Channel: Directory Services forum
Viewing all 31638 articles

AD Replication

Hello Team,

I have around 45 AD servers: 2 servers are located on the local site, 1 is located on the DR site, and the rest are located across 45 locations. Currently my 2 local servers are replicating with all the remote servers.

Now I have created one more AD server on the local site and run the replication, but I suspect a problem, as the newly created server is not getting replicated with the AD servers at the other locations.

Need your suggestions / expertise for this issue.

My setup is one single-domain forest, i.e. amd.com, and all the others are DCs.

System - Yo


How to add a "last logon user" property to the computer objects queried through ADUC?

Hi everyone,

How can I add a "last logon user" property to the computer objects queried through ADUC? (e.g. image).

Sorry that my DC is in Chinese.

Best regards,

Yuxiang

13568 NTFRS error event - How to proceed

Hi!

We have a customer that has 3 DCs running W2008 R2.

The FSMO master server (the one that holds all the roles) is reporting NTFRS error 13568, saying that to recover the normal situation it is necessary to edit the registry and add the "Enable Journal Wrap Automatic Restore" DWORD value set to 1.

Is there any implication or something to take into account? Is what the event suggests the right way to proceed?


Cristian L Ruiz

Two domain controllers with 13568 and 13508 events

First of all, I apologize if this has been answered before. I have seen similar questions, but not quite the same as this, so I am posting it here.

Layout of the domain is like this:

  • two domain controllers named DC1 and DC2, both running Windows Server 2012 R2
  • DC1 holds all FSMO roles and both domain controllers are global catalog servers
  • domain and forest functional levels are 2012R2
  • more than 300 client computers in domain and about the same number of users
  • FRS replication for SYSVOL

Some time ago, due to several successive power failures, DC1 started logging eventID 13568 (JRNL_WRAP_ERROR) on every reboot, DC2 was logging 13508 and SYSVOL replication stopped. Both DCs had their copy of SYSVOL shared, but those copies were not in sync. A nonauthoritative restore using the D2 BurFlags value was attempted on DC2, and the result was that it stopped sharing SYSVOL and NETLOGON and once a day logs eventID 13508. The domain works fine in the sense that clients authenticate and don’t see any problem, since they can access SYSVOL on DC1. AD is replicating between DC1 and DC2, “repadmin /showrepl” passes all tests on both DCs and there are no DNS problems. DCDIAG on DC1 passes all tests and fails the advertising test on DC2, which is expected in this situation. Also, chkdsk on DC1 reports no errors on disk.

So, in a nutshell, current situation looks like this:

  • DC1 has a good copy of SYSVOL, shares SYSVOL and NETLOGON, and has journal wrap error 13568
  • DC2 has no copy of the SYSVOL folder and is not able to pull it from DC1 after the nonauthoritative D2 restore

From everything I read on this subject, I conclude that the next step should be authoritative (D4) restore on DC1, but I am somewhat confused because that is the DC with 13568 error. Every article I read says that I should find “good” DC and restore from there, but I don’t have any DC without errors in event viewer. My main concern is that DC1 would also stop sharing SYSVOL and NETLOGON, which would be a huge problem considering number of users and computers. I know that authoritative restore does not erase contents of sysvol folder like nonauthoritative does, but I am not a fan of “let’s see what this does” solutions and I can’t replicate this situation in my test environment. In my test lab, every DC is healthy and both types of restore work like a charm.

Member of a group inside another group can't reset the password of a user even with Force-Password-Change?

Hello,

I have a group which contains users, for example user1. Now that group is a member of another group named 'group2', and group2 has the Reset Password permission on user2.

Now when I try to change the password of user2 as user1, it says access is denied.

What am I missing? 

Thanks and regards


FRS nonauthoritative restore fails

We have a 7 site active directory environment with 1 DC at each site. All servers are running Windows Server 2012 R2 and are current on Windows updates. Our domain and forest functional levels are 2012 R2. 

I noticed last week that some group policy objects were not replicating to all our DCs. On 2 of the DCs, I noted recent JRNL_WRAP_ERROR entries in the File Replication Service log. On 1 of these DCs, I attempted a nonauthoritative restore of FRS using the BurFlags registry key as instructed in the following documentation: https://support.microsoft.com/en-us/help/290762/using-the-burflags-registry-key-to-reinitialize-file-replication-servi

This process appears to have failed due to Event ID 13508 in the FRS log. I have confirmed the first 2 reasons it lists are not the case. I am not sure how to confirm the 3rd reason.

[1] FRS can not correctly resolve the DNS name server.domain.com from this computer.
[2] FRS is not running on server.domain.com.
[3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.

Now the SYSVOL and NETLOGON shares are not shared on that server. I ran the Active Directory Replication Status Tool and it reports no errors.

I have not attempted an authoritative restore because I am concerned by the fact that all the automatic connections in Active Directory Sites and Services point to the other DC that has JRNL_WRAP_ERROR entries. I have not attempted a nonauthoritative FRS restore on this server. Please note that neither of the DCs holds the FSMO roles.

How can I safely fix this issue? If I have to perform the authoritative restore of FRS, where do I run it from? The server that holds all the FSMO roles? 

Thanks in advance.


Thanks, David
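The three FRS threads above (the 13568 event on the FSMO holder, the DC1/DC2 journal-wrap pair, and the failed D2 restore) all turn on the same question: which DCs are currently logging 13568 or 13508, which have a BurFlags restore pending, whether the automatic journal-wrap restore switch is set, and which are still sharing SYSVOL and NETLOGON. The PowerShell below is an added, read-only example written for this page; it is not code from any of the posters or from Microsoft. It assumes the ActiveDirectory RSAT module, remote event-log and remote-registry access to each DC, and that the DCs still use FRS (the NtFrs registry keys it reads do not exist on DFSR-migrated DCs, which the script reports instead of failing).

```powershell
# Added example (not from the posts above): read-only FRS/SYSVOL health snapshot for every DC.
# Assumes the ActiveDirectory module and an account that can read remote event logs and registry.
Import-Module ActiveDirectory

$frsKey      = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
$burFlagsKey = "$frsKey\Backup/Restore\Process at Startup"   # BurFlags lives here (D2 = 0xD2, D4 = 0xD4)

function Get-FrsHealth {
    param(
        [string[]]$DomainController = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
    )

    foreach ($dc in $DomainController) {
        # 13568 = JRNL_WRAP_ERROR on this DC; 13508 = FRS cannot replicate from a partner
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'File Replication Service'; Id = 13508, 13568; StartTime = (Get-Date).AddDays(-7)
        } -ErrorAction SilentlyContinue

        # Remote registry read: is the automatic journal-wrap restore switch set, and is a BurFlags restore pending?
        $auto = $null; $flags = $null; $usesFrs = $false
        $reg  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc)
        $params = $reg.OpenSubKey($frsKey)
        if ($params) {
            $usesFrs = $true
            $auto    = $params.GetValue('Enable Journal Wrap Automatic Restore')
            $startup = $reg.OpenSubKey($burFlagsKey)
            if ($startup) { $flags = $startup.GetValue('BurFlags') }
        }
        $reg.Close()
        $flagsText = if ($flags) { '0x{0:X}' -f [int]$flags } else { 'none' }

        # A DC that stopped advertising after a D2 restore will be missing these shares
        $shares = Get-SmbShare -CimSession $dc -Name SYSVOL, NETLOGON -ErrorAction SilentlyContinue

        [pscustomobject]@{
            DC                 = $dc
            UsesFrs            = $usesFrs
            JournalWrap13568   = @($events | Where-Object Id -eq 13568).Count
            NoPartner13508     = @($events | Where-Object Id -eq 13508).Count
            AutoRestoreEnabled = ($auto -eq 1)
            BurFlagsPending    = $flagsText
            SysvolShared       = (@($shares).Name -contains 'SYSVOL')
            NetlogonShared     = (@($shares).Name -contains 'NETLOGON')
        }
    }
}

Get-FrsHealth | Format-Table -AutoSize
```

A DC whose row shows no 13568, a shared SYSVOL and NETLOGON, and no pending BurFlags value is the "good" partner the articles in the second post refer to; when no such row exists, that is the situation the poster describes, and the table at least shows it before any BurFlags value is changed. The registry value that event 13568 suggests, "Enable Journal Wrap Automatic Restore" = 1, makes FRS perform the nonauthoritative (D2) restore on that DC by itself the next time the journal wraps, so it only helps where a healthy partner exists for the DC to pull from.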

AD Replication

Hello Folks,

Need your help with AD replication. I have 45 domain controllers in total: 2 in the local office, 1 at the DR site, and the rest deployed at remote locations. Now I have added one DC in the local site and one in the DR site.

Now my new DCs are getting replicated within their own sites only, i.e. the new local DC is replicated with the local DC and the DR one is replicated with the DR site server.

But my earlier local DC is replicating with the DCs at all other locations.

Please suggest how to replicate all my DCs with each other, i.e. so that the DCs at all locations get replicated with my newly created DC servers.

Thanks 

 

Hybrid Windows Hello for Business Questions

Hello - I am beginning to research what it will take to implement Windows Hello for Business, given our existing Hybrid Azure/O365 implementation (with ADFS on Server 2012R2 & most recent AADConnect).  I have a few questions that don't seem to be addressed very clearly in the documentation online:

  • Is ADFS required?  I would like to transition us to pass-through authentication if possible.  It looks like Hybrid Azure AD Join supports this, but it is not clear to me if WHfB requires ADFS for hybrid for other reasons.  If it is required, it looks like we'll need to upgrade to 2016.
  • What are the pros & cons of Key Trust vs Certificate Trust?  I'm leaning towards Certificate Trust simply because of the RDP support, but other than this, I'm not sure why I would pick one over the other.  We have 2016 DCs & Enterprise PKI.  I've read the writeup in the WHfB-FAQ, but I'm still not sure which one would be better (if RDP wasn't an issue, and we don't care about the extra effort of deploying certs to everyone).
  • What are the implications of a "destructive" PIN reset?  Is it something we should try to avoid if possible?
  • Federated vs Managed domain - Is this the one decision that dictates whether or not we will require ADFS?  I would lean towards Managed if Azure AD SSPR on the lockscreen is supposed to be coming soon.  Are there any other things to consider that aren't mentioned in the planning guide?
  • Do we need to use Intune? We have an on-prem MDM solution, and SCCM for desktops/laptops, so we've avoided Intune thus far.
  • If a Win10 device does not have TPM 2.0, is the TPM not used at all (ie, if it has TPM 1.2)?  If so, how are the keys secured?
  • Should I be asking our Desktop Team to begin converting all TPM 1.2s to 2.0 where possible? I understand they will also need to convert the partition table to GPT, make sure we have UEFI boot mode enabled, and decrypt BitLocker drives first, so I want to make sure this is definitely recommended before I ask.
  • Do Key Trust & Certificate Trust make your on-prem authentications more secure?  It would seem "yes" due to the length/complexity of keys/certs vs usernames/passwords, but I am curious if there are any write-ups about this.
  • I read that FIDO2 security key support is supposed to be coming in early 2020.  Are there any other cool things coming up soon, or particular websites to keep an eye on?

Thanks!


How does the Domain Controller validate the credentials of a Domain Member in AD?

I have some questions about how the Domain Controller validates the credentials for the Domain Member. I understand that the credentials entered into the login UI on the Domain Member by the user are sent to the Domain Controller and validated. If the credentials are valid, the user is allowed to log in to the Domain Member and the credentials are cached on the Domain Member. If the Domain Member cannot connect to the Domain Controller, the user can enter the latest valid password, which the user used to successfully log in to the Domain Member the last time.

The first question: if the Domain Member can connect to the Domain Controller, the Domain Member sends the credentials entered by the user to the Domain Controller. The Domain Controller validates whether the credentials are valid, and the Domain Member does not compare the entered credentials with the locally cached credentials. Is that right?

The second question: in some situations, the Domain Member compares the entered credentials with the locally cached credentials. The first one is that the Domain Member cannot connect to the Domain Controller because of a network problem. Are there other situations that can be listed in the forum?
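A way to observe the distinction the two questions above draw: Windows records in the logon type of Security event 4624 whether an interactive logon was validated by a domain controller or by the locally cached credential verifier (types 2, 7 and 10 for console, unlock and RDP logons validated online; 11, 12 and 13 for their cached equivalents), and the number of logons a member keeps cached is the CachedLogonsCount value behind the "Interactive logon: Number of previous logons to cache" policy. The script below is an added example written for this page, not the poster's code; it runs read-only on a domain member and needs local administrator rights to read the Security log.

```powershell
# Added example (not from the post above): which recent interactive logons on this domain
# member were validated by a domain controller and which were served from the local
# credential cache. Read-only; run as a local administrator so the Security log is readable.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsCount {
    # Backs the policy "Interactive logon: Number of previous logons to cache".
    # 0 disables cached logon (an offline user cannot sign in at all); the default is 10.
    $v = Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue
    if ($null -eq $v) { 10 } else { [int]$v.CachedLogonsCount }
}

# Logon types from the 4624 schema: online interactive types and their cached counterparts.
$onlineTypes = 2, 7, 10      # Interactive, Unlock, RemoteInteractive (validated by a DC)
$cachedTypes = 11, 12, 13    # CachedInteractive, CachedRemoteInteractive, CachedUnlock

function Get-LogonValidation {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $p    = $_.Properties        # positional fields of event 4624
        $type = [int]$p[8].Value     # LogonType
        if ($type -in $onlineTypes)     { $by = 'DomainController' }
        elseif ($type -in $cachedTypes) { $by = 'LocalCache' }
        else                            { return }   # skip network, service and batch logons
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = '{0}\{1}' -f $p[6].Value, $p[5].Value   # TargetDomainName\TargetUserName
            LogonType   = $type
            ValidatedBy = $by
            AuthPackage = $p[10].Value                             # AuthenticationPackageName
        }
    }
}

"CachedLogonsCount = $(Get-CachedLogonsCount)"
Get-LogonValidation | Sort-Object Time -Descending | Format-Table -AutoSize
```

Rows marked LocalCache are exactly the logons in the second question: the member could not reach a DC and accepted the password against the cached verifier. A LocalCache row for a machine that was on the corporate network at the time is worth following up, since it means the DCs were unreachable or not answering for that client.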

Privileged user in Active Directory

hi

I have a domain with the same policy, but when some users log in with an admin user they can install programs or make changes in software with the admin account, while I have some users who, when they log in with the admin account, can't change or install software and get an access denied error. What is the problem?

2016 DCPROMO

I am running DCPROMO to add 3rd server as an additional DC and now stuck at the attached screen. The Next button is grayed out. What is the resolution? 

The Servers are 2016 STD.

SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE. Backup domain controller issue.

Hello.

I have installed a new domain controller in my domain. I installed Windows 2016 Standard, installed the AD DS role, and promoted it to a domain controller. After the wizard ended, the new domain controller was rebooted. In Server Manager I have a warning under Post-deployment Configuration. When I open it and expand the description: "Error determining whether the target server is already a domain controller: The domain controller promotion completed, but the server is not advertising as a domain controller."

The old domain (main) controller based on windows server 2012.

How can I fix it?

1)dcdiag
2) repadmin /replsum
3) dsquery server

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = SRV16
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\SRV16
      Starting test: Connectivity
         ......................... SRV16 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\SRV16
      Starting test: Advertising
         Warning: DsGetDcName returned information for \\SRV.domena.local, when we were trying to reach SRV16.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... SRV16 failed test Advertising
      Starting test: FrsEvent
         ......................... SRV16 passed test FrsEvent
      Starting test: DFSREvent
         ......................... SRV16 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... SRV16 passed test SysVolCheck
      Starting test: KccEvent
         ......................... SRV16 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... SRV16 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... SRV16 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... SRV16 passed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\SRV16\netlogon)
         [SRV16] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
         ......................... SRV16 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... SRV16 passed test ObjectsReplicated
      Starting test: Replications
         ......................... SRV16 passed test Replications
      Starting test: RidManager
         ......................... SRV16 passed test RidManager
      Starting test: Services
         ......................... SRV16 passed test Services
      Starting test: SystemLog
         ......................... SRV16 passed test SystemLog
      Starting test: VerifyReferences
         ......................... SRV16 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : domena
      Starting test: CheckSDRefDom
         ......................... domena passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... domena passed test CrossRefValidation

   Running enterprise tests on : domena.local
      Starting test: LocatorCheck
         ......................... domena.local passed test LocatorCheck
      Starting test: Intersite
         ......................... domena.local passed test Intersite

C:\Windows\system32>repadmin /replsum
Replication Summary Start Time: 2019-12-18 13:54:58

Beginning data collection for replication summary, this may take awhile:
  .....


Source DSA          largest delta    fails/total %%   error
 SRV                       08m:08s    0 /   5    0
 SRV16                     55m:02s    0 /   5    0


Destination DSA     largest delta    fails/total %%   error
 SRV                       55m:02s    0 /   5    0
 SRV16                     08m:08s    0 /   5    0



C:\Windows\system32>dsquery server
"CN=SRV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domena,DC=local"
"CN=SRV16,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domena,DC=local"

The remote server which is the owner of a FSMO role is not responding. This server has not replicated with the FSMO role owner recently

Hi Team,

Please help, how to fix this message on the domain controller.

 

The remote server which is the owner of a FSMO role is not responding.  This server has not replicated with the FSMO role owner recently. 

Operations which require contacting a FSMO operation master will fail until this condition is corrected. 

Thank you.
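The two "AD Replication" posts above and this FSMO message are the same diagnostic question seen from different ends: which DCs each DC actually pulls from, whether any of those links are failing, and whether the five role holders are reachable at all. The PowerShell below is an added example written for this page, not code from any of the posters; it assumes the ActiveDirectory RSAT module and an account allowed to query every DC, and it only reads.

```powershell
# Added example (not from the posts above): replication and FSMO-owner health snapshot.
# Assumes the ActiveDirectory module (RSAT) and an account that can query every DC. Read-only.
Import-Module ActiveDirectory

function Get-ReplicationSnapshot {
    $domain = Get-ADDomain
    $forest = Get-ADForest

    # Who holds each FSMO role, and can this machine reach the holder on LDAP (TCP 389)?
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    $fsmo = foreach ($r in $roles.GetEnumerator()) {
        [pscustomobject]@{
            Role      = $r.Key
            Holder    = $r.Value
            LdapReach = Test-NetConnection -ComputerName $r.Value -Port 389 `
                            -InformationLevel Quiet -WarningAction SilentlyContinue
        }
    }

    # Inbound partner per DC and partition. A new DC whose partners are all in its own site
    # has no intersite connection yet; the KCC builds those over the site links defined in
    # Sites and Services, through each site's bridgehead server.
    $partners = Get-ADReplicationPartnerMetadata -Target $forest.Name -Scope Forest -PartnerType Inbound |
        Select-Object Server, Partition, Partner, LastReplicationSuccess,
                      LastReplicationResult, ConsecutiveReplicationFailures

    # Links that are currently failing, with the error code the source returned
    $failures = Get-ADReplicationFailure -Target $forest.Name -Scope Forest

    [pscustomobject]@{ FsmoOwners = $fsmo; InboundPartners = $partners; Failures = $failures }
}

$snap = Get-ReplicationSnapshot
$snap.FsmoOwners      | Format-Table -AutoSize
$snap.InboundPartners | Sort-Object Server, Partition | Format-Table -AutoSize
$snap.Failures        | Format-Table Server, Partner, FirstFailureTime, FailureCount, LastError -AutoSize
```

For the replication posts, look at the InboundPartners rows for the new DC: if every Partner sits in the same site, the missing piece is the intersite topology (site links and bridgeheads in Sites and Services), not the DC itself. For the FSMO message, a role holder with LdapReach = False is the server (or the DNS record that resolves it) to inspect, and the Failures table shows whether the local DC has been able to replicate from it at all.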

LDAP query failed

Hi All

I have a monitoring solution which threw an alert that an LDAP query has failed on my DC02. There is not much information in the alert, and I am not sure what needs to be checked. Experts, please guide me on this.

Account lockout

Hi

We frequently get the "Referenced account is locked out and may not be logged on to" error in Windows 10.

Account is domain account standard user 

Server : 2016

We unlock the account and within a few minutes the account is locked again!!!

We checked the following things:

Run the antivirus scanner no virus found (Kaspersky end point)

We deleted credential manager password 

UnMap and map the share drive and deleted cache 

We see the following log in event viewer, on server 2016

The SAM database was unable to lockout the account of  due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.

Thanks and regards 

Karthick



System proxy setting set to false at random interval

Since a couple of weeks ago, when I have my proxy enabled (for the work environment), it disables the proxy at random intervals. This happens quite a lot during the day.

I have looked at the Event log and found that Applications and Services Logs > Microsoft > Windows > WinHttp > ProxyConfigChanged logs these changes. However, there is not enough information for me to determine what is causing this.

All the logging statements in the Event log say:

The description for Event ID 5600 from source Microsoft-Windows-WinINet-Config cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

So I am stuck pinpointing why the proxy keeps disabling. Does anyone have any clue on where to start looking further?

Deploying Windows Hello for Business on-premises Device registration not working

Hi,
Sorry for the double posting; the original thread started with a somewhat different question. So, I'm trying to deploy Windows Hello for Business Certificate Trust on-premises in my workplace. I followed the guide for deploying Key Trust authentication, but later changed it to Certificate Trust (I'm not sure I've cleaned up all of the Key Trust settings, since most of them are the same for both Key and Certificate Trust). However, it seems I have a problem with the AD FS device registration. It seems the devices don't get registered, and I can't think of what I've done wrong for this to happen. I've managed to get to the point where I get "This sign-in option is only available when connected to your organization's network". And here's what "dsregcmd /status" and "dsregcmd /debug" give me as results:

+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : NO
          EnterpriseJoined : YES
              DomainJoined : YES
                DomainName : <domain name>

+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+

                  DeviceId : f7c113b3-18d2-4da8-baa7-45fd45431096
                Thumbprint : 756CDDBC67B7FA994A05F766F81E3A5429DACDC7
 DeviceCertificateValidity : [ 2019-12-17 10:50:34.000 UTC -- 2029-12-14 11:00:34.000 UTC ]
            KeyContainerId : 5303e1fb-1d9b-4993-a58e-b15720fdc4be
               KeyProvider : Microsoft Platform Crypto Provider
              TpmProtected : YES

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : 
                  TenantId : 383a3889-5bc9-47a3-846c-2b70f0b7fe0e
                       Idp : login.windows.net
               AuthCodeUrl : https://fs.<domain name>.org/adfs/oauth2/authorize
            AccessTokenUrl : https://fs.<domain name>.org/adfs/oauth2/token
                    MdmUrl : 
                 MdmTouUrl : 
          MdmComplianceUrl : 
               SettingsUrl : 
            JoinSrvVersion : 1.0
                JoinSrvUrl : https://fs.<domain name>.org/EnrollmentServer/device/
                 JoinSrvId : urn:ms-drs:434DF4A9-3CF2-4C1D-917E-2CD2B72F515A
             KeySrvVersion : 1.0
                 KeySrvUrl : https://fs.<domain name>.org/EnrollmentServer/key/
                  KeySrvId : urn:ms-drs:434DF4A9-3CF2-4C1D-917E-2CD2B72F515A
        WebAuthNSrvVersion : 1.0
            WebAuthNSrvUrl : https://fs.<domain name>.org/webauthn/383a3889-5bc9-47a3-846c-2b70f0b7fe0e/
             WebAuthNSrvId : urn:ms-drs:434DF4A9-3CF2-4C1D-917E-2CD2B72F515A
    DeviceManagementSrvVer : 1.0
    DeviceManagementSrvUrl : https://fs.<domain name>.org/manage/383a3889-5bc9-47a3-846c-2b70f0b7fe0e/
     DeviceManagementSrvId : urn:ms-drs:434DF4A9-3CF2-4C1D-917E-2CD2B72F515A

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : NO
             WamDefaultSet : NO

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : NO
       AzureAdPrtAuthority : 
             EnterprisePrt : NO
    EnterprisePrtAuthority : 

+----------------------------------------------------------------------+
| Diagnostic Data                                                      |
+----------------------------------------------------------------------+

        AadRecoveryEnabled : NO
               KeySignTest : PASSED

+----------------------------------------------------------------------+
| Ngc Prerequisite Check                                               |
+----------------------------------------------------------------------+

            IsDeviceJoined : YES
             IsUserAzureAD : NO
             PolicyEnabled : YES
          PostLogonEnabled : YES
            DeviceEligible : YES
        SessionIsNotRemote : YES
            CertEnrollment : enrollment authority
          AdfsRefreshToken : NO
             AdfsRaIsReady : NO
    LogonCertTemplateReady : UNKNOWN
              PreReqResult : WillNotProvision

 
dsregcmd::wmain logging initialized.
DsrCmdJoinHelper::Join: ClientRequestId: f3eb70f9-aed9-441e-8607-eb22a2dae9f8
PreJoinChecks Complete.

preCheckResult: DoNotJoin

deviceKeysHealthy: undefined

isJoined: undefined

isDcAvailable: undefined

isSystem: NO

keyProvider: undefined

keyContainer: undefined

dsrInstance: undefined

elapsedSeconds: 0

resultCode: 0x1

The device can NOT be joined. The process MUST run as NT AUTHORITY\SYSTEM.

If you have any suggestions on what I should do: the Docs are good, but at a certain point they turn into "for more information, check ******" again and again, and suddenly I'm at 20 tabs and can't follow where I was and where I'm going.

Thanks in advance.

//Edit

When I restart the device, supposed to be registered, I get the following Error log on the AD FS server "AD FS -> Admin" Event logs:

Encountered error during OAuth token request. 

Additional Data 

Exception details: 
Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthUnauthorizedClientException: MSIS9368: Received invalid OAuth request. The client '38aa3b87-a06d-4817-b275-7a316988d93b' is forbidden to access the resource 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' with scope 'ugs'.
   at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthProtocolContext.ValidateScopes(String scopeParameter, String clientId, String relyingPartyId)
   at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthJWTBearerRequestContext.ValidateCore()

On the machine, in "Applications and Services Logs -> Microsoft -> Windows -> AAD -> Operational", 4 logs appear after rebooting the PC:

Http request status: 400. Method: POST Endpoint Uri: https://fs.<domain name>.org/adfs/oauth2/token Correlation ID: 7A2A19EB-8888-4DC8-9957-408092271DC2

OAuth response error: unauthorized_client
Error description: MSIS9605: The client is not allowed to access the requested resource.
CorrelationID: 

Enterprise STS Logon failure. Status: 0xC000006D Correlation ID: 7A2A19EB-8888-4DC8-9957-408092271DC2

Logon failure. Status: 0xC000006D Correlation ID: 7A2A19EB-8888-4DC8-9957-408092271DC2

Any help will be appreciated. Thanks in advance.


What essential privileges


What essential privileges should a new system administrator in the team be given on Active Directory / DCs in order to let him access areas like ADUC, Sites and Services, GPMC, etc. for an overview of the domain without allowing any changes?

Testing disaster forest recovery - no DC catalog in domain

I'm trying to set up a disaster recovery backup and I'm testing a recovery scenario in isolation. Here's what I did thus far:

- I've made a bare-metal and system-state backups with Windows Server Backup of one of our DC VMs
- I've placed the backup onto a VHDX drive
- I've created a new Hyper-V VM; it's connected to a private (isolated) network, and I attached the VHDX with the backups. Using a Windows Server 2016 ISO I restored the bare-metal backup
- I've reconfigured the network adapter to have the same IP as the original DC VM
- I've entered DC recovery mode and restored the system-state backup as AUTHORITATIVE
- I've seized all domain and forest roles

Now, post boot the server has no SYSVOL and NETLOGON shares. The network is not identified as a domain, but is "unidentified public". DNS is working fine and NSLOOKUP calls seem to be correct. I cannot access the AD Users and Computers MMC because I get a "Naming information cannot be located because the specified domain either does not exist or could not be contacted" error.

Here are the DCDIAG results: https://pastebin.com/dRqZPrGU (it's too long to paste here as there's an error related to Azure AD sync that's spammed all over the log, unfortunately).

Any idea what's going on here? Am I doing something wrong or is there something wrong with the backup? Or is there something wrong with the original DC VM server and it's not a viable source for a DC backup?

domain network connected vs private network connected

I have the following question.

I have a Windows Server 2012 R2 with Active Directory installed, DNS, DHCP, etc.

Connected to this server there are 2 Windows 10 PCs with the latest updates. Both PCs are members of the Active Directory domain.

When I go to Control Panel > Windows Defender Firewall, both machines are connected as a Private network connection. When I disconnect a PC from the directory and re-join, this PC shows the Domain network connection as active. After a reboot of the system it switches back to the private network connection. Is there any way to keep them on the domain network instead of the private network?

The reason for this is that sometimes one of my PCs can't get network connectivity with the server.

The server is also connected as a private network connection.

Any help will be greatly appreciated.
