Hi All,

IF you have 15,000+ Domain User and around 35 Domain Controller spread all over World.

Can you please let me know Which are the Best Practice do you follow and your experience, regarding Backup of Active Directory.

Can you please share your Good and Bad experience regarding AD Backup, which you have followed and what changes you have done to your Backup policy, if you had bad experience regarding AD Backup / AD restoration.

Param

On a 2019 server based AD with the bitlocker role installed on the DC, the recovery keys of all clients are successfully backed up to AD and visible on the "bitlocker recovery" tab in ADUC as well as in ADSIedit.

However, if I encrypt the DC itself, despite showing "the recovery key was backed up to AD successfully", the key is not backed up, it's not in ADSIedit, either, nor can it be retrieved using scripts.

This seems to be a dangerous bug, please try to reproduce this, Microsoft.

Steps to reproduce:

-install AD on server 2019

-install the BL role plus management tools

-on the DC itself, bitlock a test partition x:

manage-bde -on x: -used -pw -rp

->copy the recovery key protector ID that you see

-Afterwards, use this command to backup the key to AD

manage-bde -protectors -adbackup x: -id {84E151C1...yourID...7A62067A512}

Now verify if you can find the key backed up to AD. It won't be there.

Hi, We have noticed a issue with Server 2012's start menu in that if you click start it opens the tiles, click an app it opens however if you want to open another copy of the app so you do the same thing it doesn't open the app again. It works fine from the desktop or other locations just not the start menu. I cannot find any articles or people with the same query as me. Is this expected behavior or is it a known bug? 

I have built a brand new vanilla build server as well as existing company server and I can replicate it on all of them

Hello!

Within the last couple of weeks, I did a major overhaul of the Sites and Services on a relatively new domain within our organization. This domain had been set up by a former employee who had since left the company in the middle of the project. Since that time, several new sites had been added without all of the necessary setup actually being complete. No subnets had been created. While there were separate sites defined, all of the servers were in a single Site Link as well as being in individual site links between the primary domain controllers and each site. As a result ISTG and KCC were creating replication partnerships that were a mashup between a hub-and-spoke model and a mesh model. All authentications were being done against one single server which was not intended to be the PDC, machines were passing traffic across the country instead of to their local Domain Controller because they did not identify themselves as being a part of a site, and one of the Domain Controllers had so many errors that it tombstoned and became its own little Active Directory island. Fun times.

I've mostly untangled the knot as far as I can tell. Subnets are now created, there are Inter-site transports with two and only two sites in them linking each site to one of the two Domain Controllers in the "Tier I" headquarters site. Replication is flowing, authentication requests are going to the right place according to the networking team, and I am not having any weird problems anymore. But I do still see several errors when I run dcdiag and repadmin /showrepl.

I cleared the legacy errors out of the Event Viewer so that only new problems would show up, and everything is clear except for Directory Service on the Read Only DCs, which throw Event IDs 1311, 2904, 1865, and 1566 about every 15 minutes. The errors listed say that "The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site" followed by several of the sites in our domain. I found a similar question that said the problem was the other sites could not be reached because ports were blocked.

But... I know the sites aren't reachable from this RODC. It's at a location where the firewall rules are very restrictive, on purpose, for a reason. This domain controller is never going to be able to reach those other sites, not ever. And based on my understanding of the topology that's now been generated in the Intersite Transports, it's not supposed to, either. This server is supposed to replicate with its replication partner, which is in the hub. Why is it trying to replicate with other Spoke servers which are not its partner (and who do not have this server listed as one of their inbound replication partners)? The KB article for Event 2904 recommends going to one of the RWDCs, selecting the site, and performing a "replicate configuration to selected Domain Controller" step, which I have done and which succeeds, but it does not stop the error from occurring.

Is this something I still need to track down and try to fix, or can this safely be ignored?

Hello Tech Masters,

Hope everyone is having a great day. 

I am investigating an Active Directory issue in Windows 2008 R2 domain. 

