Channel: Directory Services forum
Viewing all 31638 articles

Add a manages tab to Active Directory


Hello there

So for a while now we have been using the "managed by" tab in Active Directory to keep track of who owns what computer.

Now the problem is that if we know which PC we want to find the user for, it's easy, but the other way around (User->PC) we have been using PowerShell to find it. This is a bit of a hurdle, and it would be nice to just integrate it in AD. So my question is: is there a way to add a tab on a user that has a list of PCs owned by that user (some have multiple PCs), in the same way the "member of" tab works?

Thanks in advance

Albert


AD ACL migration


What's the best way to migrate 100+ ACL from one AD to another AD not in the same domain?

My employer purchased another company and needs to migrate ACLs running on AD Windows Server 2012 R2 to AD running Windows Server 2016R2.

I do need to rename the ACLs from Win Server 2012 to new naming convention. 

 


Windows Server 2016 error 1864.. How to fix it?


Hello Microsoft Community,

I had this error before and after performing D2/D4 to recreate Sysvol and Netlogon folders.

https://social.technet.microsoft.com/Forums/office/cs-CZ/8f38bdaa-28d8-4546-b6b4-45f4a31dbd8d/3-replication-errors-after-performing-d2d4?forum=ws2016

I managed to recreate the folders, but unfortunately the 1864 error kept occurring every 24 hrs.

Also I tried:

https://social.technet.microsoft.com/Forums/windows/en-US/068065fa-bfe4-452c-bd3b-aa2055a99b12/broken-dns-delegation?forum=winserverNIS

 It did not help me..

List of tests that I was advised to do:

https://1drv.ms/u/s!AmqLiXvrm2MTggokH1Zpc7CFtoEe?e=v7WoDx

I don't really know what to do, so if anyone may give me any directions it will be awesome.


AD not trust samba after user logon on other computer


Hello,

Linux users use Active Directory for authentication and use a Samba server to get their own profile.

1. The user enters AD credentials on Linux-PC-01.

2. AD approves and allows entry to the computer. The user gets a Kerberos ticket.

3. Then an internal service on this PC tries to connect to Samba and asks for access to the profile.

4. Samba validates the user through AD.

5. AD approves and the user starts to mount and copy the profile.

The problem begins if the user logs on to another computer, Linux-PC-02. He passes authentication successfully (steps 1-3), then tries to mount the profile. Samba asks AD, and AD SOME TIME answers, "Do not trust for this user". As a result Samba denies access to the profile, and the user has a local (temp) profile.

After a few hours, if the profile mount is retried, the problem does not arise.

P.S. The organization has two domains, each with its own Samba and clients. In domain A there are no problems, but in the new domain B the problem is present. Some thin options are present in the "A" AD domain (the previous administrator configured it), but these options are lost in the "B" domain.

Is that a good idea to setup a dedicated Hyper-V Domain Controller on Hyper-V Server?


Hello!

o/s: Windows Server 2016 Std

I know that there are a lot of articles suggesting that best practice is not to have DC roles on the Hyper-V server.

Is it a good idea to have a dedicated DC for Hyper-V on the Hyper-V server?


Active Directory FSMO Roles Question


Hello,

Our company has 4 Domain Controllers, 2 in each Datacenter. They've failed over to the secondary cutting off the 2 DC's in the primary site, one of which had all the FSMO Roles. 

So my question is,

With this exercise lasting for a few days, should we have the DCs in the second site seize the FSMO roles?

And if seized, when the primary comes online will it automatically be moved back to the original Primary server? 

Thanks 

AD account authentication details required.!


Hi Team,

I am using one of the AD accounts for services, and I have to validate which services are using that AD account.

I tried with a PowerShell script but was not able to find out where it is getting authenticated.

Kindly help me out with any script.

 


This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing! http://sesaitech.blogspot.in/

JOINING COMPUTERS ON A NEW DOMAIN


Hello,

I did a migration of users and computers from an old domain to a totally different new domain. I was able to transfer the users on their end PCs on the same network as the new AD. But when I try to join computers on a different subnet by creating a new password for the users, I get this error:

Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied.

