Channel: Directory Services forum

Active Directory account lockout behaviour


Hi Team,

I have some doubts about the AD 2019 user account lockout issue.

I have two users, say user1 and user2, in AD with an account lockout setting of 3 wrong passwords.

  • user1 tries to log in with a wrong password 2 times.
  • Then user2 logs in with correct credentials and logs out.
  • Again user1 tries to log in 2 times with a wrong password (4 wrong passwords in total).
  • Still no account lockout for user1.

The account lockout will happen only if it exceeds 3 times consecutively, that is, in a single attempt.

If any other user logs in in between, the previous count of wrong passwords gets reset.

Could you please confirm this behaviour and, if possible, share an official link so I can understand it properly.

Thanks in Advance.

Regards,

Venkadesh



Keytab file issue after password reset.


Hi,

We are facing an authentication issue when accessing an application using a keytab file after a password reset of a service account.

Do you have any idea how to resolve this issue?

Raise the functional level


Hi,

We are looking to raise our domain and forest functional level from Windows 2008 R2 to Windows 2016 once the upgrade of our domain controllers is completed.

What's the impact if we raise the functional level from Windows 2008 R2 to Windows 2016?

Post update checklist


Hi,

I am at the stage of creating a list of steps for patching Active Directory (VMs). Can you guys help me with a list of things that I MUST check after patching AD?

Regards,

Richard

Export Users with OU and Description from a Group


Hi,

Is it possible to export users with OU and Description information from an AD group?

Thanks.

WiFi Authentication With Active Directory


Hi Team,

I want to deploy WiFi authentication with Active Directory; below is the information.

1. WiFi authentication from Active Directory.

2. I will mention a time (the client will remain connected 2 or 3 hr) and then it will auto-disconnect.

3. Need networking presentation details.

Please advise and share the MS documentation link with me.



Active Directory design and SD-WAN, Windows 2016 or above



We need to work out Active Directory design considerations for a new setup where the company wants to have a DC and an ADC in the data center and is implementing SD-WAN to connect across branch locations.

Previously there were no centralized authentication methods in place.

The company doesn't need read/write DCs in the branches, only RODCs. Just wondering if we must have one RODC per site/branch; if the RODC goes down, how will logon/DNS resolution work? Do we need to define logical sites/replication?

File and print servers will be local to each branch.

IP allocation configuration/DHCP? Still to be decided.

From an Active Directory design perspective, do we need to have different IP subnets for each branch?


Can't get the Directory Server Online


Hi,

I was trying to migrate my old Windows Server 2008 32-bit OS to the new OS Windows Server 2019, but apparently it was not possible.

My Exchange Server 2007 was my copy of my old domain controller, still intact but unable to connect to my newly renamed DC server.

My existing Active Directory server had the roles below.

  1. CA server
  2. Active directory domain services
  3. Network policy server
  4. Web Server
  5. File Server
  6. DNS Server

For the migration, below were the steps I did:

  1. Added 2 domain controllers to the existing Active Directory pool for replication and failover (one Windows Server 2012, one Windows Server 2019 to migrate to). During the migration stage I was getting a lot of DNS issues, but I kept persisting and it worked (tried ipconfig /flushdns & ipconfig /registerdns many times; it took a few tries).
  2. Successfully added the 2 domain controllers into the pool and replicated (but the DNS server needed to be manually replicated).
  3. Backed up the CA cert, policies & SYSVOL folder, ran dcpromo.exe on the old server, removed the CA server, then proceeded with the removal of the DC server, then changed the IP address and domain name of the server.

Replication status of the server at that time was unknown. I proceeded with the switchover; initially there were already errors, but I didn't know where to start. I started changing one of the servers back to the old server name & IP address, the second server which was added to the DC pool was demoted, and this is where all hell broke loose. The problems became a nightmare for me.

In my attempt to get the 1st DC server which I replicated, below were the errors found.