The environment is single 2008 R2 forest with 3 2008 R2 domains. Each domain has at least 3 2008 R2 domain controllers. 

My goal is to promote both the forest and domains to 2016 functional level.

I am replacing all 2008 R2 and 2012 R2 domain controllers by building new 2016 domain controllers. 

Issue: Browsing any of the 3 domains by domain name \\domain.local works if domain.local is pointing to specific domain controller (old PDC DC). This is happens in all 3 domains. Otherwise, it will error out "Windows cannot access \\domain.local.  

The issue is global to all computers in the 3 domains. 

I can ping all 3 domains by name successfully. 

I am able to navigate directly to any domain controller shares (Netlogon and Sysvol) using FGDN (ex: dc01.domain.local). 

Domain AD replication work properly in all domains. 

Group polices apply properly to users’ computers.

See attached error (screen shot).

Please share your thoughts if your thought if you have experienced same issue or you have the knowledge to help.

Thank You 

Raed

Hello All,

I believe I understand the answer to my question but want to clarify my understanding incase it is incorrect

I have a PowerShell script which looks at the ACL on an AD object and reurns a list of rights (with the SIDs and GUIDs translated)

If ran it against the "Domain Admins" group as I wanted to see who has what rights on this object, the script returns a number of results, some of which I have listed below (and it is those I want to clarify my understanding of).

Example 1

 ActiveDirectoryRights = GenericAll

 InheritanceType = None

 ObjectType = 00000000-0000-0000-0000-000000000000

 AccessControlType = Allow

 IdentityReference = Account Operators

Quesiton 1

Taking example 1 above, I believe this means the Group (e.g. IdentityReference) 'Account Operators',  has ALL rights (e.g. GenericAll which I believe meas all rights), to ALL properties (as object type is all 000... meaning not filtered) of the specidied object (in the case the Domain Admins group) as I believe InheritanceType of None means this object only.

Is my understanding above correct?

if so this means Account Operators could for example Add or Remove Members of the Domain Admins group as they would have the Write right to the Members property of the group

Again is my understanding above correct?

Example 2

 ActiveDirectoryRights = WriteProperty

 InheritanceType = All

 ObjectType = Member

 AccessControlType = Allow

 IdentityReference =  Domain\Exchange Windows Permissions

Along the same lines as my first question, I believe Example 2 above means the Group "Exchange Windows Permissions" (it is a group I checked), can Add or Remove other groups or users to and from the Domain Admins Group as they have the WriteProperty right to the Member property on the Domain Admins group

Is my understanding above correct please?

Example 3

 ActiveDirectoryRights = WriteProperty

 InheritanceType = Decendents

 ObjectType = 00000000-0000-0000-0000-000000000000
 
 InheritedObjectType = User

 AccessControlType = Allow

 IdentityReference =  Domain\GroupA

In the case of Example 3 above, I note the InheritanceType is 'Decendents' as I am looking at the ACL on a Group object (in this case Domain Admins group), I can only assume 'Decendents refers to members of the group? (although in my mind members are contained within the group rather than decendents of the group). If this does indeed refer to Membrs of the Group then does this mean GroupA (e.g.  IdentityReference) has the right to ammend ALL properties (objectType not filtered) for all the Users in the Group e.g. MrAdminUser1 and MrsAdminUser2 .. for example.  Thinking about it is Write is allowed to All properties of the Users in this group that would also include the MemberOf  attrribute/property meaning GroupA could remove other users from the Group by amending the MemberOf attribute/property on the User,

Again is my understanding above correct,

Thanks All

AAQ

Hi.....i have an app on my client's system

that needs admin's right for starting....

 I know that i can use RunAS app but

i'm looking for another way in windows ((((10))))....also I've tried

Task Scheduler and creating shortcut but.....they didn't work 

thank a lot..:)

I have the above situation.  Googled the error and found that I would need to disable FRS on all domain controller minus the one with the journal error and one with a good copy of the sysvol.  Is demoting the DC an option, removing AD from it so its just a stand alone file server or does this error situation prevent that?

