I have created several custom attributes in a test AD environment. Each is a single-valued unicode string that I have added to the user class. The first attribute I created works as expected. When I use get-ADuser -property CusAttribute1 I get back an object with type string. Every other custom attribute I have created I get back an object with type Microsoft.ActiveDirectory.Management.ADPropertyValueCollection.

Domain functional level 2008R2. I am able to extract the array to a string value in the select statement, but I don't understand why two attributes that were created in the same way are performing differently, and I don't want to have to extract the value from the array if I don't have to.

Get-ADuser someUser -Properties cusAttribute1,cusAttribute2 |gm

The expected result would be that cusAttribute 1 and 2 would have a type of String, but instead cusAttribute1 has a type of String and cusAttribute2 has a type of Microsoft.ActiveDirectory.Management.ADPropertyValueCollection and is an array with one value in it.

Hello,  I accidentally add a few accounts with their uid numbers in the 500M when it should have been 50M.  Of course this has created a few headaches with some linux clients which I managed to change their UID numbers.  Now whenever I add a new account the UID sequence to the next number in the 500M range,  is there an option in Active Directory which will allow me to change the UID start number to the 50M range?

Any help is appreciated.

LouB

Hi team, 

In my organization every users need to install software's and application in day to day activities. Every time server administrator should involve this task. we need to give that only the software installation permission to one particular user but he wont access any other activities and modification in the Active Directory domain level. 

Is there any Group policies or any other solutions to overcome the issue. 

Thanks, 

Lee

Dear Everyone!!

Please let's me ask some question relate to Sysvol DFSR on my domain.

Correctly my company have 3 DCs. DC1,DC2 is Head office and DC3 locate at DR office. we have setup new DC4 at DR office.

and i notices that DC4 no SYSVOL_DFSR. so what the issue on my DC4?

Noted: 

currently we are separate the role 

Schema master               DC-1.domain.com.kh
Domain naming master      DC-1.domain.com.kh
PDC                             DC-2.domian.com.kh
RID pool manager             DC-2.domian.com.kh
Infrastructure master        DC-2.domian.com.kh

Hi,

I am having two Win2012R2 Domain controller and nine RODC in remote area. I have noticed that SMBv1 is enable (which is default settings) and as per our security team recommendations i want to disable the SMBv1 from our Domain Controllers. And our DCs are also running DNS service. My question is, will there be any impact on our domain if we disable SMBv1. 

Thanks.

Hey,

I have noticed that one of my servers is no longer replicating SYSVOL directory. I found the following warning in logs:

The DFS Replication service has detected an unexpected shutdown on volume D:. This can occur if the service terminated abnormally (due to a power loss, for example) or an error occurred on the volume. The service has automatically initiated a recovery process. The service will rebuild the database if it determines it cannot reliably recover. No user action is required. 

Additional Information: 
Volume: D: 
GUID: BAC2E4F2-0000-0000-0000-100000000000

The recovery seems to be completed but some folders are still not replicating and I see the following entries in DFSR debug logs. Any ideas how to fix that ?

What is TechNet Guru Competition?

Each month Microsoft TechNet Wiki council organizes a contest of the best articles posted that month. This is your chance to be announced as MICROSOFT TECHNOLOGY GURU OF THE MONTH!

One winner in each category will be selected each month for glory and adoration by the MSDN/TechNet Ninjas and community as a whole. Winners will be announced in dedicated blog post that will be published inMicrosoft Wiki Ninjas blog, a tweet fromMicrosoft Wiki Ninjas Twitter account, links will be published atMicrosoft TNWiki group on Facebook, and other acknowledgement from the community will follow.

Some of our biggest community voices and many MVPs have passed through these halls on their way to fame and fortune.

If you have already made a contribution in the forums or gallery or you published a nice blog, then you can simply convert it into a shared wiki article, reference the original post, and register the article for the TechNet Guru Competition. The articles must be written in July 2019 and must be in English. However, the original blog or forum content can be from beforeJuly 2019.

Come and see who is making waves in all your favorite technologies. Maybe it will be you!

Who can join the Competition?

