Channel: Directory Services forum

Active Directory migrated user having access issue on shared folder


Hi Team,

I am migrating users from my old infra to new infra having shared folder access.

Migration process:-

1) Migrating groups

2) Migrating user

After the above steps are done successfully, users are not able to access the shared folder in my old infra with their new infra user account.

Under the shared folder I am seeing some child folders with different permissions for different groups. Example: folder permissions are assigned to groups and shown like "olddomain\Prod-Data Folder-RW".

My question is: how can we change from the "olddomain\Prod-Data Folder-RW" group to "newdomain\Prod-Data Folder-RW"?

Or is there any other way where we can fix this issue.

Thanks in advance


Thanks Devendra B2-Consulate(Capgemini)


Lost of namespace server DFS


Hi,

I had 2 2008 R2 DCs that were DFS namespace servers.

These 2 DCs have been replaced by new 2016 DCs, but the DFS namespace server role has not been installed.

Now my DFS namespaces are not reachable. I tried to install the DFS namespace role on my new DCs; I can see my namespaces, but when I add them to the DFS Management snap-in I can't browse.

I can see my namespace in ADSIedit




the zone dynamic update option failed to change. the zone type is invalid


Dear everyone.

Why can't we change the zone dynamic update option? We are using Active Directory integrated.

Thanks. 

Migrating Active Directory Certificate Services to another forest\domain

Please advise the step-by-step process for migrating Active Directory Certificate Services from one forest to another forest.

Access this computer from the network - Domain Controller policy


Hi,

I want to secure my DC, so I am planning to remove the "Everyone" group from the "Access this computer from the network" DC policy.

Is there any impact I will have to face? I do not have any shared folders created on the DC.

Please assist.

AD with two DCs not working when one DC is down.


I had one AD running on a Windows Server 2016. It had all the roles, running DNS and DHCP. I created a new Windows 2019 Server, added AD and moved the roles over to it. I exported/imported DHCP settings to the 2019 server and shut DHCP off on 2016. 2019 now has all of the roles DNS and DHCP. 2016 still has AD and DNS, but all clients and servers are pointed to 2019 for Primary DNS and 2016 as Secondary DNS. 

In the past, I could bring down either DC (2016 or 2019) and have my Domain operational. I had a hacker get on a client computer and my 2016 DC started showing signs of problems with a constant CPU usage of 89-99%. I turn the NIC off and usage goes back to normal (I'm not asking for help with the hacker), but with that DC down, my network is down, meaning clients can't see servers. It seemed to me like a DNS problem, so I took the Secondary DNS (2016 server that is down) off all Servers and Clients. I rebooted all servers and clients, but none see the 2019 DC unless I turn on the NIC for the 2016 (hacked server). I want to remove that server completely, but the 2019 DC holding all of the roles, DNS and DHCP doesn't work without the 2016 DC. What am I missing?  

DisplaySpecifiers for Ru-ru locale is missing in ADSI



Hi!

I need to make some changes in DisplaySpecifiers, but I need to make them in both the 409 and 419 threads to make them visible in the Russian version of ADUC.

So what should I do if there is only CN=409 (USA) and CN=C04 (Chinese_HongKong) in ADSI DisplaySpecifiers?

I also need the CN=419 (Russian) locale thread, but this one is missing.

There is an already existing infrastructure at 2008R2 domain/forest level with 2008R2/2012R2 Domain Controllers.

All of the Domain Controllers are the Russian edition, so they already have the Russian language pack installed and it exists in

HKLM\SYSTEM\CurrentControlSet\Control\ContentIndex\Language



Russian is also set as the default system language, and all MMCs display correctly in it.

How can I import or install that locale to my ADSI?

Or is the only way to have it to manually create the CN=419 container with all its attributes and properties?

DisplaySpecifier for en-GB (code page 809) missing


Hello

I want to add the EmployeeID attribute (which is already defined in the Schema) to the list of attributes displayed when looking at a user object in Active Directory Users and Computers.

I have the documentation explaining how to do this using an example from the en-US code page, e.g. 409; however, I am in the UK and therefore using the 809 code page.

When I use ADSIEdit.msc, bind to the Configuration Naming Context and open DisplaySpecifiers, I see a list of CN=xxx where xxx is the code page number (in hex), e.g. 409 for the US, but I do not see 809 for the UK, despite the fact that the server is using the UK language and keyboard layout and all is working fine in that respect. I was therefore expecting to see CN=809; however, it goes from 804 and then the next one is 816.