Francisco Mercado Jr.

I have migrated the all the roles from the PDC on a 2012 datacenter to 2019 datacenter server successfully. 

However I tried to demote the server by powershell and using server manager and it seems... toasted. 

Powershell - i tried to force this too... same issue.

Uninstall-ADDSDomainController : Verification of prerequisites for Domain Controller promotion failed. Failed to
detect component binaries.
At line:1 char:1
+ Uninstall-ADDSDomainController -DemoteOperationMasterRole -RemoveApplicationPart ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Uninstall-ADDSDomainController], TestFailedException
    + FullyQualifiedErrorId : Test.VerifyDcPromoCore.DCPromo.General.64,Microsoft.DirectoryServices.Deployment.PowerSh
   ell.Commands.UninstallADDSDomainCommand

dcpromoui.log 

cpromoui C80.F5C 086A 20:23:15.039         Enter RegistryKey::GetValue-DWORD GCByDefault
dcpromoui C80.F5C 086B 20:23:15.039         HRESULT = 0x80070002
dcpromoui C80.F5C 086C 20:23:15.039         result = true
dcpromoui C80.F5C 086D 20:23:15.039       result = true
dcpromoui C80.F5C 086E 20:23:15.039     Enter ReadAllowIscsiFlag
dcpromoui C80.F5C 086F 20:23:15.039       Enter GetConfigFlag AllowIscsi
dcpromoui C80.F5C 0870 20:23:15.039         Enter RegistryKey::Open Software\Microsoft\Windows\CurrentVersion\AdminDebug\dcpromoui
dcpromoui C80.F5C 0871 20:23:15.039         Enter RegistryKey::GetValue-DWORD AllowIscsi
dcpromoui C80.F5C 0872 20:23:15.039         HRESULT = 0x80070002
dcpromoui C80.F5C 0873 20:23:15.039         result = true
dcpromoui C80.F5C 0874 20:23:15.039       result = false
dcpromoui C80.F5C 0875 20:23:15.039     Enter SetEncryptedAnswerFileOption AdministratorPassword
dcpromoui C80.F5C 0876 20:23:15.039       Enter AnswerFile::SetEncryptedOption AdministratorPassword
dcpromoui C80.F5C 0877 20:23:15.039     Enter ValidateAnswerFile
dcpromoui C80.F5C 0878 20:23:15.039       Enter AnswerFile::Validate
dcpromoui C80.F5C 0879 20:23:15.039     Enter State::GetUnclearedAnswerFilePasswords
dcpromoui C80.F5C 087A 20:23:15.039     Enter State::GetUnclearedAnswerFilePasswordReaons
dcpromoui C80.F5C 087B 20:23:15.039     Enter State::GetValidationWarnings
dcpromoui C80.F5C 087C 20:23:15.039     Info: Active Directory Domain Services Setup

dcpromoui C80.F5C 087D 20:23:15.039     Enter Start
dcpromoui C80.F5C 087E 20:23:15.039       Info: Validating environment and parameters...
dcpromoui C80.F5C 087F 20:23:15.039       Enter InitFunct
dcpromoui C80.F5C 0880 20:23:15.039         Enter State::GetMode NORMAL
dcpromoui C80.F5C 0881 20:23:15.039         Enter CbsGetUpdateInstallState
dcpromoui C80.F5C 0882 20:23:15.039           The category is 0
dcpromoui C80.F5C 0883 20:23:15.039           Enter FindRoleInfo
dcpromoui C80.F5C 0884 20:23:15.039             Enter CheckIsServerCore
dcpromoui C80.F5C 0885 20:23:15.039               It is not on server foundation
dcpromoui C80.F5C 0886 20:23:15.039               HRESULT = 0x00000000
dcpromoui C80.F5C 0887 20:23:15.039           Enter GetUpdateName
dcpromoui C80.F5C 0888 20:23:15.039           Enter GetPackageName
dcpromoui C80.F5C 0889 20:23:15.054             Unable to find identity string for package name Microsoft-Windows-ServerCore-Package
dcpromoui C80.F5C 088A 20:23:15.054           Failed to retrieve the parent package name
dcpromoui C80.F5C 088B 20:23:15.054           HRESULT = 0x80070002
dcpromoui C80.F5C 088C 20:23:15.054           HRESULT = 0x80070002
dcpromoui C80.F5C 088D 20:23:15.054       performed state 1, next state 37
dcpromoui C80.F5C 088E 20:23:15.054       Error: Failed to detect component binaries.
dcpromoui C80.F5C 088F 20:23:15.054       Enter State::GetHadNonCriticalFailures
dcpromoui C80.F5C 0890 20:23:15.054         bHadNonCriticalFailures = false
dcpromoui C80.F5C 0891 20:23:15.054     Enter State::UnbindFromReplicationPartnetDC
dcpromoui C80.F5C 0892 20:23:15.054     Exit code is 64
dcpromoui C80.F5C 0893 20:23:15.054   Exit code is 64
dcpromoui 974.13C 044E 20:46:25.201 closing log