Anyone who has basic knowledge and the desire to share the knowledge is welcome. Articles can appeal to beginners or discusse advanced topics. All you have to do is to add your article to TechNet Wiki from your own specialty category.

How can you win?

1. Please copy/Write over your Microsoft technical solutions and revelations to TechNetWiki.
2. Add a link to your new article on THIS WIKI COMPETITION PAGE (so we know you've contributed)
3. (Optional but Recommended) Add a link to your article at the TechNetWiki group on Facebook to get feedback and tips from the council members and from the community. The group is very active and people love to help. You can even get direct improvements to your article before the contest starts.

Do you have any question or want more information?

Feel free to ask any questions below, or Join us at the official MicrosoftTechNet Wiki groups on facebook. Read More about TechNet Guru Awards.

If you win, people will sing your praises online and your name will be raised as Guru of the Month.

PS: Above top banner came from James van den Berg.

Please, If you think your question has been answered click "Mark as Answer" if just helped click "Vote as helpful". This can be beneficial to other community members reading this forum thread.

I accidentally installed AD on W2K16 prior to changing to a static IP. Is there anything broken that I will need to fix? I changed the DNS records for the server but don't know if there is anything else I will need to change or fix once I move it to the correct IP.

TIA!

Hi Experts

we have  standard group policy for password expiry for 3 months, but i have seen few users get password expiry prompt before 3 Months. i have checked for one user from adsiedit and i can see his last password was changed one month back and GPO is 3 months and he got password expiry prompt, experts guide me on this.

Hi Support,

I want to customize below Domain Groups permission. like if i have assigned backup operator to any one of the admin after that they can only manage backup part and Restrict to do any thing related to active directory users, groups, computer, group polices etc.

2nd i have assign RDP access after that admin can't be make any changes on active directory or any other services. 

• Enterprise Admins
• Domain Admins
• Schema Admin
• BUILTIN\Administrators
• Account Operators
• Backup Operators
• Print Operators
• Server Operators
• Domain Controllers
• Read-only Domain Controllers
• Group Policy Creators Owners
• Cryptographic Operators

Hello Everyone,

I have a windows 2003 server with Identity Management for UNIX role (unix attributes), Now i have enabled Identity Management for UNIX in another 2012 server. However, for the users who have unix attribute enabled from 2003 server is not updated in new 2012 server. Only users accounts having this issue and groups GID are synced from old server. 

Anything i need to do to sync between these 2 servers ? or how can i fix this ?

Hi there,

We have a domain a.com that is not trusted by domain b.com i.e.,

a.com trusts b.com

b.com does not trust a.com

I have run into a problem where a user in a.com fails to logon from a computer in b.com wanting to access resources in a.com. The user was able to log on before and I don't know what may have changed.

We have a trust setup in 2012r2 which is the a.com domain but due to lack of network visibility I am unable to confirm what kind of trust it really is. Once I get visibility back I can check that out but in the meantime could I get some advise on what I need to check.

Many thanks,

Tony

Good morning, since many days ago I am trying to add an additional Domain Controller (Replica) to my customers AD infrastructure. Unfortunately, when wizard is trying to add the AD, appear an error: The wizard cannot gain access to the list of domains in the forest. Domain functional level is Windows 2012 (All servers in the domain are W 2012 R2). I checked about sharing files and printers option to be enabled (it is), also i checked on the DCs about DNS registers and some more things about resolution but I don't know why appears the error. I have read the dcpromoui.log and here is a piece of this, can someone help me?

