domain policy is applying. I don't have the Account Lockout Policies applied anywhere else.  

Our DCs are running Windows Server 2016 and the client is on Windows 10 1803

What am I missing?

Hello Guyz,

Recently, there was a mass update of existing sAMAccountName in AD in my organization.

Once the change has been performed successfully by IT team, max number of users were logged-in successfully using the new sAMAccountName and also were able to access .NET applications successfully.

However, there were few users whose sAMAccountName updated successfully on AD side, but after they login using updated sAMAccountName, the .NET applications still reflect the old sAMAccountName.

Definitely its not an .NET application issue, because 90% of users have no issues in accessing it after the sAMAccountName update.

I suspect somewhere still the old sAMAccountName is being stored in system which cause the issue. I tried already below workarounds.

1. Delete browsing history/cache

2. Delete temp internet files.

3. ipconfig/flushdns

4. Restart of laptop

Also, weird issue i noticed is when i opened cmd, I see the old sAMAccountName for affected users as below.

Any inputs on how to get the updated AD sAMAccountname reflected would be much helpful. Thanks.

I have read the article 'Kerberos Constrained Delegation Overview'.

I have the following scenarios:

1/

Server1 (Domain1) -> Server2 (Domain2) -> Server3 (Domain2)

2/

UserMachine1 (Domain1) -> Server2 (Domain2) -> Server3 (Domain2).

The examples I have seen on online are for scenario 1, where we have one UserId which we can switch delegation on for.

But what about scenario 2? We have multiple users wanting to access a RestApi directly under their own username with cross domain delegation.

Thanks in advance!

Arun

In process of switching dc from 2003std to 2008 x64 std sp2. downloaded 32 bit version of adprep.exe and ran adprep /forestprep with no errors. when running adprep /domainprep I get error messages.

Hi, trying to get adprep /domainprep to complete. adprep /forestprep ran fine. I received the following errors as pulled from adprep.log. Schema shows being at 44 (2008) Used ASDI to look at permissions. I believe permissions are where they are supposed to be, but not sure. Any help would be greatly appreciated.

Output from adprep.log

Adprep checked to verify whether operation cn=0b7fb422-3609-4587-8c2e-94b10f67d1bf,cn=Operations,cn=DomainUpdates,cn=System,DC=fia,DC=local has completed.[Status/Consequence]The operation GUID already exists so Adprep did not attempt to rerun this operation but is continuing.

Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=71482d49-8870-4cb3-a438-b6fc9ec35d70,cn=Operations,cn=DomainUpdates,cn=System,DC=fia,DC=local.

LDAP API ldap_search_s() finished, return code is 0x20

Adprep verified the state of operation cn=71482d49-8870-4cb3-a438-b6fc9ec35d70,cn=Operations,cn=DomainUpdates,cn=System,DC=fia,DC=local. [Status/Consequence]The operation has not run or is not currently running. It will be run next.

Adprep was about to call the following LDAP API. ldap_add_s(). The entry to add is CN=Password Settings Container, CN=System,DC=fia,DC=local.

LDAP API ldap_add_s() finished, return code is 0x13

Adprep was unable to create the object CN=Password Settings Container, CN=System,DC=fia,DC=local in Active Directory Domain Services.[Status/Consequence]This Adprep operation failed.[User Action] Check the log file ADPrep.log in the (null) directory for more information. Restart Adprep.

Adprep encountered an LDAP error. Error code: 0x13. Server extended error code: 0x51b, Server error message: 0000051B: AtrErr: DSID-03150B5E, #1:
 0: 0000051B: DSID-03150B5E, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)
.

Adprep was unable to update domain information. [Status/Consequence]Adprep requires access to existing domain-wide information from the infrastructure master in order to complete this operation.[User Action] Check the log file, ADPrep.log, in the C:\WINDOWS\debug\adprep\logs\20101221105735 directory for more information.

I have spent the last 3 weeks researching/working on pulling this project off without a hitch (replacing a domain controller), however everything has gone horribly  wrong and I really need some help.

The machine that was decommissioned was a Windows Server 2008 R2 - 

DCpromo.exe fails  DCpromo.exe /forceremoval - also fails

I ended up powering off the old DC, and attempting manual deletion (yes I validated "project object from accidental deletion" is unchecked from sites/services and users/computers. I am logged in as an enterprise admin and I am still unable to delete the object from the OU - Domain Controllers. I used ADSI Edit to remove it and attempted a ntds metadata clean up from an online guide I found (this through a permissions error).

Now I have the new DC up, I used a different hostname but the same IP. I am able to get users to replicate across all domain controllers (I have 4), but NSLookup is failing on my local host machine and I see a slew of errors on the server itself.

Under DNS Tab on server manager I have: Error 4015 - DNs server has encountered a critical error from the Active directory etc.

Error 4013 - The DNS server is waiting for AD DS To signal the initial sync etc.

Error 407, 408 etc.

Under the AD DS Tab I have getting the following errors:

Error 1308, error 2087 & 4013

Hello Guyz,

Recently, there was a mass update of existing sAMAccountName in AD in my organization.

Once the change has been performed successfully by IT team, max number of users were logged-in successfully using the new sAMAccountName and also were able to access .NET applications successfully.