64=install ad services????

I tried via the gui... 

I cannot get past the server selection window as I cannot select the server (that I am logged into)

Error message.......

The request to list features available on the specified server failed.
Unable to obtain the feature list.
The specified package is not valid Windows package. Error: 0x800f0805

Welcome to my world!!!!!!!!!!!!

darren hitchen

Hi Support team,

I have installed a new domain controller in my domain. Installed Windows 2012 R2, install AD DS role. And promote to domain controller.

After finishing the promotion, the server had worked fine but after some time approx 2 month late its give warning message,i  have to configure it but errors remaining same. the warning Post-Deployment configuration is still there, 

How can I avoid that warning and reconfigure it.



hello All,

if we move to domain controller win2019 and due to this SMBv1 will be completely blocked.

So my question is will we able to login to server 2003 and WIN XP , as the netlogon share cannot be utilised as SMBv1 protocol is blcoked now.

or we can login and just now access the file share in that server.

regards

Aamir

NA

Hi Everyone,

We have an ADLDS Instance running on windows server 2008 R2  and forest functional level of instance is windows server 2003 R2. We have an application which is relying on this instance and it already extended the schema with the application attributes. Initially ADsync was running which is now stopped and accounts are created manually.Now we are planning to include the recycle bin feature on this instance , my query is can we promote the forest functional level without upgrading schema? since i have read the article regarding enabling recycle bin needs to import the below .ldf files which i suspect it may conflict with application attributes.

MS-ADAM-Upgrade-1 and MS-ADAM-Upgrade-2 

Thanks in advance

I have two domain controllers both running Windows Server 2019 and within AD I have built two Granular password settings one for End Users and one for Admins. Within these settings I have set the password expiration time to 90 days however whilst the rest of the settings are applying (confimed with adjusting password length settings) the password expiration setting is not applying and defaults to 42 days.

I've gone over all group policy objects and ensured there are no password expiration settings enabled in all of them.

Can anyone assist or point me in the right direction of what I am missing please

Thanks 

Rob

Hi. I had a question about changing the grouptype attribute via ldif commands/ldifde. I get this error:

Add error on entry starting on line 1: Unwilling To Perform
The server side error is: 0x32 The request is not supported.
The extended server error is:
00000032: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0

when I have this as my file data:

dn:CN=Marketingtest1,OU=Marketing,DC=wallracs,DC=com
changeType:modify
replace:groupType
groupType:-2147483646
-

Is one not able to change the grouptype via ldif commands? Please help. Thank you.

I have one user account which keeps having its security inheritance disabled. If I enable it again it gets disabled again. It looks to get disabled again every hour at about 17 minutes to the hour after testing. I can see that the below is logged within the security event log that corresponds to the users username. Something must be running on the hour and resetting this.

Are there any further logs that will display more information about this change, as the below log is giving me nothing really to go on?

Event ID 4738 

A user account was changed.