dcpromoui 1340.13AC 0000 11:49:26.537 opening log file C:\Windows\debug\dcpromoui.log
dcpromoui 1340.13AC 0001 11:49:26.537 C:\Windows\system32\wsmprovhost.exe
dcpromoui 1340.13AC 0002 11:49:26.538 file timestamp 11/21/2014 21:44:53.032
dcpromoui 1340.13AC 0003 11:49:26.538 C:\Windows\system32\dcpromocmd.dll
dcpromoui 1340.13AC 0004 11:49:26.538 file timestamp 05/23/2019 17:44:47.985
dcpromoui 1340.13AC 0005 11:49:26.538 local time 06/22/2019 11:49:26.538
dcpromoui 1340.13AC 0006 11:49:26.538 running Windows NT 6.3 build 9600  (BuildLab:9600.winblue_ltsb_escrow.190505-1600) amd64
dcpromoui 1340.13AC 0007 11:49:26.538 logging flags 0001007C
dcpromoui 1340.13AC 0008 11:49:26.538 Enter CbsGetUpdateInstallState
dcpromoui 1340.13AC 0009 11:49:26.538   The category is 0
dcpromoui 1340.13AC 000A 11:49:26.538   Enter FindRoleInfo
dcpromoui 1340.13AC 000B 11:49:26.538     Enter CheckIsServerCore
dcpromoui 1340.13AC 000C 11:49:26.538       It is not on server foundation
dcpromoui 1340.13AC 000D 11:49:26.538       HRESULT = 0x00000000
dcpromoui 1340.13AC 000E 11:49:26.538   Enter GetUpdateName
dcpromoui 1340.13AC 000F 11:49:26.538   Enter GetPackageName
dcpromoui 1340.13AC 0010 11:49:26.774     Package name for Microsoft-Windows-ServerCore-Package is Microsoft-Windows-ServerCore-Package~31bf3856ad364e35~amd64~~6.3.9600.16384
dcpromoui 1340.13AC 0011 11:49:26.783   Enter CbsGetUpdateInstallState
dcpromoui 1340.13AC 0012 11:49:26.783     package name is Microsoft-Windows-ServerCore-Package~31bf3856ad364e35~amd64~~6.3.9600.16384 and update name is DirectoryServices-DomainController
dcpromoui 1340.13AC 0013 11:49:27.453   HRESULT = 0x00000000
dcpromoui 1340.13AC 0014 11:49:27.454 Enter CbsIsRebootRequired
dcpromoui 1340.1294 0015 11:49:27.588 Enter GetProductTypeFromRegistry
dcpromoui 1340.1294 0016 11:49:27.590   Enter RegistryKey::Open System\CurrentControlSet\Control\ProductOptions
dcpromoui 1340.1294 0017 11:49:27.590   Enter RegistryKey::GetValue-String ProductType
dcpromoui 1340.1294 0018 11:49:27.590   ServerNT
dcpromoui 1340.1294 0019 11:49:27.590   prodtype : 0x3
dcpromoui 1340.1374 001A 11:49:32.758 Enter GetExistingAccountForComputerInReplicaDomain
dcpromoui 1340.1374 001B 11:49:32.758   START TEST: GetExistingAccountForComputerInReplicaDomain
dcpromoui 1340.1374 001C 11:49:32.763   Enter Computer::RemoveLeadingBackslashes 
dcpromoui 1340.1374 001D 11:49:32.765   Using empty constructor
dcpromoui 1340.1374 001E 11:49:32.765   Enter Computer::Refresh
dcpromoui 1340.1374 001F 11:49:32.765     Enter IsLocalComputer
dcpromoui 1340.1374 0020 11:49:32.765     Enter RefreshLocalInformation
dcpromoui 1340.1374 0021 11:49:32.765     Enter GetProductTypeFromRegistry
dcpromoui 1340.1374 0022 11:49:32.765       Enter RegistryKey::Open System\CurrentControlSet\Control\ProductOptions
dcpromoui 1340.1374 0023 11:49:32.765       Enter RegistryKey::GetValue-String ProductType
dcpromoui 1340.1374 0024 11:49:32.765       ServerNT
dcpromoui 1340.1374 0025 11:49:32.765       prodtype : 0x3
dcpromoui 1340.1374 0026 11:49:32.765     Enter GetSafebootOption
dcpromoui 1340.1374 0027 11:49:32.765       Enter RegistryKey::Open System\CurrentControlSet\Control\SafeBoot\Option
dcpromoui 1340.1374 0028 11:49:32.765       HRESULT = 0x80070002
dcpromoui 1340.1374 0029 11:49:32.765       returning : 0x0
dcpromoui 1340.1374 002A 11:49:32.765     Enter DetermineRoleAndMembership
dcpromoui 1340.1374 002B 11:49:32.766       Enter MyDsRoleGetPrimaryDomainInformation
dcpromoui 1340.1374 002C 11:49:32.766         Enter MyDsRoleGetPrimaryDomainInformationHelper
dcpromoui 1340.1374 002D 11:49:32.766           Calling DsRoleGetPrimaryDomainInformation
dcpromoui 1340.1374 002E 11:49:32.766           lpServer  : (null)
dcpromoui 1340.1374 002F 11:49:32.766           InfoLevel : 0x1 (DsRolePrimaryDomainInfoBasic)
dcpromoui 1340.1374 0030 11:49:32.766           HRESULT = 0x00000000