I came across an old blog post for Windows 2000 (I am on Windows 2012 R2) which stated you can create the container for 809, e.g. New > Container > name = 809, which does create a CN=809 container, but the container is empty, while the others like CN=409 contain many objects (of DisplaySpecifier class).

So my questions are as follow please

1) Should the CN=809 not be there when I have set the language and keyboard etc. to en-GB?

2) If the container CN=809 is missing (as in this case), is there a way to automatically create and populate it (or at least automatically populate it)? At the moment I am not sure how to create the relevant objects under a blank container, and in any event this would appear to be time consuming (unless there is a script).

Any advice most welcome.

Thanks

AAnotherUser


Windows Authentication with Kerberos not working


Hello,

I have several Windows Servers (2012 R2), one of them has the role of Domain Controller (and certification authority).
All the servers are in the same domain and have certificates from the CA hosted on the DC.
However I am not able to use Windows authentication for some application. It works with NTLM, but when using Kerberos it throws the following exception :

Unexpected exception in ObtainTokenAsync

-------- Exception ----------------
System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: The function requested is not supported

This is from the application logs. I've searched a lot but none of the solutions found online fix my issue.
There is no error in the Kerberos logs on the DC (as far as I can see), so I really don't know what to look for.

Any help will be greatly appreciated!



Domain Controller demotion PDC roles transferred cannot demote


I have migrated all the roles from the PDC on a 2012 Datacenter server to a 2019 Datacenter server successfully.

However, I tried to demote the server using PowerShell and using Server Manager and it seems... toasted.

PowerShell - I tried to force this too... same issue.

Uninstall-ADDSDomainController : Verification of prerequisites for Domain Controller promotion failed. Failed to
detect component binaries.
At line:1 char:1
+ Uninstall-ADDSDomainController -DemoteOperationMasterRole -RemoveApplicationPart ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Uninstall-ADDSDomainController], TestFailedException
    + FullyQualifiedErrorId : Test.VerifyDcPromoCore.DCPromo.General.64,Microsoft.DirectoryServices.Deployment.PowerSh
   ell.Commands.UninstallADDSDomainCommand

dcpromoui.log 

cpromoui C80.F5C 086A 20:23:15.039         Enter RegistryKey::GetValue-DWORD GCByDefault
dcpromoui C80.F5C 086B 20:23:15.039         HRESULT = 0x80070002
dcpromoui C80.F5C 086C 20:23:15.039         result = true
dcpromoui C80.F5C 086D 20:23:15.039       result = true
dcpromoui C80.F5C 086E 20:23:15.039     Enter ReadAllowIscsiFlag
dcpromoui C80.F5C 086F 20:23:15.039       Enter GetConfigFlag AllowIscsi
dcpromoui C80.F5C 0870 20:23:15.039         Enter RegistryKey::Open Software\Microsoft\Windows\CurrentVersion\AdminDebug\dcpromoui
dcpromoui C80.F5C 0871 20:23:15.039         Enter RegistryKey::GetValue-DWORD AllowIscsi
dcpromoui C80.F5C 0872 20:23:15.039         HRESULT = 0x80070002
dcpromoui C80.F5C 0873 20:23:15.039         result = true
dcpromoui C80.F5C 0874 20:23:15.039       result = false
dcpromoui C80.F5C 0875 20:23:15.039     Enter SetEncryptedAnswerFileOption AdministratorPassword
dcpromoui C80.F5C 0876 20:23:15.039       Enter AnswerFile::SetEncryptedOption AdministratorPassword
dcpromoui C80.F5C 0877 20:23:15.039     Enter ValidateAnswerFile
dcpromoui C80.F5C 0878 20:23:15.039       Enter AnswerFile::Validate
dcpromoui C80.F5C 0879 20:23:15.039     Enter State::GetUnclearedAnswerFilePasswords
dcpromoui C80.F5C 087A 20:23:15.039     Enter State::GetUnclearedAnswerFilePasswordReaons
dcpromoui C80.F5C 087B 20:23:15.039     Enter State::GetValidationWarnings
dcpromoui C80.F5C 087C 20:23:15.039     Info: Active Directory Domain Services Setup