Subject:
Security ID: ANONYMOUS LOGON
Account Name: ANONYMOUS LOGON
Account Domain:NT AUTHORITY
Logon ID: 0x3E6

Target Account:
Security ID: DOMAIN\USERNAME
Account Name: USERNAME
Account Domain:DOMAIN

Changed Attributes:
SAM Account Name:-
Display Name: -
User Principal Name:-
Home Directory:-
Home Drive: -
Script Path: -
Profile Path: -
User Workstations:-
Password Last Set:-
Account Expires:-
Primary Group ID:-
AllowedToDelegateTo:-
Old UAC Value:-
New UAC Value:-
User Account Control:-
User Parameters:-
SID History: -
Logon Hours: -

Additional Information:
Privileges: -

Hi all...! Ihave a pc with windows 7 and a domain with windows server 2003 sp2.

when i attempting to join in domain this pc with w7 show this error:

the following error occurred attempting to join the domain "name":

An attempt to resolve the dnd name of a domain controller in the domain being joined has failed. Pleasy verify this client is configured to reach a dns server that can resole dns names in the target domain. Please help me :(  (skipi2005@hotmail.com).  Thank You

Hi,

I want to add an custom attribute to the ad schema. The attribute is an outside of AD generated GUID (not related to any internal ad attribute like objectGUID). I want to add it to user objects using a dynamically linked auxiliary class.

I tried to use the same definitions for my attribute like the ones objectGUID is defined by in the schema: syntax octet-string with upperRange and lowerRange 16 Bytes. Here is my ldf file I import with ldifde:

# My GUID attribute
# =================

dn: CN=LabA-Guid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsschemaadd
objectClass: top
objectClass: attributeSchema
cn: LabA-Guid
lDAPDisplayName: labAGUID
adminDisplayName: LabA-Guid
adminDescription: LabA-Guid
attributeID: 1.3.6.1.4.1.18228.9999.111
# String(Octet):
attributeSyntax: 2.5.5.10
oMSyntax: 4
rangeLower: 16
rangeUpper: 16
isSingleValued: TRUE
searchFlags: 1
isMemberOfPartialAttributeSet: TRUE
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

# Object class
# ============

dn: CN=LabA-Person,CN=Schema,CN=Configuration,DC=X
changetype: ntdsschemaadd
objectClass: classSchema
cn: LabAPerson
lDAPDisplayName: labAPerson
adminDisplayName: LabA-Person
adminDescription: LabA-Person
governsID: 1.3.6.1.4.1.18228.9999.1
objectClassCategory: 3
subclassOf: top
rDNAttID: cn
# mayContain: labAGUID
mayContain: 1.3.6.1.4.1.18228.9999.111
defaultObjectCategory: CN=LabAPerson,cn=Schema,cn=Configuration,dc=X
systemOnly: FALSE

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

This works without errors and I can link the class to a user object and then insert a guid value to "labAGUID" in ADUC. But when I look at the value in ADUC I get a not the usual textual representation for GUIDs like objectGUID is getting (hexadecimal digits with hyphens, like xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) but instead a byte array (\xx\xx\xx\xx\xx\xx\xx\xx\xx\xx\xx\xx\xx\xx\xx\xx).

When I query the attribute in Powershell I also get a byte array. While objectGUID is returned as Guid:

PS C:\Users\Administrator> $user = Get-ADUser tstUser1 -Properties '*'
PS C:\Users\Administrator> $user.ObjectGUID

Guid
----
cb1d10cf-ee28-435f-a6ae-63af3e1dbbdd

PS C:\Users\Administrator> $user.ObjectGUID.GetType()

IsPublic IsSerial Name                                     BaseType
-------- -------- ----                                     --------
True     True     Guid                                     System.ValueType


PS C:\Users\Administrator> $user.labAGUID
207
16
29
203
40
238
95
67
166
174
99
175
62
29
187
221

PS C:\Users\Administrator> $user.labAGUID.GetType()

IsPublic IsSerial Name                                     BaseType
-------- -------- ----                                     --------
True     True     Byte[]                                   System.Array

So it is returned as a byte array. Now I understand that I added a 16 byte octet string attribute to the schema and I should expect a byte array. But objectGUID looks to me the same in the schema. But somehow AD treats it differently. Also there are other predefined attributes which behave like GUIDs.