I have disabled the firewall but with no success.


MCP


Active Directory - Lowering the FFL/DFL


Hi all,

I have two On-Prem Exchange environments; the legacy Exchange 2007 SP3 RU 16 (empty databases, no PF), and our Production Exchange 2013 CU22 infrastructure, which holds 1,400 mailboxes.  We need to retire the legacy, empty Exchange 2007 SP3 RU16 only.  We are keeping the Hybrid infrastructure for the foreseeable future, as we're moving to Exch Online in 4Q.

Since we need to retire only the legacy Exchange 2007 SP3 RU 16 infrastructure, and our current AD structure is a mix of Windows 2012 R2 and Windows 2019 Datacenter with a FFL/DFL Windows 2012 R2, will it be possible to uninstall the legacy Exchange 2007 SP3 RU 16 infrastructure if we lower the FFL/DFL to Windows 2008R2?

Also if anybody has a list of any known issues or caveats to lowering the FFL/DFL from Win2012R2 to Win2008R2, that would be helpful?

Thanks in advance for any help.
SomeCallMeTim

Identifying shadow domains

I work for a fairly large organisation with multiple remote offices. I am trying to find out if there are users setting up their own small shadow domains not connected to Corp domains. How could I go about identifying these domains? And what tools do I need to use to identify them, either through LDAP/DNS queries etc.?

Cannot access Active Directory domain service


Hi guys,

Today all my domain controller servers could not connect to the Active Directory domain service.

It shows:

Naming information cannot be located because:
The specified domain either does not exist or could not be contacted.
Contact your system administrator to verify that your domain is properly configured and is currently online.

But the DNS service is running properly.

I have tried many ways to fix it but no luck.

Please help me to resolve this issue.

Thank you.

Can Resource-Based Kerberos Constrained delegation Work across 3 domains?


Here is a scenario:

  1. User accounts are in a user domain. let's call it USERDOM1
  2. Multiple SQL Server instances are installed in a server domain.  Let's call it SERVERDOM1. 
  3. Multiple SQL Server instances are also installed in yet another server domain.  Let's call this one SERVERDOM2.
  4. All 3 domains have full trust enabled to each other.
  5. All 3 domains are at domain functional level for Windows 2012 R2.  And no domain controllers below Windows 2012 R2 exist in the 3 domains.
  6. Using Resource-Based Kerberos constrained delegation (RBKCD) configuration users logged in from USERDOM1 can connect to SQL Servers in SERVERDOM1 and double hop fine with delegation to any other SQL Server in SERVERDOM1 as long as their accounts have rights to the other linked servers.
  7. However user can't double hop to linked server on SERVERDOM1 going to SERVERDOM2 because we seem to now be involving 3 domains.
  8. If we login from a test user account created in SERVERDOM1 then the double hop with RBKCD to SERVERDOM2 works fine.

So here is my question:

Is there any way to configure delegation (short of permitting unconstrained delegation) where the 3 domain scenario that I am describing will work?  Or is that just plain not supported?

  

eventID 1126, unable to establish a connection with the global catalog


Hello everyone,

I am currently experiencing issues with a domain controller I recently installed. 
Setup is as follows: 1 DC 2008 R2 / 1 DC 2008(virtual) / 1 DC 2003 R2 in the same domain. All of these servers are running DNS.
We also have a trust with another domain, but this I think is not relevant.

The idea is to demote the 2003 R2 one and replace it with the DC2008 R2. The DC2008R2 is a global catalog (as are the other domain controllers). I moved over all the FSMO roles to the new domain controller (dc2008r2), which succeeded.
I want to be able to boot this new server so it does not have to rely on the other domain controllers to work. This is because my other DCs are clustered and rely on DNS to boot.

Every time I boot the new server it logs a few events. I think this is because the server itself is DNS, and that service does not want to start unless there's a 2nd DNS server present. As a matter of fact, for some reason the DC2008 (virtual) is the only server that is able to boot on its own with a functioning DNS service.