However, there were few users whose sAMAccountName updated successfully on AD side, but after they login using updated sAMAccountName, the .NET applications still reflect the old sAMAccountName.

Definitely its not an .NET application issue, because 90% of users have no issues in accessing it after the sAMAccountName update.

I suspect somewhere still the old sAMAccountName is being stored in system which cause the issue. I tried already below workarounds.

1. Delete browsing history/cache

2. Delete temp internet files.

3. ipconfig/flushdns

4. Restart of laptop

Also, weird issue i noticed is when i opened cmd, I see the old sAMAccountName for affected users as below.

Any inputs on how to get the updated AD sAMAccountname reflected would be much helpful. Thanks.

I’m having a very difficult time coming up with a good name for our new Enhanced Security Administrative Environment AD Forest (aka “Red Forest”). For security reasons, I won’t disclose what our actual internal domain names are, but the company name is represented by a three letter abbreviation. We have 3 different Forests, and this red forest would need to cover all of them.

So, not using our actual three letter abbreviation, our AD Forests are ABC.local (the primary Forest), abcorg.com (another Forest), and abc.public.com (DMZ Forest). It is very important that we pick a name for this new red forest that makes sense. it should identify it as a red forest (used for enhanced security), but also identify our company as being related to it (the “abc” abbreviation”). It should not be named in a way that gives the impression it is only used for one of our three forests, but for all of them (not to mention any that could be added in the future, but that is obviously less important...).

Can anyone provide some examples of names they have used for their red forests? Our primary internal forest is ABC.local, but I can’t use something like esae.abc.local because that would make it a sub-domain. I also don’t think I should use abc.com because we might eventually switch our internal domain to the dot com namespace....

It seems that a common naming method has not been devised for red forests yet, and I’m thinking that perhaps one should be. These AD Forests are always, by definition, going to be related to at least one other AD Forest. So, shouldn’t a common naming method be devised for them? Something that indicates “this is the red forest for <this> AD Forest.” I think that would help a lot of people/companies out, and the community in general.

Please comment with your suggestions specific to my circumstance, and/or your thoughts on a common naming structure for Red Forests in general.

Thanks!

-Evan

Hi All,

I am trying to automate this notification in our organization where a User's Manager receives a notification regarding the expiration of User's account. In case the Manager field is empty or Manager is disabled, the mail is sent to User informing the expiry and asking to update correct manager.

I tested the below script but the 'else' part does not works, I was able to receive mails where User's manager is Valid. (Invalid Manager= Disabled/empty)

Please help to get this work.

Import-Module ActiveDirectory
$From = "itservicedesk@xyz.com"

$SMTPServer = "mailrelay.xyz.com"
$startDate = Get-Date
$endDate = $startDate.AddDays(30)
$Users = Get-ADUser -Filter {AccountExpirationDate -gt $startDate -and AccountExpirationDate -lt $endDate -and enabled -eq 'True'} -Properties SamAccountName, name, mail, AccountExpirationDate, Manager


Foreach($User in $Users)
    {
        $ManagerID = $null
        $active = $null
        $ManagerID = Get-ADUser $User.Manager -Properties SamAccountName | select SamAccountName
        $active = Get-ADUser $User.Manager -Properties enabled | select enabled
        $ManagerName = Get-ADUser $User.Manager -Properties GivenName | select GivenName
        If 
            ($ManagerID -ne $null -and $active -ne "False") 
                    {
                            $Manager = Get-ADUser $User.Manager -Properties EmailAddress
                            $ManagerName = Get-ADUser $User.Manager -Properties GivenName
                            $To = $Manager.EmailAddress
                            $CC = $User.mail
                            $To = "myemail@self.com" #for testing
                            $Subject = "Network Account Expiration Notification for $($User.Name) ($UserID)"
                            $Body = "Dear $($ManagerName.GivenName),
The Network User Account of $($User.Name) will be expiring on $($User.AccountExpirationDate). The expiration of the account would mean that the user will not be able to login to network.

If the account is no longer required then kindly raise an Off-boarding request.
Off-boarding link: https://

If the account is still required, kindly use the below request template to extend the account’s expiration date.
Extension Request link: https://

For further assistance, please contact IT Service Desk.

P.S: This is an automated notification, please do not reply to this email.

Thanks & Regards,
IT Service Desk"
Send-MailMessage -To $To -From $From -Subject $Subject -SmtpServer $SMTPServer -Body $Body -Port 25
                    }  
        Else
                    {
                    #$To = $User.mail
                    $To = "myemail@self.com" #for testing
                    $Subject = "Network Account Expiration Notification for $($User.Name) ($UserID)"
                    $Body = "Dear $($User.GivenName),
Your Network User Account will be expiring on $($User.AccountExpirationDate). The expiration of the account would mean that you will not be able to login to network.

If the account is still required, kindly ask your manager to request for extension. Our systems do not have your current manager information and hence the email is being sent to you.
Extension Request link: https://

For further assistance, please contact IT Service Desk.

P.S: This is an automated notification, please do not reply to this email.

Thanks & Regards,
IT Service Desk"
Send-MailMessage -To $To -From $From -Subject $Subject -SmtpServer $SMTPServer -Body $Body -Port 25
                    }


    }