Channel: Directory Services forum

Domain Owner server not booting but will boot safe mode when selecting Directory Services Restore Mode


Hello. We have an issue where our primary domain owner server started booting to a blue screen. The code is 0xc00002e2.

If we select DSRM, it boots to safe mode, but dcdiag shows all kinds of problems. I am not exactly sure of the next best steps. Do I try to fix the problem, which I am having trouble identifying exactly? Should we do a "role" seizure? That is something I have never done, and I am a little nervous about what might happen. Is there a rebuild routine that might find/fix issues with AD?

Any assistance would be greatly appreciated...

thx !


Certification autority to secure mail


Hi,

I've installed a local (Windows Server) certification authority (CA) in my Active Directory. I've used the CA to grant a personal certificate to my users to encrypt and sign mail within my organisation. A certificate request is issued by the user, and the CA accepts it and delivers a personal certificate to the user. Then the user can configure Outlook to use the certificate.

It usually works, but the problem I have is that when the user's PC dies and is replaced, I can't export the already issued certificate to the user. The user is forced to request a new certificate, which works with new emails, but older ones cannot be read because they are encrypted with the old one.

Is there a way to recover the old certificate from the CA and reinstall it on the client PC?

Thanks

Luc

How to configure LDAP referrals between two different forest


Hi,

I have two different forests running in our infrastructure, Forest A and Forest B. One of the applications is part of Forest A. The users under Forest B want to access the application with their domain credentials. We do not want to create any trust between them because the requirement is to access LDAP only.

How do I create LDAP referrals between those forests to access LDAP?

Any help is highly appreciated.

DNS Server Service 4015


Hello Microsoft TechNet,

Please can you help with the query below.

We have introduced two new Windows 2016 Domain Controllers to a Windows 2008 R2 Active Directory.

We are seeing the error below in Event Viewer

Error ID 4015

The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly.

The Forest and Domain functional levels have been left at 2008 R2 as there are still other Windows 2008 R2 Domain Controllers in existence in the Active Directory.

Please can you help troubleshoot this error.

Many Thanks in Advance.

Dan,

Question on multiple accounts for one person


Dear guys and girls,

With ransomware attacks and security guidelines, what do you do to contain the threat?

Let's say we create different accounts for users with extensive permissions.

You would have:

- User account

- File server manager 

- Server manager

- Domain Admin

For Functional administrators:

- User account

- Server account

- Test account


Well, you see the problem here. People are getting nervous with that many accounts and passwords. There are solutions for temporary delegation, but I wonder if there are more security solutions so that you don't have to make 5 accounts for 1 administrator.

Unable to find cause of account lockouts


We are having accounts get locked out. From the logs on the DC, in the security log, we see event ID 4776 for these users, but the source workstation is blank. On the DC we have the netlogon log, and I can see an entry saying it's coming from our Wi-Fi RADIUS server. On the RADIUS server there is an entry in its netlogon log; however, it doesn't tell me where the attempt is coming from, and the RADIUS logs themselves don't have any entries related to the users getting locked out. Is there any way I can tell what's causing this?



DC

02/05 07:54:41 [LOGON] [2452] XXXXX: SamLogon: Transitive Network logon of XXXXX\USER from  (via RADIUSSVR) Entered

02/05 07:54:41 [LOGON] [2452] XXXXX: SamLogon: Transitive Network logon of XXXXX\USER from  (via RADIUSSVR) Returns 0xC000006A



RADIUS server

02/05 07:54:41 [LOGON] [2044] SamLogon: Network logon of XXXXX\USER from  Entered

02/05 07:54:41 [LOGON] [2044] SamLogon: Network logon of XXXXX\USER from  Returns 0xC000006A


Jason
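Added example (not from the original post): a small parser for netlogon.log "Returns" lines that groups failed logons per account, records whether the originating workstation field was blank, and names the "(via ...)" host the logon was forwarded through. The sample lines are constructed in the same shape as the post's entries (domain CORP, forwarding host RADIUSSVR are placeholders, not real data); the NTSTATUS names are the standard values netlogon prints.

```python
import re

# NTSTATUS values that netlogon.log prints after "Returns"
STATUS = {
    0x0: "success",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# One netlogon.log "Returns" line; "Entered" lines carry no outcome and do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] \[\d+\] (?:\S+: )?SamLogon: "
    r"(?P<kind>Transitive Network|Network|Interactive) logon of (?P<account>\S+) "
    r"from (?P<source>\S*)\s*(?:\(via (?P<via>[^)]+)\))?\s*Returns (?P<status>0x[0-9A-Fa-f]+)"
)

# Constructed sample in the same shape as the post's lines (not real data)
DC_LOG = """\
02/05 07:54:41 [LOGON] [2452] CORP: SamLogon: Transitive Network logon of CORP\\jdoe from  (via RADIUSSVR) Entered
02/05 07:54:41 [LOGON] [2452] CORP: SamLogon: Transitive Network logon of CORP\\jdoe from  (via RADIUSSVR) Returns 0xC000006A
02/05 07:54:43 [LOGON] [2452] CORP: SamLogon: Transitive Network logon of CORP\\jdoe from  (via RADIUSSVR) Returns 0xC000006A
02/05 07:54:45 [LOGON] [2452] CORP: SamLogon: Transitive Network logon of CORP\\jdoe from  (via RADIUSSVR) Returns 0xC0000234
02/05 07:55:02 [LOGON] [2452] CORP: SamLogon: Network logon of CORP\\asmith from WS-0042 Returns 0x0
02/05 07:55:10 [LOGON] [2452] CORP: SamLogon: Network logon of CORP\\bkim from WS-0017 Returns 0xC000006A
"""


def parse_netlogon(text):
    """Yield one dict per 'Returns' line with the status decoded to an int."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"], 16)
            yield rec


def summarize_failures(text):
    """Per account: failure counts by status, forwarding hosts, recorded sources,
    whether the source field was ever blank, and whether a lockout status was seen."""
    out = {}
    for rec in parse_netlogon(text):
        if rec["status"] == 0:
            continue
        e = out.setdefault(rec["account"], {"by_status": {}, "via": set(), "sources": set(),
                                            "source_blank": False, "locked_out": False})
        name = STATUS.get(rec["status"], hex(rec["status"]))
        e["by_status"][name] = e["by_status"].get(name, 0) + 1
        if rec["via"]:
            e["via"].add(rec["via"])
        if rec["source"]:
            e["sources"].add(rec["source"])
        else:
            e["source_blank"] = True
        if rec["status"] == 0xC0000234:
            e["locked_out"] = True
    return out


def next_hop(entry):
    """A blank source on a forwarded logon means this host never saw the client;
    the forwarding host is the next place the trail can be picked up."""
    if entry["source_blank"] and entry["via"]:
        return "source not recorded here; inspect " + ", ".join(sorted(entry["via"]))
    if entry["source_blank"]:
        return "source not recorded; logon reached this host directly"
    return "source recorded: " + ", ".join(sorted(entry["sources"]))


if __name__ == "__main__":
    for account, entry in summarize_failures(DC_LOG).items():
        print(account, entry["by_status"], "locked_out=%s" % entry["locked_out"], "->", next_hop(entry))
```

The summary makes the post's situation explicit: the DC's line can only say "via RADIUSSVR", so the account's bad-password burst has to be followed on that host, where the netlogon entry again carries no source and the RADIUS service's own records are what would name the client.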

3 domain controllers, migrated SYSVOL replication from FRS to DFSR, but then had to restore the PDC to a backup that was still on FRS... now cannot replicate


Hello all,

I have an issue and I would like some assistance.

I have 3 domain controllers, and I successfully migrated the SYSVOL replication from File Replication Service (FRS) to Distributed File System Replication (DFSR) one week ago.

Then, when I was trying something else, my DHCP broke on the PDC, so I had to restore to a backup, and the latest backup I had was from before the migration of SYSVOL. So now I get error messages.

PDC: when I run the command dfsrmig /getmigrationstate I get that the PDC is in the (eliminating) state.

When I run the same command from the other two domain controllers I get: "Unable to connect to the PDC emulator. Make sure that the PDC is reachable and retry the command later."

Any help would be appreciated.


DFSR Migration State Stuck on Eliminating


A few days ago I started a FRS to DFSR migration.
My migration is now stuck in a state of Eliminating on several of my 2008 R2 domain controllers.  I have other 2012 domain controllers that completed successfully.
The domain functional level is 2008 R2.

The FSMO roles are running on a 2012 domain controller.

Reviewing the DFS Replication log on the problem 2008 R2 domain controller, I see the following 2 error-level Event IDs:
8020 - 
DFSR Migration was unable to delete the NTFRS local settings on Domain Controller XXX. This could be because DFSR was unable to connect to the Domain Controller XXX. If the Domain Controller XXX is a Read-only Domain Controller, the NTFRS local settings will be deleted by the Primary Domain Controller the next time DFSR polls the Active Directory. To forcefully delete these settings, execute the command 'dfsrmig /DeleteRoNtfrsMember' on any writable Domain Controller. 
Additional Information: 
Local Domain Controller: XXX 
Connected Domain Controller: XXX 
Error: 5 (Access is denied.)

8029- 
DFSR Migration was unable to transition to the 'ELIMINATED' state for Domain Controller XXX. DFSR will retry the next time it polls the Active Directory. To force an immediate retry, execute the command 'dfsrdiag /pollad'. 
Additional Information:
Domain Controller: XXX
Error: 5 (Access is denied.)

The domain controllers stuck in an Eliminating state are writable DCs (not read-only).

I have tried forcing replication, rebooting, restarting services, pollad, etc.
I reviewed the DFSR debug log (c:\windows\debug) and it appears there are insufficient rights to delete AD objects.

20180221 23:59:59.194 8200 CFAD  2809 [ERROR] Config::AdObjectEditor::DeleteSubTree Failed to ldap_delete_s(). dn:cn=XXX,cn=Domain System Volume (SYSVOL share),cn=File Replication Service,cn=system,DC=XXX,DC=local Error:Insufficient Rights
20180221 23:59:59.194 8200 SYSM   586 [ERROR] Migration::SysvolMigrationTask::Step [MIG] Failed Migration task. Error:
+[Error:5(0x5) Migration::SysVolMigration::Migrate migrationserver.cpp:1200 8200 W Access is denied.]
+[Error:5(0x5) Migration::SysVolMigration::StepToNextStableState migrationserver.cpp:1271 8200 W Access is denied.]
+[Error:5(0x5) Migration::SysVolMigration::EliminateNtFrs migrationserver.cpp:1747 8200 W Access is denied.]
+[Error:5(0x5) Migration::SysVolMigration::DeleteNtFrsAdObjects migrationserver.cpp:3551 8200 W Access is denied.]
+[Error:5(0x5) Migration::SysVolMigration::DeleteNtFrsSettings migrationserver.cpp:3624 8200 W Access is denied.]
+[Error:5(0x5) Config::AdObjectEditor::DeleteObject ad.cpp:3016 8200 W Access is denied.]
+[Error:5(0x5) Config::AdObjectEditor::DeleteSubTree ad.cpp:2820 8200 W Access is denied.]
+[Error:5(0x5) Config::AdObjectEditor::DeleteSubTree ad.cpp:2816 8200 W Access is denied.]
+[Error:50(0x32) Config::AdObjectEditor::DeleteSubTree ad.cpp:2816 8200 U Insufficient Rights

How do I determine what access rights are needed and how to set them properly?

Any other suggestions to get out of the Eliminating state would be helpful.
Replication looks to be working otherwise.

Thank you,

Mike 


LDAP Channel Binding and Signing issue


I am having issues with Macs connecting to the domain and I just want to understand what the error message means. 

The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection. 
Client IP address:
10.63.10.23:55885 
Identity the client attempted to authenticate as:
Domain\test-mac$ 
Binding Type:
0

Plus, I am seeing some services connect with Binding Type: 1

When I force the Mac to use signing, it just doesn't connect (dsconfigad -packetencrypt ssl or dsconfigad -packetsign require).

Is this an actual issue that I need to be worried about or what?

Thank you
Charles
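Added example (not from the original post): a parser for the Directory Service event text quoted above (event 2889, which the DC logs once LDAP interface event diagnostics are raised) that pulls out the client address, the identity and the Binding Type, and then lists which clients would be affected by enforcing signing. The two sample events are constructed in the same format as the post's (addresses from the 192.0.2.0/24 documentation range, names CORP\test-mac$ and CORP\svc-app are placeholders). Binding Type 0 is an unsigned SASL bind and 1 is a simple bind on a cleartext connection, which is the meaning the event text itself gives.

```python
import re

# Binding Type values reported in Directory Service event 2889
BINDING_TYPE = {
    0: "SASL bind without requesting signing (integrity verification)",
    1: "simple bind over a cleartext (non-SSL/TLS) LDAP connection",
}

EVENT_RE = re.compile(
    r"Client IP address:\s*(?P<ip>\S+?):(?P<port>\d+)\s*"
    r"Identity the client attempted to authenticate as:\s*(?P<identity>\S+)\s*"
    r"Binding Type:\s*(?P<btype>\d+)"
)

# Constructed sample events in the format shown in the post (placeholder addresses and names)
EVENT_MAC = """\
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.
Client IP address:
192.0.2.23:55885
Identity the client attempted to authenticate as:
CORP\\test-mac$
Binding Type:
0
"""

EVENT_SVC = """\
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.
Client IP address:
192.0.2.40:49211
Identity the client attempted to authenticate as:
CORP\\svc-app
Binding Type:
1
"""


def parse_2889(text):
    """Extract the fields of one 2889 event; None when the text is not such an event."""
    m = EVENT_RE.search(text)
    if not m:
        return None
    btype = int(m.group("btype"))
    identity = m.group("identity")
    return {
        "ip": m.group("ip"),
        "port": int(m.group("port")),
        "identity": identity,
        "binding_type": btype,
        "meaning": BINDING_TYPE.get(btype, "unknown binding type"),
        "computer_account": identity.endswith("$"),   # machine accounts end in $
    }


def enforcement_impact(events):
    """Split clients into those that must start requesting signing (type 0) and those
    that must move their simple bind onto an SSL/TLS-protected connection (type 1)."""
    impact = {"needs_signing": [], "needs_tls": []}
    for text in events:
        rec = parse_2889(text)
        if rec is None:
            continue
        key = "needs_signing" if rec["binding_type"] == 0 else "needs_tls"
        impact[key].append((rec["identity"], rec["ip"]))
    return impact


if __name__ == "__main__":
    for text in (EVENT_MAC, EVENT_SVC):
        rec = parse_2889(text)
        print(rec["identity"], rec["ip"], "->", rec["meaning"])
    print(enforcement_impact([EVENT_MAC, EVENT_SVC]))
```

Run over an export of the Directory Service log, the `needs_signing` and `needs_tls` lists are the inventory of clients to fix before the server-side signing requirement is raised; a computer account such as the Mac's shows up under the first list, a service doing a plain simple bind under the second.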

LDAP Over SSL communication failing with Exception-"The user name or password is incorrect.\r\n"


Hi, 

I am facing an issue while performing a directory search across domains. I have two different domains, DOMAIN100.LAB and DOMAIN200.LAB. There is no trust relationship between these two domains.

My app is running in DOMAIN100.LAB and performing a directory search operation on DOMAIN200.LAB. The application is able to bind with the DC and access properties, but the directory search fails with the exception below.

Note: it works fine if I set up a trust relationship between the two domains DOMAIN100.LAB and DOMAIN200.LAB.

Exception msg: "The user name or password is incorrect.\r\n"

   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_AdsObject()
   at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
   at System.DirectoryServices.DirectorySearcher.FindAll()
   at ConsoleApp1.Program.Main(String[] args) in C:\Users\administrator.DRDOM450\source\repos\MyApp1\ConsoleApp1\Program.cs:line 229

Code: C# code from my app, for listing all DCs from domain DOMAIN200.LAB:

using System;
using System.DirectoryServices;

string userName = "DOMAIN100\\administrator";
string password = "Control123";
string strDCName = "MYDC201.DOMAIN200.LAB";

try
{
    SearchResultCollection results = null;

    // Bind to rootDSE on the named DOMAIN200 DC over LDAPS, using DOMAIN100 credentials
    DirectoryEntry deRootDSE = new DirectoryEntry($"LDAP://{strDCName}/rootDSE", userName, password, AuthenticationTypes.SecureSocketsLayer);
    if (null != deRootDSE)
    {
        // Note: this path carries no server name, so ADSI performs a serverless bind,
        // which locates a DC for the caller's own domain rather than for strDCName
        string strPath = @"LDAP://" + deRootDSE.Properties["configurationNamingContext"].Value.ToString();
        DirectoryEntry de = new DirectoryEntry(strPath, userName, password, AuthenticationTypes.SecureSocketsLayer);
        if (null != de)
        {
            string[] strPropList = { "name" };
            DirectorySearcher searcher = new DirectorySearcher(de, "(objectcategory=server)", strPropList);
            if (null != searcher)
            {
                // The exception in the post is thrown here, when the searcher binds to 'de'
                results = searcher.FindAll();
            }
        }
    }
}
catch (Exception exxx)
{
    Console.WriteLine($"exception {exxx.Message}");
}

Please help to fix the issue.

Thanks & Regards 

Prasad

Multi-tenant AD and Azure AD Connect


We have a multi-tenant AD on Server 2016 and 2019. Each tenant has a separate domain UPN they use to log in with. The tenants are in separate OUs with appropriate permissions, so they are completely isolated from each other. Is it possible to set up AD sync with Azure AD Connect for our multi-tenant AD so that we can set up a DC and resource servers for each tenant, configured as the domain for their UPN login? For example: our multi-tenant AD has tenant1 with user1@abccorp.com and user2@abccorp.com, and tenant2 with user1@123corp.com and user2@123corp.com. We set up the network for tenant1 as domain abccorp.com and the servers for tenant2 as domain 123corp.com. All groups (domains) of servers are in isolated networks. So it would be a multi-tenant AD sync to Azure, and a DC for each tenant domain syncing only to their OU in Azure.

Thanks so much for any input!!

Configure DCs' NIC settings


Dear All

First of all, excuse my language.
Here is what I have: dc1, dc2, dc3 and dc4. They are all in the same site, but on different VLANs.
DC1, which is the primary:
10.20.7.100 255.255.255.128 10.20.7.1
Primary DNS 10.20.7.100
Alternative DNS 10.20.7.103
DC2:
10.20.7.103 255.255.255.128 10.20.7.1
Primary DNS 10.20.7.103
Alternative DNS 10.20.7.100
DC3:
10.10.4.140 255.255.255.129 10.10.4.1
Primary DNS 10.10.4.140
Alternative DNS 10.20.7.103
DC4:
10.20.0.150 255.255.255.129 10.20.0.1
Primary DNS 10.20.0.150
Alternative DNS 10.20.7.103
I am confused because some say that every DC should point to itself as preferred DNS, and some say that every DC should point to another DC as preferred and to itself as alternative DNS.
Would you please tell me if there is any mistake in my settings, and give any advice on best practice?
Thanks in advance.
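Added example (not from the original post): a checker that takes the four DC configurations listed above and reports what a reviewer would look at first: whether each subnet mask is a contiguous mask at all, whether the gateway falls inside the resulting subnet, and how the preferred/alternate DNS entries relate to the DC itself and to the other DCs. The DNS rule it encodes (preferred = another DC, alternate = itself or 127.0.0.1) is one of the two conventions the post mentions and is an assumption of this example, kept in one place so it can be changed to whatever standard you adopt.

```python
import ipaddress

# The four DCs as listed in the post (values copied from the post)
DCS = [
    {"name": "dc1", "ip": "10.20.7.100", "mask": "255.255.255.128", "gateway": "10.20.7.1",
     "preferred_dns": "10.20.7.100", "alternate_dns": "10.20.7.103"},
    {"name": "dc2", "ip": "10.20.7.103", "mask": "255.255.255.128", "gateway": "10.20.7.1",
     "preferred_dns": "10.20.7.103", "alternate_dns": "10.20.7.100"},
    {"name": "dc3", "ip": "10.10.4.140", "mask": "255.255.255.129", "gateway": "10.10.4.1",
     "preferred_dns": "10.10.4.140", "alternate_dns": "10.20.7.103"},
    {"name": "dc4", "ip": "10.20.0.150", "mask": "255.255.255.129", "gateway": "10.20.0.1",
     "preferred_dns": "10.20.0.150", "alternate_dns": "10.20.7.103"},
]


def mask_is_contiguous(mask):
    """A valid IPv4 netmask is a run of 1 bits followed by a run of 0 bits."""
    m = int(ipaddress.IPv4Address(mask))
    host_bits = (~m) & 0xFFFFFFFF
    return (host_bits & (host_bits + 1)) == 0


def check_dc(dc, all_dcs):
    """Findings for one DC. DNS rule encoded here (an assumption of this example):
    preferred DNS is another DC, alternate DNS is the DC itself (own IP or 127.0.0.1)."""
    findings = []
    if not mask_is_contiguous(dc["mask"]):
        findings.append(f"{dc['name']}: subnet mask {dc['mask']} is not a contiguous mask")
    else:
        net = ipaddress.IPv4Network(f"{dc['ip']}/{dc['mask']}", strict=False)
        if ipaddress.IPv4Address(dc["gateway"]) not in net:
            findings.append(f"{dc['name']}: gateway {dc['gateway']} is outside {net}")

    dc_ips = {d["ip"] for d in all_dcs}
    self_ips = {dc["ip"], "127.0.0.1"}
    if dc["preferred_dns"] in self_ips:
        findings.append(f"{dc['name']}: preferred DNS is itself; rule expects another DC first")
    elif dc["preferred_dns"] not in dc_ips:
        findings.append(f"{dc['name']}: preferred DNS {dc['preferred_dns']} is not a known DC")
    if dc["alternate_dns"] not in self_ips:
        findings.append(f"{dc['name']}: alternate DNS {dc['alternate_dns']} is not itself; rule expects self as alternate")
    return findings


def check_all(dcs):
    return {dc["name"]: check_dc(dc, dcs) for dc in dcs}


if __name__ == "__main__":
    for name, findings in check_all(DCS).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

The mask check is the part independent of any DNS convention: 255.255.255.129 has a 0 bit between 1 bits, so the checker reports it on dc3 and dc4 before it says anything about DNS ordering.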

DCDIAG failed system log


We have a newly promoted domain controller that's our first 2019 box in the domain. Our other DC is a 2012 R2 box (we've migrated to DFS-R already). After promoting it to a DC, I ran DCDIAG and got the following error, so I manually created the CNAME record under the _msdcs forward lookup zone, but the error persists.

I have both domain controllers pointing to each other as the primary DNS and I'm using the loopback for the secondary, and they can ping each other. Also, I can ping "89d723f5-4355-4bc2-9854-705d364a2abf._msdcs.NY.domain.com" successfully.

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = OSTDC

   * Identified AD Forest. 
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\OSTDC

      Starting test: Connectivity

         ......................... OSTDC passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\OSTDC

      Starting test: Advertising

         ......................... OSTDC passed test Advertising

      Starting test: FrsEvent

         ......................... OSTDC passed test FrsEvent

      Starting test: DFSREvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems. 
         ......................... OSTDC passed test DFSREvent

      Starting test: SysVolCheck

         ......................... OSTDC passed test SysVolCheck

      Starting test: KccEvent

         ......................... OSTDC passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... OSTDC passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... OSTDC passed test MachineAccount

      Starting test: NCSecDesc

         ......................... OSTDC passed test NCSecDesc

      Starting test: NetLogons

         ......................... OSTDC passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... OSTDC passed test ObjectsReplicated

      Starting test: Replications

         ......................... OSTDC passed test Replications

      Starting test: RidManager

         ......................... OSTDC passed test RidManager

      Starting test: Services

         ......................... OSTDC passed test Services

      Starting test: SystemLog

         A warning event occurred.  EventID: 0x80040020

            Time Generated: 02/05/2020   15:19:59

            Event String:

            The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.

         A warning event occurred.  EventID: 0x80040020

            Time Generated: 02/05/2020   15:19:59

            Event String:

            The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.

         A warning event occurred.  EventID: 0x80040020

            Time Generated: 02/05/2020   15:19:59

            Event String:

            The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.

         A warning event occurred.  EventID: 0x000727A5

            Time Generated: 02/05/2020   15:21:22

            Event String:

            The WinRM service is not listening for WS-Management requests. 


         A warning event occurred.  EventID: 0x80040020

            Time Generated: 02/05/2020   15:22:20

            Event String:

            The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.

         A warning event occurred.  EventID: 0x80040020

            Time Generated: 02/05/2020   15:22:20

            Event String:

            The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.

         A warning event occurred.  EventID: 0x80040020

            Time Generated: 02/05/2020   15:22:20

            Event String:

            The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.

         An error event occurred.  EventID: 0x0000168E

            Time Generated: 02/05/2020   15:22:54

            Event String:

            The dynamic registration of the DNS record '89d723f5-4355-4bc2-9854-705d364a2abf._msdcs.NY.domain. 600 IN CNAME OSTDC.NY.domain.' failed on the following DNS server:  


         An error event occurred.  EventID: 0x00002710

            Time Generated: 02/05/2020   15:23:00

            Event String:

            Unable to start a DCOM Server: {9C38ED61-D565-4728-AEEE-C80952F0ECDE}. The error:


         An error event occurred.  EventID: 0xC0001B61

            Time Generated: 02/05/2020   15:23:10

            Event String:

            A timeout was reached (30000 milliseconds) while waiting for the ADWS service to connect.

         An error event occurred.  EventID: 0xC0001B58

            Time Generated: 02/05/2020   15:23:10

            Event String:

            The ADWS service failed to start due to the following error: 


         An error event occurred.  EventID: 0xC0001B61

            Time Generated: 02/05/2020   15:23:11

            Event String:

            A timeout was reached (30000 milliseconds) while waiting for the Windows Agent Service service to connect.

         An error event occurred.  EventID: 0xC0001B58

            Time Generated: 02/05/2020   15:23:11

            Event String:

            The Windows Agent Service service failed to start due to the following error: 


         A warning event occurred.  EventID: 0x00001796

            Time Generated: 02/05/2020   15:27:36

            Event String:

            Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.


         A warning event occurred.  EventID: 0x00001695

            Time Generated: 02/05/2020   16:07:17

            Event String:

            Dynamic registration or deletion of one or more DNS records associated with DNS domain 'NY.domain.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).  


         ......................... OSTDC failed test SystemLog

      Starting test: VerifyReferences

         ......................... OSTDC passed test VerifyReferences

   
   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : ost-ny

      Starting test: CheckSDRefDom

         ......................... ost-ny passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ost-ny passed test CrossRefValidation

   
   Running enterprise tests on : NY.domain

      Starting test: LocatorCheck

         ......................... NY.domain passed test

         LocatorCheck

      Starting test: Intersite

         ......................... NY.domain passed test

         Intersite
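Added example (not from the original post): a parser for dcdiag output of the shape shown above. It collects each "passed/failed test" result (handling the case where dcdiag wraps the test name onto the next line, as with LocatorCheck and Intersite), groups the SystemLog events by Event Viewer ID and text so the repeated write-cache warnings collapse into one line with a count, and converts the 32-bit code dcdiag prints into the ID Event Viewer shows (the low 16 bits, so 0x0000168E is 5774 and 0xC0001B61 is 7009). The sample text is a constructed excerpt in dcdiag's format with a placeholder in place of the DSA GUID.

```python
import re
from collections import Counter

RESULT_RE = re.compile(r"^\s*\.{3,}\s*(?P<target>\S+) (?P<result>passed|failed) test\s*(?P<test>\S*)\s*$")
EVENT_RE = re.compile(r"^\s*An? (?P<level>warning|error) event occurred\.\s+EventID: (?P<id>0x[0-9A-Fa-f]+)")
STRING_RE = re.compile(r"^\s*Event String:\s*$")

# Constructed excerpt in dcdiag's format (placeholder GUID, not the post's real record)
SAMPLE = """\
Directory Server Diagnosis
   Testing server: Default-First-Site-Name\\OSTDC
      Starting test: Connectivity
         ......................... OSTDC passed test Connectivity
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x80040020
            Time Generated: 02/05/2020   15:19:59
            Event String:
            The driver detected that the device \\Device\\Harddisk0\\DR0 has its write cache enabled. Data corruption may occur.
         A warning event occurred.  EventID: 0x80040020
            Time Generated: 02/05/2020   15:22:20
            Event String:
            The driver detected that the device \\Device\\Harddisk0\\DR0 has its write cache enabled. Data corruption may occur.
         An error event occurred.  EventID: 0x0000168E
            Time Generated: 02/05/2020   15:22:54
            Event String:
            The dynamic registration of the DNS record '<dsa-guid>._msdcs.NY.domain. 600 IN CNAME OSTDC.NY.domain.' failed on the following DNS server:
         ......................... OSTDC failed test SystemLog
   Running enterprise tests on : NY.domain
      Starting test: LocatorCheck
         ......................... NY.domain passed test

         LocatorCheck
"""


def _next_nonblank(lines, i):
    """Index of the first non-blank line after i (dcdiag wraps some fields onto a later line)."""
    j = i + 1
    while j < len(lines) and not lines[j].strip():
        j += 1
    return j


def parse_dcdiag(text):
    """Return ([(target, test, result), ...], [{'level', 'id', 'text'}, ...])."""
    lines = text.splitlines()
    results, events, pending = [], [], None
    i = 0
    while i < len(lines):
        line = lines[i]
        m = RESULT_RE.match(line)
        if m:
            test = m.group("test")
            if not test:                       # test name wrapped to the next line
                i = _next_nonblank(lines, i)
                test = lines[i].strip() if i < len(lines) else ""
            results.append((m.group("target"), test, m.group("result")))
        elif (m := EVENT_RE.match(line)):
            pending = {"level": m.group("level"), "id": int(m.group("id"), 16)}
        elif pending and STRING_RE.match(line):
            i = _next_nonblank(lines, i)
            pending["text"] = lines[i].strip() if i < len(lines) else ""
            events.append(pending)
            pending = None
        i += 1
    return results, events


def viewer_event_id(full_id):
    """dcdiag prints the full 32-bit event code; Event Viewer shows the low 16 bits."""
    return full_id & 0xFFFF


def summarize(text):
    results, events = parse_dcdiag(text)
    counts = Counter((e["level"], viewer_event_id(e["id"]), e["text"]) for e in events)
    return {
        "results": results,
        "failed": [(t, n) for t, n, r in results if r == "failed"],
        "events": [{"level": lv, "event_id": eid, "count": c, "text": s}
                   for (lv, eid, s), c in counts.most_common()],
    }


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print("failed:", s["failed"])
    for e in s["events"]:
        print(f"{e['count']}x {e['level']} {e['event_id']}: {e['text'][:70]}")
```

On the full output above this turns the SystemLog block into a handful of distinct IDs (32, 10149, 5774, 10000, 7009, 7000, 6038, 5781) with counts, which is the list to work through rather than the raw event stream.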



DNS NAME RESOLUTION SLOW


Problem: a Windows 2012 Server Hyper-V VM slowly develops a delay in name resolution, both internal and external. Example: if I ping office.com or the local DC, there is a delay of about 12 seconds before responding. If I ping the IP address directly, the response is immediate. I first thought it was a DNS problem; however, nslookup resolves any request instantly. I also tried making hosts file entries, which are also delayed. Rebooting tends to resolve the issue, but the delay slowly builds up to the point where Outlook times out when connecting. This results in RDS users not being able to connect to the Office 365 Exchange server, impacting business.

The environment is a VM Running on a Windows 2016 Hypervisor with 4 onboard gigabit network ports teamed to a single dynamic network card. 

DNS _sites shows entries of demoted sites and DCs


Hi all,

I've demoted several 2003 servers during the last few months in our customer's AD, moved subnets and successfully deleted sites under ADSS.

So far, so good, but in DNS I can still see entries under _sites and in the name servers tab of the domain properties.

As for the name servers tab, I think they can be deleted, as they are unreachable/unresolvable records. I am still confused, though, by the _sites entries, as some of them are not showing up and some others are still there, and they have an entry under _tcp that points at a DC that has never belonged to the sites in question but holds some FSMO roles.

Some interesting points:

  • repadmin /replsummary doesn't show any old DC entry
  • the old DCs are now member servers

I'm somewhat new to advanced DNS management. How can I safely go further from here?

Thanks



Unjoined PCs Not Removed From AD


I just noticed that machines we recently un-joined from the domain still show up in our 2012R2 AD.

The icons do have a down arrow next to them which indicates that the computer accounts are inactive but I have never noticed this before.

Is this by design - delay pending a purge - or do I have a misconfiguration somewhere?

Thanks >> Joe

Wake On Lan through GPO


Hi

Is there a possibility to create a GPO to enable WOL for clients in the domain? I have an SCCM server configured in the domain, and there is a possibility through SCCM to enable WOL, but I want to know if the same can be done through GPO. Can anyone give me an opinion on this?


Roy

DSRM Password change

Hi,

I have 2 DCs, let's say dc1 and dc2.

I have set different Directory Services Restore Mode passwords for my 2 DCs. For security reasons I don't want to set the same DSRM password for my DCs.

I created 2 domain user accounts named after the DCs, dsrmdc1 and dsrmdc2.

Whenever I change the password for the above 2 DSRM domain accounts, I want the same password to be synchronized automatically to the "administrator" account.

I did some research on my query but was not able to achieve the goal.

Lots of articles on the internet say to configure a GPO to sync the password from a domain account to the administrator account, which is suitable when we have a single DSRM account scenario.

However, I am using an independent account on each DC.

Let's say the dsrm1 account password should sync with the dc1 administrator account.

Let's say the dsrm2 account password should sync with the dc2 administrator account.

How do I create a scheduled task according to my requirement?

Do I need to create independent tasks in Task Scheduler? Please assist.




Kerberos and MIM

Hi


I am trying to make everything authenticate with AES256 in our domain(s).
However, one service account (used with MIM) still authenticates with RC4. The traffic is between two domains. Other traffic between the domains is AES256.
I have run
ksetup /setenctypeattr <trustingdomain> RC4-HMAC-MD5 AES128-CTS-HMAC-SHA1-96 AES256-CTS-HMAC-SHA1-96
on both domains and verified OK in ADSI Edit. It also made almost everything use AES256 encryption.


I also checked the service account and ticked:
"This account supports Kerberos AES 128 bit encryption"
"This account supports Kerberos AES 256 bit encryption"
and restarted the service on the MIM server. But it still authenticates with RC4.


I checked the domain controllers and found in secpol.msc:
Network security: Configure encryption types allowed for Kerberos
I then removed RC4, but then the MIM server started complaining with this event:


An unexpected error has occurred during a password set operation. 
 "BAIL: MMS(7848): ..\dnutils.cpp(1341): 0x800700b7 (Cannot create a file when that file already exists.)
BAIL: MMS(7848): ..\dnutils.cpp(1341): 0x800700b7 (Cannot create a file when that file already exists.)
BAIL: MMS(7848): ..\dnutils.cpp(1341): 0x800700b7 (Cannot create a file when that file already exists.)
ERR_: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMADoNormalization', 0x2
BAIL: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
ERR_: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMARecursiveUserDelete', 0x2
BAIL: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
ERR_: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMARecursiveComputerDelete', 0x2
BAIL: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(7848): D:\bt\52550\sources\dev\Sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
ERR_: MMS(7848): admaexport.cpp(4207): The Kerberos change operation failed: 0xc00002fd
ERR_: MMS(7848): ..\ma.cpp(8531): ExportPasswordSet failed with 0x80004005
Forefront Identity Manager 4.4.1302.0"




So I guess I can't force it that way.


The service account is from 2009 and has a service principal name made with "setspn" command.
Microsoft Identity Manager Password Change Notification Service (PCNS) is installed on the domain controllers, and PCNSCFG commands have been used with the account.


Domain Functional level/Forest functional level on both domains: above 2008
Forefront Identity Manager version: 4.4.1302.0
Microsoft Identity Manager Password Change Notification Service Version: 4.3.1935.0


Just thinking of stuff that might be related.


Any thoughts?
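Added example (not from the original post): a decoder for the msDS-SupportedEncryptionTypes bit flags, which is the attribute that `ksetup /setenctypeattr` writes on the trust object, that the two "This account supports Kerberos AES ..." checkboxes set on the service account, and whose same bit values the "Configure encryption types allowed for Kerberos" policy stores on the DC. Given the masks on each party in the path, it lists the types they have in common and the strongest of them, and shows what happens when one party is left RC4-only and RC4 is then removed from policy. The masks used in the demonstration are constructed for the example.

```python
# Bit values of msDS-SupportedEncryptionTypes (also used by the Kerberos encryption-types policy)
ETYPES = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC-MD5",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
NAME_TO_BIT = {name: bit for bit, name in ETYPES.items()}
# Preference order, strongest first
STRENGTH = ["AES256-CTS-HMAC-SHA1-96", "AES128-CTS-HMAC-SHA1-96", "RC4-HMAC-MD5", "DES-CBC-MD5", "DES-CBC-CRC"]


def decode(mask):
    """Names of the encryption types enabled in a mask, weakest bit first."""
    return [name for bit, name in sorted(ETYPES.items()) if mask & bit]


def mask_from_names(names):
    """Build a mask from names as written on the ksetup command line."""
    return sum(NAME_TO_BIT[n] for n in names)


def common_etypes(*masks):
    """Encryption types every party in the path supports."""
    combined = 0x1F
    for m in masks:
        combined &= m
    return decode(combined)


def strongest(names):
    for candidate in STRENGTH:
        if candidate in names:
            return candidate
    return None


def explain(account_mask, trust_mask, dc_policy_mask):
    """Human-readable view of what the three masks allow together."""
    common = common_etypes(account_mask, trust_mask, dc_policy_mask)
    if not common:
        return "no encryption type in common: Kerberos exchange cannot succeed"
    return f"common: {common}; strongest available: {strongest(common)}"


if __name__ == "__main__":
    # The post's ksetup line enables these three types on the trust
    trust = mask_from_names(["RC4-HMAC-MD5", "AES128-CTS-HMAC-SHA1-96", "AES256-CTS-HMAC-SHA1-96"])
    # Constructed masks: account with both AES boxes ticked plus RC4, DC policy with and without RC4
    account_aes = 0x04 | 0x08 | 0x10
    account_rc4_only = 0x04
    policy_with_rc4 = 0x1C
    policy_aes_only = 0x18
    print("trust mask:", hex(trust), decode(trust))
    print("AES-capable account, AES-only policy:", explain(account_aes, trust, policy_aes_only))
    print("RC4-only party, policy with RC4:    ", explain(account_rc4_only, trust, policy_with_rc4))
    print("RC4-only party, AES-only policy:    ", explain(account_rc4_only, trust, policy_aes_only))
```

The last two lines of the demonstration mirror the post's observation: while RC4 is allowed everywhere, a party that only carries the RC4 bit still authenticates (with RC4); once RC4 is removed from the DC policy, the intersection is empty and the exchange fails outright. Comparing the three masks that apply to the MIM account's path (the account, the trust in each direction, and the DC policy) against the decoder is a quick way to find the one that still lacks AES.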

Active Directory Domain Services error message


Hi ,

I am facing a problem with my DC (Windows Server 2019): I get an error message when I launch Active Directory Users and Computers:

error message :

naming information cannot be located because library not registered .