EventID 1126

 

Active Directory Domain Services was unable to establish a connection with the global catalog. 

Additional Data 

Error value:

1355 The specified domain either does not exist or could not be contacted. 

Internal ID:

3200e25 

User Action: 

Make sure a global catalog is available in the forest, and is reachable from this domain controller. You may use the nltest utility to diagnose this problem.

 

 

Event ID 2088

 

Active Directory Domain Services could not use DNS to resolve the IP address of the source domain controller listed below. To maintain the consistency of Security groups, group policy, users and computers and their passwords, Active Directory Domain Services successfully replicated using the NetBIOS or fully qualified computer name of the source domain controller. 

Invalid DNS configuration may be affecting other essential operations on member computers, domain controllers or application servers in this Active Directory Domain Services forest, including logon authentication or access to network resources. 

You should immediately resolve this DNS configuration error so that this domain controller can resolve the IP address of the source domain controller using DNS. 

Alternate server name: 

DC2003SRV
Failing DNS host name: 

 

 6a51835b-b077-4914-b0e5-64deaf20a5e6._msdcs.sde.be 

NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur.  To log all individual failure events, set the following diagnostics registry value to 1: 

Registry Path: 

HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client 

User Action: 

 1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498. 

 2) Confirm that the source domain controller is running Active Directory Domain Services and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>". 

 3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns 

  dcdiag /test:dns 

 4) Verify that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows: 

  dcdiag /test:dns 

 5) For further analysis of DNS error failures see KB 824449: 

   http://support.microsoft.com/?kbid=824449 

Additional Data 

Error value: 

 11004 The requested name is valid, but no data of the requested type was found. 

 

 

This event logs twice, one for each domain controller.

dcdiag of the new server:

 

Directory Server Diagnosis

Performing initial setup:

   Trying to find home server...

   Home Server = contoso-DC-L02

   * Identified AD Forest. 

   Done gathering initial info.

Doing initial required tests

   Testing server: contoso\contoso-DC-L02

      Starting test: Connectivity

         ......................... contoso-DC-L02 passed test Connectivity

Doing primary test

   Testing server: contoso\contoso-DC-L02

      Starting test: Advertising

         ......................... contoso-DC-L02 passed test Advertising

      Starting test: FrsEvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems. 

         ......................... contoso-DC-L02 passed test FrsEvent

      Starting test: DFSREvent

         ......................... contoso-DC-L02 passed test DFSREvent

      Starting test: SysVolCheck

         ......................... contoso-DC-L02 passed test SysVolCheck

      Starting test: KccEvent

         A warning event occurred.  EventID: 0x80000B46

            Time Generated: 06/16/2011   14:54:00

            Event String:

            The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate,  Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that  are performed on a cleartext (non-SSL/TLS-encrypted) connection.  Even if no clients are using such binds, configuring the server to reject them will improve the security of this server. 

         A warning event occurred.  EventID: 0x80000828

            Time Generated: 06/16/2011   14:54:05

            Event String:

            Active Directory Domain Services could not use DNS to resolve the IP address of the source domain controller listed below. To maintain the consistency of Security groups, group policy, users and computers and their passwords, Active Directory Domain Services successfully replicated using the NetBIOS or fully qualified computer name of the source domain controller. 

         A warning event occurred.  EventID: 0x80000828

            Time Generated: 06/16/2011   14:54:13

            Event String:

            Active Directory Domain Services could not use DNS to resolve the IP address of the source domain controller listed below. To maintain the consistency of Security groups, group policy, users and computers and their passwords, Active Directory Domain Services successfully replicated using the NetBIOS or fully qualified computer name of the source domain controller. 

         A warning event occurred.  EventID: 0x8000082C

            Time Generated: 06/16/2011   14:55:00

            Event String: 

         A warning event occurred.  EventID: 0x80000828

            Time Generated: 06/16/2011   14:55:16

            Event String:

            Active Directory Domain Services could not use DNS to resolve the IP address of the source domain controller listed below. To maintain the consistency of Security groups, group policy, users and computers and their passwords, Active Directory Domain Services successfully replicated using the NetBIOS or fully qualified computer name of the source domain controller. 