It seems I'm missing something?

What do I have to change in my attribute definition so that it is treated as a GUID value and not a plain octet string?

Thanks!

hey guys,

I have an webpage application that allows users to update their contact details and the result is updated in Outlooks Address book.

The code does the following:

Display a web app

Get the computer's current user name, and display the current users name on the webpage

User updates data on the webpage

Use Active Directory to update the LDAP fields

The results:

The app works on Windows 7 and an early build of Windows 10 laptop.

On a later build version of the Windows 10 laptop, the app displays errors ‘User details for <UserID> not found, which is from the applications sub  PublicSub UpdateData()

The application is no longer able to Read/Write to AD/ LDAP.

I’m wondering if on the new Windows 10 build, a policy is ‘blocking/ or locking’ the application from reading and writing to AD/ LDAP. and what that maybe?

Any ideas as I need to provide the Win10 build guys information.

Ive attached the C# code, however I feel its image build related and not code related.

TIA

        Public Shared Function FindUserID() As String
            Return SecurityHelper.GetCurrentUserName().ToUpper()
        End Function


        Public Function GetData() As SearchResultCollection
            Dim lDAPMgr As LdapManager = New LdapManager()
            m_UserID = FindUserID()
            m_LdapUserFilter = String.Format("(&(objectclass=user)(" & LdapUserNameKey & "={0}))", m_UserID)
            Dim searchResultCollection As SearchResultCollection = Nothing

            Try
                searchResultCollection = lDAPMgr.DoSearch(New String() {}, m_LdapUserFilter)
            Catch e As Exception

                If searchResultCollection IsNot Nothing AndAlso searchResultCollection.Count = 0 Then
                    Throw New Exception(m_UserID.ToUpper() & " not found.", e)
                Else
                    LogExceptionDetails(e)
                End If
            End Try

            Return searchResultCollection
        End Function




        Public Sub UpdateData(ByVal bus As String, ByVal bus2 As String, ByVal fax As String, ByVal home As String, ByVal home2 As String, ByVal mob As String, ByVal pager As String, ByVal notes As String)
            Dim ds As DirectorySearcher = New DirectorySearcher()
            Dim de As DirectoryEntry = New DirectoryEntry()

            Try
                ds.Filter = m_LdapUserFilter
                de.Path = ds.FindOne().Path
                AssignPropertyValue(bus, ADProperties.Business, de)
                AssignPropertyValue(bus2, ADProperties.Business2, de)
                AssignPropertyValue(fax, ADProperties.Fax, de)
                AssignPropertyValue(home, ADProperties.Home, de)
                AssignPropertyValue(home2, ADProperties.Home2, de)
                AssignPropertyValue(mob, ADProperties.Mobile, de)
                AssignPropertyValue(pager, ADProperties.Pager, de)
                AssignPropertyValue(notes, ADProperties.Notes, de)
                de.CommitChanges()
            Catch __unusedUnauthorizedAccessException1__ As UnauthorizedAccessException
                Throw New Exception("Access denied.")
            Catch e As Exception
                LogExceptionDetails(e)
            End Try
        End Sub


    Module ADProperties
        Public Const Name As String = "name"
        Public Const Desc As String = "description"
        Public Const Title As String = "title"
        Public Const Dept As String = "department"
        Public Const Comp As String = "company"
        Public Const Business As String = "telephonenumber"
        Public Const Business2 As String = "othertelephone"
        Public Const Fax As String = "facsimiletelephonenumber"
        Public Const Home As String = "homephone"
        Public Const Home2 As String = "otherhomephone"
        Public Const Mobile As String = "mobile"
        Public Const Pager As String = "pager"
        Public Const Notes As String = "info"
    End Module