dcpromoui 1340.1374 0031 11:49:32.766         MachineRole      : 0x3
dcpromoui 1340.1374 0032 11:49:32.766         Flags            : 0x1000000
dcpromoui 1340.1374 0033 11:49:32.766         DomainNameFlat   : FARMACIACHAVEZ
dcpromoui 1340.1374 0034 11:49:32.766         DomainNameDns    : farmaciachavez.local
dcpromoui 1340.1374 0035 11:49:32.766         DomainForestName : farmaciachavez.local
dcpromoui 1340.1374 0036 11:49:32.766       Enter IsDcInRepairMode
dcpromoui 1340.1374 0037 11:49:32.766   HRESULT = 0x00000000
dcpromoui 1340.1374 0038 11:49:32.766   Enter State::DetermineRunContext
dcpromoui 1340.1374 0039 11:49:32.767     Enter DS::GetPriorServerRole
dcpromoui 1340.1374 003A 11:49:32.767       Enter MyDsRoleGetPrimaryDomainInformation
dcpromoui 1340.1374 003B 11:49:32.767         Enter MyDsRoleGetPrimaryDomainInformationHelper
dcpromoui 1340.1374 003C 11:49:32.767           Calling DsRoleGetPrimaryDomainInformation
dcpromoui 1340.1374 003D 11:49:32.767           lpServer  : (null)
dcpromoui 1340.1374 003E 11:49:32.767           InfoLevel : 0x2 (DsRoleUpgradeStatus)
dcpromoui 1340.1374 003F 11:49:32.767           HRESULT = 0x00000000
dcpromoui 1340.1374 0040 11:49:32.767         OperationState      : 0
dcpromoui 1340.1374 0041 11:49:32.767         PreviousServerState : 0
dcpromoui 1340.1374 0042 11:49:32.767     Enter Computer::GetNetbiosName
dcpromoui 1340.1374 0043 11:49:32.767       SVRSCZDCFCH
dcpromoui 1340.1374 0044 11:49:32.767     Enter Computer::GetRole SVRSCZDCFCH
dcpromoui 1340.1374 0045 11:49:32.767       role: 3
dcpromoui 1340.1374 0046 11:49:32.767     NT5_MEMBER_SERVER
dcpromoui 1340.1374 0047 11:49:32.767   Enter State::GetRunContext NT5_MEMBER_SERVER
dcpromoui 1340.1374 0048 11:49:32.767   Enter FS::GetPathSyntax C:\Windows\system32
dcpromoui 1340.1374 0049 11:49:32.767   HRESULT = 0x00000000
dcpromoui 1340.1374 004A 11:49:32.767   Enter State::SetMode STAGETWO
dcpromoui 1340.1374 004B 11:49:32.767   Enter State::SetOperation REPLICA
dcpromoui 1340.1374 004C 11:49:32.767   Enter GetCredentialsFunctInternal
dcpromoui 1340.1374 004D 11:49:32.767     Enter ShouldSkipCredentialsPage
dcpromoui 1340.1374 004E 11:49:32.767       Enter State::GetOperation REPLICA
dcpromoui 1340.1374 004F 11:49:32.767     using empty user domain name
dcpromoui 1340.1374 0050 11:49:32.767     Enter State::GetOperation REPLICA
dcpromoui 1340.1374 0051 11:49:32.771     Enter GetForestName farmaciachavez.local
dcpromoui 1340.1374 0052 11:49:32.771       Enter MyDsGetDcName
dcpromoui 1340.1374 0053 11:49:32.771         Enter MyDsGetDcName2
dcpromoui 1340.1374 0054 11:49:32.771           Calling DsGetDcName
dcpromoui 1340.1374 0055 11:49:32.771           ComputerName : (null)
dcpromoui 1340.1374 0056 11:49:32.771           DomainName   : farmaciachavez.local
dcpromoui 1340.1374 0057 11:49:32.771           DomainGuid   : (null)
dcpromoui 1340.1374 0058 11:49:32.771           SiteName     : (null)
dcpromoui 1340.1374 0059 11:49:32.771           Flags        : 0x40000000
dcpromoui 1340.1374 005A 11:49:32.772           HRESULT = 0x00000000
dcpromoui 1340.1374 005B 11:49:32.772           DomainControllerName    : \\PDCSVRFCH.farmaciachavez.local
dcpromoui 1340.1374 005C 11:49:32.772           DomainControllerAddress : \\192.168.0.16
dcpromoui 1340.1374 005D 11:49:32.772           DomainGuid              : {7861FD9E-4A7E-4B4C-9A40-79EE5406035C}
dcpromoui 1340.1374 005E 11:49:32.772           DomainName              : farmaciachavez.local
dcpromoui 1340.1374 005F 11:49:32.772           DnsForestName           : farmaciachavez.local
dcpromoui 1340.1374 0060 11:49:32.772           Flags                   : 0xE000F3FD:
dcpromoui 1340.1374 0061 11:49:32.772           DcSiteName              : Default-First-Site-Name
dcpromoui 1340.1374 0062 11:49:32.772           ClientSiteName          : Default-First-Site-Name