         An error event occurred.  EventID: 0xC0000466

            Time Generated: 06/16/2011   14:56:16

            Event String:

            Active Directory Domain Services was unable to establish a connection with the global catalog. 

         ......................... contoso-DC-L02 failed test KccEvent

      Starting test: KnowsOfRoleHolders

        ......................... contoso-DC-L02 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... contoso-DC-L02 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... contoso-DC-L02 passed test NCSecDesc

      Starting test: NetLogons

         ......................... contoso-DC-L02 passed test NetLogons

      Starting test: ObjectsReplicated

        ......................... contoso-DC-L02 passed test ObjectsReplicated

      Starting test: Replications

         [Replications Check,contoso-DC-L02] A recent replication attempt failed:

            From contoso-DC-01 to contoso-DC-L02

            Naming Context: CN=Configuration,DC=contoso,DC=be

            The replication generated an error (1908):

            Could not find the domain controller for this domain.

            The failure occurred at 2011-06-16 14:56:42.

            The last success occurred at 2011-06-16 14:14:45.

            1 failures have occurred since the last success.

           Kerberos Error.

            A KDC was not found to authenticate the call.

            Check that sufficient domain controllers are available.

         ......................... contoso-DC-L02 failed test Replications

      Starting test: RidManager

         ......................... contoso-DC-L02 passed test RidManager

      Starting test: Services

         ......................... contoso-DC-L02 passed test Services

      Starting test: SystemLog

        A warning event occurred.  EventID: 0x0000A000

            Time Generated: 06/16/2011   14:14:46

            Event String:

            The Security System detected an authentication error for the server ldap/contoso-DC-L02.contoso.be. The failure code from authentication protocol Kerberos was "An attempt was made to logon, but the netlogon service was not started.

         A warning event occurred.  EventID: 0x0000A000

            Time Generated: 06/16/2011   14:14:49

            Event String:

            The Security System detected an authentication error for the server ldap/contoso-DC-L02.contoso.be/contoso.be@contoso.BE. The failure code from authentication protocol Kerberos was "An attempt was made to logon, but the netlogon service was not started.

         A warning event occurred.  EventID: 0x0000A000

            Time Generated: 06/16/2011   14:14:50

            Event String:

            The Security System detected an authentication error for the server LDAP/contoso-DC-L02. The failure code from authentication protocol Kerberos was "An attempt was made to logon, but the netlogon service was not started.

         A warning event occurred.  EventID: 0x00002724

            Time Generated: 06/16/2011   14:14:51

            Event String:

            This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.

         A warning event occurred.  EventID: 0x000727AA

            Time Generated: 06/16/2011   14:16:53

            Event String:

            The WinRM service failed to create the following SPNs: WSMAN/contoso-DC-L02.contoso.be; WSMAN/contoso-DC-L02. 

         An error event occurred.  EventID: 0x00000457

            Time Generated: 06/16/2011   14:17:06

            Event String:

            DCOM was unable to communicate with the computer 8.8.4.4 using any of the configured protocols.

         An error event occurred.  EventID: 0xC0002719

            Time Generated: 06/16/2011   14:44:45

            Event String:

            DCOM was unable to communicate with the computer 8.8.8.8 using any of the configured protocols.

         An error event occurred.  EventID: 0x0000041F

            Time Generated: 06/16/2011   14:54:12

            Event String:

            The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: 

         An error event occurred.  EventID: 0xC00038D6

            Time Generated: 06/16/2011   14:54:29

            Event String:

            The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

         A warning event occurred.  EventID: 0x000003F6

            Time Generated: 06/16/2011   14:54:28

            Event String:

            Name resolution for the name 719c13d8-c910-44ef-9a98-06d5242d040f._msdcs.contoso.be timed out after none of the configured DNS servers responded.