C:\Users\pcsb002pg>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = adserver
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\ADSERVER2
      Starting test: Connectivity
         ......................... ADSERVER2 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\ADSERVER2
      Starting test: Advertising
         Fatal Error:DsGetDcName (ADSERVER2) call failed, error 1722
         The Locator could not find the server.
         ......................... ADSERVER2 failed test Advertising
      Starting test: FrsEvent
         ......................... ADSERVER2 passed test FrsEvent
      Starting test: DFSREvent
         The event log DFS Replication on server ADServer2.pcsb.local could not
         be queried, error 0x721 "A security package specific error occurred."
         ......................... ADSERVER2 failed test DFSREvent
      Starting test: SysVolCheck
         [ADSERVER2] An net use or LsaPolicy operation failed with error 64,
         The specified network name is no longer available..
         ......................... ADSERVER2 failed test SysVolCheck
      Starting test: KccEvent
         The event log Directory Service on server ADServer2.pcsb.local could
         not be queried, error 0x721"A security package specific error occurred."
         ......................... ADSERVER2 failed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... ADSERVER2 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         Could not open pipe with [ADSERVER2]:failed with 64:
         The specified network name is no longer available.
         Could not get NetBIOSDomainName
         Failed can not test for HOST SPN
         Failed can not test for HOST SPN
         ......................... ADSERVER2 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... ADSERVER2 passed test NCSecDesc
      Starting test: NetLogons
         [ADSERVER2] An net use or LsaPolicy operation failed with error 64,
         The specified network name is no longer available..
         ......................... ADSERVER2 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... ADSERVER2 passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,ADSERVER2] A recent replication attempt failed:
            From EXCHANGE to ADSERVER2
            Naming Context: DC=ForestDnsZones,DC=pcsb,DC=local
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2020-03-17 00:01:12.
            The last success occurred at 2020-03-16 22:29:03.
            5 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,ADSERVER2] A recent replication attempt failed:
            From EXCHANGE to ADSERVER2
            Naming Context: DC=DomainDnsZones,DC=pcsb,DC=local
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2020-03-17 00:01:12.
            The last success occurred at 2020-03-16 22:29:06.
            5 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,ADSERVER2] A recent replication attempt failed:
            From EXCHANGE to ADSERVER2
            Naming Context: CN=Schema,CN=Configuration,DC=pcsb,DC=local
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2020-03-17 00:01:12.
            The last success occurred at 2020-03-16 22:28:45.
            5 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,ADSERVER2] A recent replication attempt failed:
            From EXCHANGE to ADSERVER2
            Naming Context: CN=Configuration,DC=pcsb,DC=local
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2020-03-17 00:01:12.
            The last success occurred at 2020-03-16 22:34:34.
            5 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,ADSERVER2] A recent replication attempt failed:
            From EXCHANGE to ADSERVER2
            Naming Context: DC=pcsb,DC=local
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2020-03-17 00:01:12.
            The last success occurred at 2020-03-16 22:35:25.
            5 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         ......................... ADSERVER2 failed test Replications
      Starting test: RidManager
         ......................... ADSERVER2 passed test RidManager
      Starting test: Services
         Could not open Remote ipc to [ADServer2.pcsb.local]: error 0x40"The specified network name is no longer available."
         ......................... ADSERVER2 failed test Services
      Starting test: SystemLog
         The event log System on server ADServer2.pcsb.local could not be
         queried, error 0x721 "A security package specific error occurred."
         ......................... ADSERVER2 failed test SystemLog
      Starting test: VerifyReferences
         ......................... ADSERVER2 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : pcsb
      Starting test: CheckSDRefDom
         ......................... pcsb passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... pcsb passed test CrossRefValidation

   Running enterprise tests on : pcsb.local
      Starting test: LocatorCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1722
         A Global Catalog Server could not be located - All GC's are down.
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1722
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1722
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error
         1722
         A Good Time Server could not be located.
         Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1722
         A KDC could not be located - All the KDCs are down.
         ......................... pcsb.local failed test LocatorCheck
      Starting test: Intersite
         ......................... pcsb.local passed test Intersite

C:\Users\pcsb002pg>

The above is my dcdiag diagnostics.