dcpromoui 1340.1374 0063 11:49:32.772     using forest name farmaciachavez.local
dcpromoui 1340.1374 0064 11:49:32.772     Enter State::GetOperation REPLICA
dcpromoui 1340.1374 0065 11:49:32.772     Enter State::SetForestName farmaciachavez.local
dcpromoui 1340.1374 0066 11:49:32.773     Enter State::SetTargetDomainName farmaciachavez.local
dcpromoui 1340.1374 0067 11:49:32.773     Enter CheckUserIsLocal
dcpromoui 1340.1374 0068 11:49:32.773     Enter State::GetOperation REPLICA
dcpromoui 1340.1374 0069 11:49:32.773     Enter State::ReadDomains
dcpromoui 1340.1374 006A 11:49:32.773       Enter State::GetTargetDomainName
dcpromoui 1340.1374 006B 11:49:32.773         Enter State::GetOperation REPLICA
dcpromoui 1340.1374 006C 11:49:32.773         target domain name: farmaciachavez.local
dcpromoui 1340.1374 006D 11:49:32.773       Enter CDomains::ReadDomains
dcpromoui 1340.1374 006E 11:49:32.773         Enter MyDsEnumerateDomainTrusts
dcpromoui 1340.1374 006F 11:49:32.773           Enter GetDcName
dcpromoui 1340.1374 0070 11:49:32.773             Enter GetDcName2
dcpromoui 1340.1374 0071 11:49:32.773               Enter MyDsGetDcName2
dcpromoui 1340.1374 0072 11:49:32.773                 Calling DsGetDcName
dcpromoui 1340.1374 0073 11:49:32.773                 ComputerName : (null)
dcpromoui 1340.1374 0074 11:49:32.773                 DomainName   : farmaciachavez.local
dcpromoui 1340.1374 0075 11:49:32.773                 DomainGuid   : (null)
dcpromoui 1340.1374 0076 11:49:32.773                 SiteName     : (null)
dcpromoui 1340.1374 0077 11:49:32.773                 Flags        : 0x40000011
dcpromoui 1340.1374 0078 11:49:32.879                 HRESULT = 0x00000000
dcpromoui 1340.1374 0079 11:49:32.879                 DomainControllerName    : \\SVRCBBDCFCH.farmaciachavez.local
dcpromoui 1340.1374 007A 11:49:32.879                 DomainControllerAddress : \\192.168.19.35
dcpromoui 1340.1374 007B 11:49:32.879                 DomainGuid              : {7861FD9E-4A7E-4B4C-9A40-79EE5406035C}
dcpromoui 1340.1374 007C 11:49:32.879                 DomainName              : farmaciachavez.local
dcpromoui 1340.1374 007D 11:49:32.879                 DnsForestName           : farmaciachavez.local
dcpromoui 1340.1374 007E 11:49:32.879                 Flags                   : 0xE000F1FC:
dcpromoui 1340.1374 007F 11:49:32.879                 DcSiteName              : Default-First-Site-Name
dcpromoui 1340.1374 0080 11:49:32.879                 ClientSiteName          : Default-First-Site-Name
dcpromoui 1340.1374 0081 11:49:32.879               Enter Computer::RemoveLeadingBackslashes \\SVRCBBDCFCH.farmaciachavez.local
dcpromoui 1340.1374 0082 11:49:32.879               SVRCBBDCFCH.farmaciachavez.local
dcpromoui 1340.1374 0083 11:49:32.879           Enter AutoWNetConnection::Init
dcpromoui 1340.1374 0084 11:49:32.879             Enter AutoWNetConnection::CloseExistingConnection
dcpromoui 1340.1374 0085 11:49:32.879             The current user security context is being used therefore there is no need to establish a connection.
dcpromoui 1340.1374 0086 11:49:32.879             HRESULT = 0x00000000
dcpromoui 1340.1374 0087 11:49:54.894           NetStatus = 1722
dcpromoui 1340.1374 0088 11:49:54.894           Enter AutoWNetConnection::CloseExistingConnection
dcpromoui 1340.1374 0089 11:49:54.894           HRESULT = 0x800706BA
dcpromoui 1340.1374 008A 11:49:54.894         HRESULT = 0x800706BA
dcpromoui 1340.1374 008B 11:49:54.894         HRESULT = 0x800706BA
dcpromoui 1340.1374 008C 11:49:54.894     failed trying to read domains, returned 0x800706BA
dcpromoui 1340.1374 008D 11:49:54.897     Enter GetErrorMessage 800706BA
dcpromoui 1340.1374 008E 11:49:54.897   GetExistingAccountForComputerInReplicaDomain error message: The wizard cannot gain access to the list of domains in the forest.