         A warning event occurred.  EventID: 0x00002724

            Time Generated: 06/16/2011   14:54:33

            Event String:

            This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.

         An error event occurred.  EventID: 0xC00038D6

            Time Generated: 06/16/2011   14:54:56

            Event String

            The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

         An error event occurred.  EventID: 0x00000423

            Time Generated: 06/16/2011   14:54:59

            Event String:

            The DHCP service failed to see a directory server for authorization.

         An error event occurred.  EventID: 0x00000423

            Time Generated: 06/16/2011   14:55:13

            Event String:

            The DHCP service failed to see a directory server for authorization.

         A warning event occurred.  EventID: 0x0000000C

            Time Generated: 06/16/2011   14:55:16

            Event String:

            Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.

       An error event occurred.  EventID: 0xC00038D6

            Time Generated: 06/16/2011   14:55:23

            Event String:

            The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

         A warning event occurred.  EventID: 0x000003F6

            Time Generated: 06/16/2011   14:55:40

            Event String:

            Name resolution for the name contoso.be timed out after none of the configured DNS servers responded.

         An error event occurred.  EventID: 0xC00038D6

            Time Generated: 06/16/2011   14:55:50

            Event String:

            The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

         An error event occurred.  EventID: 0xC00A0038

            Time Generated: 06/16/2011   14:56:02

            Event String:

            The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. Client IP: 10.192.0.87.

         An error event occurred.  EventID: 0xC00038D6

            Time Generated: 06/16/2011   14:56:17

            Event String:

            The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

         An error event occurred.  EventID: 0x00000469

            Time Generated: 06/16/2011   14:56:32

            Event String:

            The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 06/16/2011   14:56:36

            Event String:

           An error event occurred.  EventID: 0xC00038D6

            Time Generated: 06/16/2011   14:56:44

            Event String:

            The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

         An error event occurred.  EventID: 0xC00038D6

            Time Generated: 06/16/2011   14:57:11

           Event String:

            The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

         A warning event occurred.  EventID: 0x000003F6

            Time Generated: 06/16/2011   14:57:16

            Event String:

            Name resolution for the name 1.0.0.127.in-addr.arpa timed out after none of the configured DNS servers responded.

         A warning event occurred.  EventID: 0x00001695

            Time Generated: 06/16/2011   14:57:29

            Event String:

            Dynamic registration or deletion of one or more DNS records associated with DNS domain 'contoso.be.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).  

         A warning event occurred.  EventID: 0x00001695

            Time Generated: 06/16/2011   14:57:29

            Event String:

           Dynamic registration or deletion of one or more DNS records associated with DNS domain 'DomainDnsZones.contoso.be.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).  

         A warning event occurred.  EventID: 0x000727AA

            Time Generated: 06/16/2011   14:57:30

            Event String:

            The WinRM service failed to create the following SPNs: WSMAN/contoso-DC-L02.contoso.be; WSMAN/contoso-DC-L02. 

        ......................... contoso-DC-L02 failed test SystemLog

      Starting test: VerifyReferences

         ......................... contoso-DC-L02 passed test VerifyReferences

   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : contoso

      Starting test: CheckSDRefDom

         ......................... contoso passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... contoso passed test CrossRefValidation

  Running enterprise tests on : contoso.be

      Starting test: LocatorCheck

         ......................... contoso.be passed test LocatorCheck

      Starting test: Intersite

         ......................... contoso.be passed test Intersite


The server does boot properly (however logs the above events) when DC2008(virtual) is specified as the secondary DNS. Otherwise I am unable to start the server. 

Problem is because DC2008(virtual) is a clustered server it cannot start until DNS has become available.
Anyone have any idea why DC2008(virtual) is the only server that is able to start DNS by itself?