dcpromoui C80.F5C 087D 20:23:15.039     Enter Start
dcpromoui C80.F5C 087E 20:23:15.039       Info: Validating environment and parameters...
dcpromoui C80.F5C 087F 20:23:15.039       Enter InitFunct
dcpromoui C80.F5C 0880 20:23:15.039         Enter State::GetMode NORMAL
dcpromoui C80.F5C 0881 20:23:15.039         Enter CbsGetUpdateInstallState
dcpromoui C80.F5C 0882 20:23:15.039           The category is 0
dcpromoui C80.F5C 0883 20:23:15.039           Enter FindRoleInfo
dcpromoui C80.F5C 0884 20:23:15.039             Enter CheckIsServerCore
dcpromoui C80.F5C 0885 20:23:15.039               It is not on server foundation
dcpromoui C80.F5C 0886 20:23:15.039               HRESULT = 0x00000000
dcpromoui C80.F5C 0887 20:23:15.039           Enter GetUpdateName
dcpromoui C80.F5C 0888 20:23:15.039           Enter GetPackageName
dcpromoui C80.F5C 0889 20:23:15.054             Unable to find identity string for package name Microsoft-Windows-ServerCore-Package
dcpromoui C80.F5C 088A 20:23:15.054           Failed to retrieve the parent package name
dcpromoui C80.F5C 088B 20:23:15.054           HRESULT = 0x80070002
dcpromoui C80.F5C 088C 20:23:15.054           HRESULT = 0x80070002
dcpromoui C80.F5C 088D 20:23:15.054       performed state 1, next state 37
dcpromoui C80.F5C 088E 20:23:15.054       Error: Failed to detect component binaries.
dcpromoui C80.F5C 088F 20:23:15.054       Enter State::GetHadNonCriticalFailures
dcpromoui C80.F5C 0890 20:23:15.054         bHadNonCriticalFailures = false
dcpromoui C80.F5C 0891 20:23:15.054     Enter State::UnbindFromReplicationPartnetDC
dcpromoui C80.F5C 0892 20:23:15.054     Exit code is 64
dcpromoui C80.F5C 0893 20:23:15.054   Exit code is 64
dcpromoui 974.13C 044E 20:46:25.201 closing log

64=install ad services????

I tried via the gui... 

I cannot get past the server selection window as I cannot select the server (that I am logged into)

Error message.......

The request to list features available on the specified server failed.
Unable to obtain the feature list.
The specified package is not valid Windows package. Error: 0x800f0805

Welcome to my world!!!!!!!!!!!!


darren hitchen


forgot outlook pst file password

Is there a safe PST password tool/site? I have $100,000s of lost product keys and business data in older emails with a forgotten password! HELP!!!!

Windows cannot access domain share \\domain.local


Hello Tech Masters,

Hope everyone is having a great day. 

I am investigating an Active Directory issue in Windows 2008 R2 domain. 

The environment is single 2008 R2 forest with 3 2008 R2 domains. Each domain has at least 3 2008 R2 domain controllers. 

My goal is to promote both the forest and domains to 2016 functional level.

I am replacing all 2008 R2 and 2012 R2 domain controllers by building new 2016 domain controllers. 

Issue: Browsing any of the 3 domains by domain name \\domain.local works if domain.local is pointing to a specific domain controller (the old PDC DC). This happens in all 3 domains. Otherwise, it will error out with "Windows cannot access \\domain.local".

The issue is global to all computers in the 3 domains. 

I can ping all 3 domains by name successfully. 

I am able to navigate directly to any domain controller's shares (Netlogon and Sysvol) using the FQDN (ex: dc01.domain.local).

Domain AD replication works properly in all domains.

Group policies apply properly to users' computers.

See attached error (screen shot).


 

 

Please share your thoughts if you have experienced the same issue or you have the knowledge to help.

Thank You 

Raed

Can't enumerate group membership of groups with FSP members after running netdom /EnableTGTDelegation:No


We're trying to follow the guidance provided here. On 5/14/2019 this change will be the default for new trusts and on 7/9/2019 this will be the enforced behavior and the EnableTGTDelegation setting will be ignored. We operate out of a primary domain and manage several other forests from there. After running the command below where "ourdomain.local" is our domain and "otherdomain.local" is the domain that trusts our domain we started seeing errors with Get-ADGroupMember for groups in "otherdomain.local" when run from "ourdomain.local". Running the dsget variant of this PowerShell command works. This seems to only occur if the group contains a Foreign Security Principal (FSP). These commands are run from the same location and with the same ID. PowerShell fails and dsget works. "Authenticated Users" is a member of the "Builtin\Users" group in both domains.

netdom.exe trust ourdomain.local /domain:otherdomain.local /EnableTGTDelegation:No

PowerShell command that fails:

Get-ADGroupMember "account operators" -Server otherdomain.local

dsget variant of it that works:

dsget group "CN=account operators,CN=builtin,DC=otherdomain,DC=local" -members

Error:

Get-ADGroupMember : The server was unable to process the request due to an internal error.  For more information about
the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug>
configuration behavior) on the server in order to send the exception information back to the client, or
turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs.
At line:1 char:1
+ Get-ADGroupMember "account operators" -Server otherdomain.local
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (account operators:ADGroup) [Get-ADGroupMember], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember


Full error:

Microsoft.ActiveDirectory.Management.ADException: The server was unable to process the request
due to an internal error.  For more information about the error, either turn on
IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the<serviceDebug> configuration behavior) on the server in order to send the exception
information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK
documentation and inspect the server trace logs. ---> System.ServiceModel.FaultException: The
server was unable to process the request due to an internal error.  For more information about
the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute
or from the <serviceDebug> configuration behavior) on the server in order to send the
exception information back to the client, or turn on tracing as per the Microsoft .NET
Framework SDK documentation and inspect the server trace logs.

Server stack trace:
   at System.ServiceModel.Channels.ServiceChannel.ThrowIfFaultUnderstood(Message reply,
MessageFault fault, String action, MessageVersion version, FaultConverter faultConverter)
   at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation,
ProxyRpc& rpc)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway,
ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage
methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage
retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.AccountManagement.GetADGroup
Member(GetADGroupMemberRequest request)
   at
Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetADGroupMemberRequest
request)
   --- End of inner exception stack trace ---
   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(FaultException
faultException)
   at
Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetADGroupMemberRequest
request)
   at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Ma
nagement.IADAccountManagement.GetADGroupMember(ADSessionHandle handle, GetADGroupMemberRequest
request)
   at Microsoft.ActiveDirectory.Management.ADAccountManagement.GetGroupMembers(String
partitionDN, String groupDN, Boolean recursive)
   at Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember.GetADGroupMemberProcessCSR
outine()
   at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()
   at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()



Considerations to raise DFL and FFL to 2016


Hi 

I have a scenario here where I have been upgrading all my servers to 2016. As part of the process, we have upgraded all the domain controllers to 2016 except one DC. Once I move that out, I want to raise my DFL and FFL to 2016. Before that, I want to make sure of the existing servers' compatibility with the new DFL and FFL.

I have been looking at the following servers:

1. Exchange servers (currently on Exchange 2010 SP3, which supports DFL and FFL 2016)

2. CA server (we have upgraded to a 2016 server)

3. PKI server (we have upgraded to a 2016 server, but I have my old server still running on 2008 R2)

4. ADFS servers (we have upgraded to a 2016 server)

As my PKI still has a server on 2008 R2, will that support my new FFL and DFL?

Also, please let me know if there are any other applications I need to consider before I raise the DFL and FFL.

What makes account dormant?


Hi,

In Active Directory, I would like to ask: if a user account is not logged in to a PC but is used in 3rd-party apps, say Citrix, etc., would that make the user account dormant?

Thanks!


GPO block policy inheritance


Hi,


In my experience, I have seen that some AD domains have block policy inheritance enabled at the root level and on the domain controller OU.

Please help me to understand the use case of GPO block policy inheritance.


File Replication Service is disabled by Default


Hi Microsoft team,

Can you confirm whether the File Replication Service should be disabled or enabled by default?

In our environment, I noticed this when checking Windows services on Windows Server 2012 R2.

Do we need to enable this service? When I tried enabling the service, it displayed the current error.

Screenshot:

https://imgur.com/DuqfH9y

https://imgur.com/WnjBabO

Different response for nslookup


Hi,

When I do an nslookup for a domain from the DNS server ABC.NET, I get a list of name servers.

However, when I do an nslookup from another Windows server, which is configured with ABC.NET as its DNS server, the same nslookup gives a very different output.

What could be the reason why I'm getting different results from the same DNS server, even though I'm trying from different machines?

AAD joined computer user authentication


hello,

We sync our on-premise directory to AD and enabled ADFS, and the password hash is not synced to AAD.

In this case, we found something interesting: we joined a Windows 10 machine to AAD, and the user is able to log in to this AAD-joined computer with their domain credentials.

And if they change the password in on-premise AD, they can use the new password to log in to the computer.

But as far as I know, AAD doesn't have password hash sync, and during the Windows 10 login no ADFS login page shows up.

How does AAD know the password, and how does the authentication work?

thanks
