Channel: Directory Services forum

Unable to run fixfsmo.vbs


I am unable to remove a dc from a child domain in AD as I am getting this error:

Active Directory Domain Services could not transfer the remaining data in directory partition DC=DomainDnsZones,DC=child,DC=parent,DC=root,DC=com to
Active Directory Domain Controller \\servername

"The naming context could not be found."

I have followed the instructions in this article (http://blogs.technet.com/b/the_9z_by_chris_davis/archive/2011/12/20/forestdnszones-or-domaindnszones-fsmo-says-the-role-owner-attribute-could-not-be-read.aspx) and sure enough there is an old decommissioned server listed as the fsmo owner of domaindnszones. So I am trying to run the fixfsmo.vbs script to fix this. However, I cannot get it to run. Every time I get the error:

C:\fixfsmo.vbs(19, 5) (null): The specified domain either does not exist or could not be contacted.

I am currently logged on to the infrastructure master for this domain and I am using the syntax: cscript fixfsmo.vbs dc=domaindnszones,dc=domain,dc=parent,dc=root,dc=com

I am able to browse this partition in both ADSI Edit and DNS so I am completely stuck as to why it is unable to see the domain. I have tried logging on as a domain admin in the child domain and an enterprise admin from the root domain but neither seems to work.


Any help would be appreciated!


What is the correct way to pre-stage computer accounts before joining to the domain?


What is the correct way to pre-stage computer accounts before joining them to the domain?

When we pre-stage the computer account in AD and then try to join that computer to the domain, it will try to create the computer account in AD, whereas the computer account is already there in AD (since we pre-staged it). Will it then not give us an error while joining the server to the domain?

If not, what exactly do we do in pre-staging other than just creating the computer account?

AD Replication Query


Hello Everyone,

This is regarding AD replication. I know what multimaster replication is,

but I wish to know how any changes made at the same time will work, or which will be in place.

Suppose, in the same domain, two administrators logged on to two different servers try to create a new user at the same time. What will happen in this scenario?

Or two admins try to edit the same user object at the same time? Which change will be in place?


TheAtulA


"Cannot complete this function" error while trying to join a 2012 R2 server to a 2008 R2 server domain in Hyper-V


Dear All,

I need to migrate Active Directory from 2008 R2 Standard to 2012 R2 Standard in Hyper-V on a 2012 R2 Standard server.

I have created two virtual machines in Hyper-V and one new private virtual switch, and connected both virtual machines to that switch.

VM1-2008R2-IP: 192.168.2.2

VM2-2012R2-IP: 192.168.2.1

                    DNS: 192.168.2.2

Both machines are pinging each other, and they are on the same network.

Previously the 2008 R2 domain server was on a different network and its IP was 192.168.1.206. It was migrated from a 2003 server.

2008 R2 is still working on a dedicated physical machine on the 192.168.1..... subnet. I created the VHDX file of the server and ran it on Hyper-V.

I have also created a new zone for the 192.168.2... network and also created a new pointer to 192.168.2.2 in the reverse lookup zones.

When I tried to join the 2012 R2 server which is installed on a physical machine to the existing domain on the 192.168.1..... network, it joined, but on Hyper-V with the different network it shows the error: cannot complete this function.

Please help and suggest what I should do to resolve this error.

Can anyone help me with this?

Display Name Overwritten in AD with HR Display Name


My customer reported an issue today that the AD display names have been overwritten with the ones from HR. The HR display name wasn't maintained, while it was maintained in AD. Now people are seeing the HR display name and this is not the name they would want to show.

Any idea how to fix this issue?

Thanks


Pallab Chakraborty

Azure AD change synchronization account


Good morning,

I have a problem with synchronization between our on-prem testing AD and Azure AD. We used password hash synchronization from our on-prem testing AD to our tenant in the past. Everything was working, but we wanted to change PHS to ADFS. For this scenario we have prepared a new AD domain. So, I stopped synchronization of the testing domain and uninstalled Azure AD Connect. Three days ago I installed Azure AD Connect in the new AD domain and configured it for ADFS. The wizard finished successfully; the ADFS and WAP servers were configured. Now, when I connect to the Microsoft 365 admin center, I see the error message: Directory sync: last synced more than 3 days ago. In Health - Directory Sync Status, I can see the same error, and in the item "Directory sync service account" there is a bad account, which doesn't exist. Azure AD Connect created another account during installation and configuration. Can I change the sync service account to the existing one? Thank you very much for your advice.

Jaroslav Vacek

Czech Republic

[VULNERABILITY ADVISORY] Microsoft Security Advisory ADV190023 Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing


Hi,

This is with regards to Microsoft Advisory:

[VULNERABILITY ADVISORY] Microsoft Security Advisory ADV190023 Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing

Does this mean implementing either signing for Windows clients and servers, or implementing LDAPS?

Applications using LDAP are mixed: Windows, Linux and other appliances.

Thanks!
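Before enforcing either setting from the advisory in a mixed Windows/Linux/appliance estate, the practical first step is to find out which clients still bind without signing or over clear-text simple binds. The following PowerShell is an added example, not code from the forum post or from Microsoft; it reads the two registry values the advisory concerns on the local DC and summarizes the Directory Service log events 2887 (daily count of unsigned/simple binds) and 2889 (per-client detail, only logged once the "16 LDAP Interface Events" diagnostic level is raised). The insertion-string order assumed for event 2889 is client, identity, bind type.

```powershell
# Added example (not from the forum post): inventory LDAP signing / channel binding
# settings on this DC and list clients still doing unsigned or clear-text simple binds.
# Assumes it runs elevated on a domain controller.

$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# LDAPServerIntegrity: 1 = None (default), 2 = Require signing.
$signing = (Get-ItemProperty -Path $ntds -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
# LdapEnforceChannelBinding: 0 = Never, 1 = When supported, 2 = Always.
$cbt = (Get-ItemProperty -Path $ntds -Name LdapEnforceChannelBinding -ErrorAction SilentlyContinue).LdapEnforceChannelBinding

"LDAPServerIntegrity      : $(if ($null -eq $signing) { '<not set> (None)' } else { $signing })"
"LdapEnforceChannelBinding: $(if ($null -eq $cbt) { '<not set> (Never)' } else { $cbt })"

# Event 2887 is written every 24 hours with a count of unsigned / simple binds.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2887 } -MaxEvents 7 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }

# Event 2889 names each offending client, but only after raising the diagnostic level
# (this increases log volume; set it back to 0 when the inventory is done):
#   Set-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -Value 2
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        # Assumed insertion-string order: client IP:port, identity, binding type
        # (0 = unsigned SASL bind, 1 = simple bind over clear text).
        [pscustomobject]@{
            Client   = $x.Event.EventData.Data[0]
            Identity = $x.Event.EventData.Data[1]
            BindType = $x.Event.EventData.Data[2]
        }
    } | Group-Object Client | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Identities'; e = { ($_.Group.Identity | Sort-Object -Unique) -join ', ' } }
```

Run it on each DC (the events are local to the DC that served the bind). Clients that show up with BindType 1 need LDAPS or a SASL bind with signing; clients with BindType 0 only need their LDAP client configured to request signing, which is what the advisory's client-side policy does for Windows.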

Migration of FRS to DFRS


Hello Experts,

I'm currently running a mix of 2008 R2 & 2016 DCs with both FFL & DFL set to Windows 2003, and hence running FRS in my environment. I do not see any replication errors till now. AD Replication tool, Repadmin, DCDiag etc. show all healthy with no errors. I'm currently in the process of upgrading the remaining 2008 R2 DCs to 2016 as well. Is it mandatory that I migrate to DFRS if I keep all of the DCs 2016 only, and will there be an issue if I do not migrate to DFRS yet?

Any expert advice is really appreciated.

Many thanks,
Techie


Event ID for Changes to AD User "Job Title" and "Manager" in Organization Tab


Hello,

I am trying to monitor changes to AD users, but I can't seem to find the event ID that is generated when a change to a user's job title/manager is made. If anyone knows which event ID monitors this, please share.

I have tested 4738 and several others but they don't seem to generate any events even after enabling the audit policies that are user account related.

Thanks
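Event 4738 ("A user account was changed") only covers a fixed set of account attributes; attribute-level changes such as title and manager are recorded by event 5136 ("A directory service object was modified") in the Directory Service Changes audit subcategory, and that event is only produced when the subcategory is enabled and a SACL on the container or objects audits the write. The PowerShell below is an added example, not the poster's code; it assumes it runs elevated on a domain controller and reads event 5136's fields by name rather than by position.

```powershell
# Added example (not the forum poster's code): enable attribute-level change auditing
# and list who changed the 'title' or 'manager' attribute of any user.
# Event 5136 requires two things:
#   1. the 'Directory Service Changes' audit subcategory enabled (below), and
#   2. a SACL on the OU/objects that audits 'Write all properties' for Everyone
#      (Advanced Security Settings > Auditing tab, or dsacls).
auditpol /set /subcategory:"Directory Service Changes" /success:enable

$watched = @('title', 'manager')

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read EventData by field name instead of relying on positional indexes.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($watched -contains $d['AttributeLDAPDisplayName']) {
            [pscustomobject]@{
                When      = $_.TimeCreated
                Who       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object    = $d['ObjectDN']
                Attribute = $d['AttributeLDAPDisplayName']
                Value     = $d['AttributeValue']
                # OperationType %%14674 = value added, %%14675 = value deleted;
                # a modify shows as a delete of the old value plus an add of the new.
                Operation = $d['OperationType']
            }
        }
    } | Format-Table -AutoSize
```

A single edit of the manager field therefore yields two 5136 events (delete of the old DN, add of the new DN) with the same correlation id, which is worth remembering when building a detection rule on top of this output.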

Planning to use Active Directory on Windows Server 2012 R2


I was assigned as IT advisor to work with the IT guys here at the office. I asked him to create a plan for implementing Active Directory here at the office, to log in with personal credentials, and he told me he won't do it. I just need to have a plan to implement Active Directory on a Windows Server 2012 R2: the system requirements, desktop operating systems (we have a mix of Windows Home and Enterprise on 18 desktops).

Can you point me in the right direction?

Cheers, 


Dario Prada

Disabling local Admin users on machines


We have a number of users logged in through local admin users; we need to force them to use the domain accounts.

Your response to the queries below will be appreciated:

1. There are multiple local admin accounts on machines with different names, so how do we disable all of them except the "Administrator"?

2. Is there a way to move/copy the files in local admin account profiles to other drives through scripts, etc.?

(we don't have SCCM/SCOM in place)


Implementing LAPS - issues


Our organization is in the process of implementing the LAPS solution, but there are a few things that need to be cleared up:

- Is there a possibility of setting the password of all local admin accounts, or is LAPS limited to the "Administrator" account only? What are the other ways to put a password on different users with Administrator access?

- What is the easiest way to deploy the LAPS agent on client computers? When we tested on some computers through GPO it asks the computers to reset.


After updating Exchange 2016 to latest CU 15, having major DNS errors!


Hello All,

I have a network that was upgrading their Exchange to the latest CU 15. During the upgrade the process stopped around 98%. They rebooted the servers (Exchange 2016, PDC running CA and a secondary DC running DNS) and when they came back up there were major issues. The first and foremost is (I think) an RPC error 1722 between the PDC and the secondary DC. I have run all the dcdiag tests along with dtcping and each shows the RPC error 1722. This is where it gets interesting. Most of the tests will come back that they have passed (except for the 1722 error). After digging into the system for the day I found that the security settings for the secondary as well as the primary DNS servers are showing SIDs for about half of their accounts. The on-site Enterprise CA is not working, with RPC server unavailable errors. The on-premise Exchange 2016 server will not boot due to this issue either. Under Server Manager, when trying to access the other DC I receive a "target not accessible" error message. There are DCOM 10028 errors about connecting to the other servers (unable to communicate using any of the configured protocols). It looks like DC1 (which is the PDC-Em) holds the RID/PDC/Infra roles (according to itself) when looked at from the ADU&C snap-in. On DC2 it shows unknown for each.

1: The last event viewer entries show on DC 1 & 2 that Active Directory Web Services is servicing the directory instance as GC, LDAP & SSL.

2: DFSR is showing 1727 on each DC. It reported that the last time it worked was about noon today.

3: Port Query shows port 135 (epmap) listening on both servers. It lists 120+ endpoints for each server.

4: DNS was/is signed. I can remove from DC1 DNS and reapply, but not from DC2 (I tried to remove and transfer the Key Master role to no avail).

5: I have tried to reset the machine and user account passwords.

What am I missing???



Devin

How to prevent domain administrators from accessing workstations?


Hi,

We want to prevent domain administrators from connecting to workstations for security reasons.

How can we prevent domain administrators from accessing workstations?

Domain Accounts Are Unable To Access Network PC's via IP Address but Can Access via ComputerName


I'm having an interesting issue... As the title states, in File Explorer I am able to access network PCs via ComputerName, but cannot access them via IP address. This issue only occurs while I'm logged in as a Domain Admin. If I am logged in as a local admin, I am able to access all network PCs by both methods. All PCs have static IP addresses and are joined to the domain. Listed below are two scenarios for attempting to connect to other network PCs via File Explorer. In both scenarios I am logged into PC "GenPurp" with a domain admin account. GenPurp has a static IP address of 192.206.233.70 and is joined to the domain.

Scenario 1:

In the address bar of file explorer I type "\\192.206.233.51" and press enter (this is the static IP for our "Console" PC).  I receive the following error message:

"\\192.206.233.51 is not accessible.  You might not have permission to use this network resource.  Contact the administrator of this server to find out if you have access permissions.

Account restrictions are preventing this user from signing in.  For example: Blank passwords aren't allowed, sign-in times are limited, or a policy restriction has been enforced."

Scenario 2:

In the address bar of file explorer I type "\\192.206.233.51\c$".  I receive the following error message:

"Windows cannot access \\192.206.233.51\c$.  Check the spelling of the name.  Otherwise there might be a problem with your network.  To try to identify and resolve network problems, click Diagnose."

There is a drop down section for "See Details" that shows Error code: 0x80004005, unspecified error.   When I click Diagnose, the troubleshooter cannot identify a problem. 

When I am logged in as a Local Admin, I am able to successfully navigate to the Console PC at 192.206.233.51 without issue.  

I am able to connect to all network PCs while logged in as a domain admin and using the \\ComputerName or \\ComputerName\c$ formats.

Note: This issue happens with ALL PCs on the domain. It doesn't matter what PC I am logged into, or which PC I am attempting to connect to, I get the same result.


Windows 2003 Server to Windows 2016 Server upgrade, RDS issues


Dear all,

I have two Windows Server 2003 domain controllers with replication working very well. As they are old, I decided to upgrade them to Windows Server 2016 by creating two new Windows Server 2016 machines and adding them to the domain as domain controllers (upgrading the forest functional level from 2003 to 2008).

For now, the 2003 servers are still serving and replicating to the Windows 2016 servers, so now I have 4 domain controllers. The FSMO roles are still spread across the two 2003 DCs, so the 2016 DCs are just there, but that's all.

I have an RDS server which is hosting some apps, and I had the following issue, which is now solved (https://www.mysysadmintips.com/windows/servers/505-the-remote-desktop-license-server-cannot-update-event-4105).

Another issue is now present and I have problems solving it.

That issue is that users who want to log in to the RDS app get an "access denied" when trying to log in.

If I disconnect the two 2016 DCs, the RDS login is working....

Does somebody have any idea about that issue? Is there a version problem? Is 2K16 not compatible with RDS servers which are 2008 R2...? I'm totally stuck :(

Many thanks to all for your help!


Blocking internet access in active directory servers


Hello Everyone

We have an Active Directory environment with an internal DNS setup.

As per a security recommendation, we need to block internet access on our Active Directory servers.

Requesting your kind inputs on what prerequisites/settings I need to validate before blocking internet access, to ensure none of the related services get impacted.

Thank You

Anonymous LDAP Query Not Using Pre-Windows 2000 Compatible Access Group


TL;DR I'd like to understand why some LDAP queries take membership of the Pre-Windows 2000 Compatible Access group into account and some do not. What is it exactly that makes AD decide to let permissions for this group take effect or ignore it?

Longer version:

If I have the following scenario:

  • A domain with Anonymous Logon added as a member of the Pre-Windows 2000 Compatible Access group.
  • A user account (User A) that has permissions on it set to allow Anonymous Logon to read all properties.
  • Another user account (User B) that does not have any permissions explicitly granted to Anonymous Logon, but does allow the Pre-Windows 2000 Compat group to read all properties.

If I run an anonymous LDAP query with Ldp.exe (or other tools that allow anonymous LDAP queries, like Softerra LDAP Browser), it finds User A as expected but it does not find User B, even though Anonymous Logon is a member of the group that does have permission to read that account.

You might think maybe this Pre-Windows 2000 group just doesn't get used in any way and can be ignored, but I found a script that performs an LDAP query and does find User B as long as Anonymous Logon is a member of the Pre-2000 group!

The script is part of Impacket and only finds users that have the "no kerberos pre auth" option set, but that's kind of irrelevant to this issue. You can find it here: https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_20/examples/GetNPUsers.py

By stepping through the script in a debugger and looking at LDAP traffic in Wireshark, I can see that it does actually use NTLM authentication even though I'm not supplying any credentials and running it from a non domain machine. Yet if I try and do NTLM bind in Ldp.exe without entering a username it just says authentication failed.

So yeah I'm very confused by all of this and wondering if anyone can shed any light on why AD is sometimes taking the Anonymous Logon's membership of Pre-2000 group into account and sometimes not.
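Whatever the explanation for the difference the poster sees between the two tools, the two configuration points that decide what an unauthenticated LDAP client can read in this scenario are the membership of Pre-Windows 2000 Compatible Access and the dSHeuristics setting that allows anonymous LDAP operations beyond rootDSE. The PowerShell below is an added example, not the poster's code or Impacket's; it reports both so an administrator can see at a glance whether Anonymous Logon or Everyone sits in that group and whether anonymous LDAP reads are enabled. It assumes the ActiveDirectory module and rights to read the configuration partition.

```powershell
# Added example (not from the post): report whether ANONYMOUS LOGON (S-1-5-7) or
# Everyone (S-1-1-0) are members of Pre-Windows 2000 Compatible Access, and whether
# dSHeuristics permits anonymous LDAP operations beyond rootDSE.
Import-Module ActiveDirectory

$group   = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member
$flagged = @{ 'S-1-5-7' = 'ANONYMOUS LOGON'; 'S-1-1-0' = 'Everyone' }

$members = foreach ($dn in $group.member) {
    # Well-known principals appear as foreignSecurityPrincipal objects; read their SID
    # rather than relying on the display name.
    $obj = Get-ADObject -Identity $dn -Properties objectSid
    $sid = $obj.objectSid.Value
    [pscustomobject]@{
        Member = $obj.Name
        Sid    = $sid
        # Authenticated Users is the default member; the two SIDs above widen
        # read access to unauthenticated callers.
        Flag   = if ($flagged.ContainsKey($sid)) { "grants $($flagged[$sid]) read access" } else { '' }
    }
}
$members | Format-Table -AutoSize

# dSHeuristics: the 7th character controls anonymous LDAP operations; '2' allows
# anonymous reads of directory objects (not just rootDSE). Unset or '0' is the default.
$dsPath   = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$heur     = (Get-ADObject -Identity $dsPath -Properties dSHeuristics).dSHeuristics
$anonLdap = if ($heur -and $heur.Length -ge 7) { $heur[6] } else { '0' }
"dSHeuristics: '$heur' -> anonymous LDAP operations $(if ($anonLdap -eq '2') { 'ENABLED' } else { 'disabled' })"
```

If the script shows Anonymous Logon in the group and dSHeuristics position 7 set to 2, every object whose ACL grants Pre-Windows 2000 Compatible Access a read (which, by default, includes user objects under the domain's standard ACLs) is readable without credentials; both settings are worth reviewing together rather than in isolation.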
DNS NAME RESOLUTION SLOW


Problem: A Windows 2012 Server Hyper-V VM slowly develops a delay in name resolution, both internal and external. Example: If I ping office.com, or the local DC, there is a delay of about 12 seconds before responding. If I ping the IP address directly the response is immediate. I first thought it was a DNS problem; however, nslookup resolves any request instantly. I also tried making hosts table entries, which are also delayed. Rebooting tends to resolve the issue, but the delay time slowly builds up to a point where Outlook will time out when connecting. This results in RDS users not being able to connect to the Office 365 Exchange server, impacting business.

The environment is a VM Running on a Windows 2016 Hypervisor with 4 onboard gigabit network ports teamed to a single dynamic network card. 

DFSR SYSVOL folder not replicating


Hello all,

I have inherited a Server 2012 Essentials environment at a customer's, and I am currently trying to migrate to Server 2019 Standard. From all I read it should be a normal procedure except for leaving the FSMO roles up to the last minute. I checked that sysvol replication was on DFSR and then introduced the new DC. Regular AD replication is fine (repadmin reports all DCs up to date). However, sysvol was not being replicated and I went to check deeper.

SYSVOL looks complete, junction points are good, state of DFSRMIG is "eliminated" so DFSR should be used. Now the new DC is waiting for initial sync, and the old DC shows no errors, but it seems the sysvol folder is simply not a known replicated folder on that system.

As sysvol is basically healthy, I did a backup of the files and tried the steps in this article: 

https://support.microsoft.com/en-us/help/2218556/how-to-force-an-authoritative-and-non-authoritative-synchronization-fo

It goes well up to the point where I should see event 4602 in the DFSR event log of the authoritative DC after doing the dfsrdiag pollad. Checking with

wmic /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo WHERE replicatedfoldername='SYSVOL share' get replicationgroupname,replicatedfoldername,state

on the old DC (of course after reverting the ADSI changes) I get "No instance(s) available". I found that this problem can occur when the DFSR database is corrupt after disk problems, but neither have I found any indication of this (there should be a warning 2213 or such in the event logs, but there isn't) nor am I able to "ResumeReplication" on any of the GUIDs I found in the DFSR config (in System Volume Information). I tried the folder GUID, the replication group GUID as well as the volume GUID, but each attempt only reports "no instances available".

Further checking the DFSR config files, it seems as though the replication group is known; I can also see it in the DFSR console. Running a health report there I get a message which basically says the same as "no instances available", namely that the folder is not in a replicated state on the original DC.

Now I am faced with a decision to either try to repair the state of the original DC or (without being sure this is possible) force the new DC to just skip initial sync and let me seed the sysvol manually. So I have two questions and I really hope anyone can help me out here.

1. Is there any obvious solution I am missing in my attempt to repair the DFSR on the old DC?

2. Can I force the new DC to skip initial sync by making it authoritative? Then just copy the sysvol contents where they belong? Has anyone tried this on a completely new DC? I am wondering about the implications here and how to go about sharing the SYSVOL and NETLOGON as those are not shared right now, of course.

Thanks everyone in advance!

Claudia