Any help would be appreciated.
Kind regards,

Jasper 

 

 


DNS forwarders and root hint resolving issues


My current setup is as follows

Server 1 - AD DS, DNS, DHCP and File Server 2019, All FSMO role holder

Server 2 - AD DS, DNS and Adconnect for office 365 sync

Server 1 ip configuration : 192.168.5.2, 255.255.255.0 , 192.168.5.1  DNS servers: Primary: 192.168.5.3 Secondary 192.168.5.2

Server 2 IP configuration : 192.168.5.3, 255.255.255.0 , 192.168.5.1  DNS servers: Primary: 192.168.5.2 Secondary 192.168.5.3

It is set up as an Active Directory Integrated Zone and I have checked with repadmin and all tests were successful.

However, over the last three days I have had users complaining about slow web page load times, and most of the time they get an insecure prompt page although the websites are secure.

I checked the forwarders and root hints and all are up to date, but when I try to resolve on Server 1 it takes around 20 secs or so to resolve, and some come back with a timeout error. However, on Server 2 the forwarders and root hints resolve immediately without any timeout issues.

I have tried all the dns dcdiag test to see if there are any failures but nothing that shows of issues with DNS. 

Any advice would be really appreciated. 

Microsoft Active Directory Certificate Services


Hi All

I have a question on Microsoft Active Directory Certificate Services.

Recently I tried setting up a test environment with 3 domains in a forest. 1 Parent Domain with 2 Child.

However when I tried to set up an Enterprise CA at the child domain, I have difficulty starting the service.

The error is that after I installed the signed certificate to the CA, when trying to start the service, it said that I have a missing certificate, followed by a message that the certificate installed is not the latest generated request. I tried to generate the request again but was unable to.

The issue does not arise when I install the Enterprise CA at the Parent Domain.

I have done some research online. It said that Enterprise CA is designed to be a forest-wide service. Does this mean that I can only install the service at the parent domain and give permission to the child domain to request the certificate, or is there a way to install an Enterprise CA at the child domain? If there are some prerequisites before I can install the Enterprise CA at the child domain, can you let me know?

Also, can someone enlighten me on whether I can have an Enterprise CA in two different trees within the same forest?

Appreciate the help provided



Looking for a way to change SAM account name to uppercase


Hi

We are looking for a way to change the case of SAM account name of all AD users from small to capital. 

Thanks in advance


LMS

The security of this directory server can be significantly enhanced

   

Hi all,

Today I found that replication was not occurring because one of the objects cannot be updated,

as follows:

Active Directory Domain Services could not update the following object with changes received from the following source directory service. This is because an error occurred during the application of the changes to Active Directory Domain Services on the directory service. 

Object:
CN=M M,OU=Users,OU=HD,OU=Technical Support,OU=Users,DC=mydoamin,DC=local

Synchronization of the directory service with the source directory service is blocked until this update problem is corrected. 

This operation will be tried again at the next scheduled replication.

So I fixed this by defragmenting the NTDS database, but after that I ran dcdiag and found

this warning in KCC. What should I do about it?

        Event String:
            The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate,  Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that  are performed on a cleartext (non-SSL/TLS-encrypted) connection.  Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.

Will Server 2019 replicate AD with Server 2003?

My company has a few servers running Microsoft Server 2003 because of some software that we use that doesn't work on newer versions of Microsoft Server.  Our main Domain Controller is running Server 2008 and it is currently replicating with a few of our 2003 servers.  We are wanting to upgrade our DC to 2019 but want to make sure it will replicate with 2003 before doing so.

File Replication Services not replicating


We have 60 domain controllers. One of the domain controllers is having issues, and the FRS is having trouble enabling replication from the target A domain controller to the source B domain controller.

Event ID is 13508.

We have troubleshot with the below steps, but are unable to get the solution.

Ran the FRS DIAG and unable to find any solutions.

 


SK

Active Directory Topology service on server 'TopologyClientTcpEndpoint (localhost)' returned an error


I am getting the below error in Exchange 2013, and the error is pointing to one of the orphaned DCs. The server is not a DC anymore, but it's still pointing to that DC. Is there any way to clean up these DCs from the AD database?

Error Details:

The call to Microsoft Exchange Active Directory Topology service on server 'TopologyClientTcpEndpoint (localhost)' returned an error. Error details No suitable domain controller was found in domain abc.xyz.com.