This condition may be caused by a DNS lookup problem. For information about troubleshooting common DNS lookup problems, please see the following Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=5171

The error is:
The RPC server is unavailable.

dcpromoui 1340.1374 008F 11:49:54.898   Test Failed
dcpromoui 1340.1374 0090 11:49:54.898   GetExistingAccountForComputerInReplicaDomain returns exit code: 26
dcpromoui 1340.1374 0091 11:49:54.898   END TEST: GetExistingAccountForComputerInReplicaDomain
dcpromoui 1340.1374 0092 11:49:54.898   Enter State::UnbindFromReplicationPartnetDC

Thanks in advance

Good morning,

First off let me fill you in on my environment.  I manage the windows environment for Pre-K through 12th grade public education.  For some reason some of our clients are getting the wrong logonserver which when this happens always ends up being the Pre-K domain server.  All of our other DCs/Sites are connected across town by 10gig fiber backbone, yet this one is connected through a 1 to 1 nat slow internet connection...yet the few times this happens and the LOGONSERVER is incorrectly selected it's ALWAYS this site.

I'll show you our site links / costs / replication Intervals if that helps...but I'm at a loss from staring at this too long and sure I'm overlooking something obvious.

Any Input/Suggestions are greatly appreciated!

Thank you!

I need to create a domain trust across two different domains, the issue is that I have servers with the same names on the two domains that I need to trust. I'll explain. Domain A with server name CARS and Domain B with server name CARS. However these servers have different IPs and belong to different networks connected via a VPN link? My questions:

Possible problems?

Is it feasible without having to rename the servers? To many users and shares to redo 

Any advise will be appreciated. 

Hello,  I accidentally add a few accounts with their uid numbers in the 500M when it should have been 50M.  Of course this has created a few headaches with some linux clients which I managed to change their UID numbers.  Now whenever I add a new account the UID sequence to the next number in the 500M range,  is there an option in Active Directory which will allow me to change the UID start number to the 50M range?

Any help is appreciated.

LouB