I also noticed my DNS is quite screwed.

I'm so stuck and don't know what to do and where to start. My whole office is gonna come after me tomorrow.

I have roughly 25 staff in the office, with Exchange Server & some other applications such as the firewall, Lync Server & network drives that require Active Directory to connect.

Please help me. 


Delegation of rights

How to delegate the rights to a user without giving them access to a Domain Controller? I know the process of creating a group of users and putting them within an OU and delegating rights. But would they still be connected to a DC? 

Active Directory 2008 R2 Migration to Active Directory 2016 or 2019


Dear TechNet Members

In our environment we currently have a Windows Server 2008 R2 Active Directory with 3 DCs at Head Office and 2 domain controllers at the DR site. As per Microsoft end of support and end of life, we are planning to upgrade our DCs to Windows Server 2016 or Windows Server 2019.

I need expert advice for the migration as I have my ROOT DC on a physical IBM Blade.

I have the concerns below:

1. We have the ROOT CA on an additional domain controller.

2. We have many applications which still don't support TLS 1.2.

3. Currently we are using Exchange Server 2013 CU 23 in our environment.

4. We have 1000 plus users inside our organization.

5. Currently we are using SCCM and SCOM 2016.

6. Symantec Enterprise Vault 12.3 & Symantec NetBackup as backup solution.

7. Some applications are directly connected to the ROOT DC by the ROOT DC DNS name, and this is a point of concern for us.

I need some expert advice prior to migration so I will not miss out any point during the migration, as it's a very critical task for the organization.

Linux server Join Active Directory Domain

I have a requirement to configure Kerberos for my application. The application is hosted on a Linux server, and when I tried to join Active Directory using Linux realmd it asked for the Administrator password. I don't want to use the default Administrator account as it applies to the entire directory. If I create a separate administrator account (say TestAdmin) and give it access to only one Linux server, is it possible to join Active Directory?

Our DFS namespace server crashed; how can I add a new namespace server with dfsutil if I can't access the DFS from the console?

Our DFS namespace server crashed and now the DFS is inaccessible from the DFS Management console; it won't let me add a new namespace server. How can I add a new DFS namespace server from DFSUtil or another utility, and what would be the procedure?

Computer names


Hi

My AD doesn't refresh my computers' names. It is still showing the old computer names. How can I refresh them?

An active directory domain controller cannot be contacted


Hi,

I built a Server 2019 domain controller. I successfully promoted the server to domain controller. I also built a Windows 10 computer to use as a workstation.

When I try to join the Windows 10 computer to the domain I get the error:

"An Active Directory Domain controller (AD DC) for the domain "domain" could not be contacted."

DNS was successfully queried for service location (SRV) resource record used to locate a domain controller for domain "domain":

The query was fo SRV record _ldap._tcp.dc._msdcs.domain.com

The following domain controllers were identified by the query:

(no Active Directory Domain Controllers found)

However no domain controllers could be contacted.

Please advise. I am trying to build a lab on my laptop and I am using public WiFi for the connection.

Thanks,

Senait


Bandwidth needed for authentication to the Domain Controller per user


Hi All,

Is there information on how much bandwidth is needed by each user for authentication to the Domain Controller? I tried searching but could not find it. Please advise.

Thank You


Are (computer or user) accounts automatically deleted from Active Directory? Need canonical/authoritative statement.


There are threads here in the forums that include statements that computer accounts are not automatically deleted.

Computer account getting deleted automatically
https://social.technet.microsoft.com/Forums/en-US/fc3549d5-08f9-4201-b491-41a7774e41ca/computer-account-getting-deleted-automatically

Computer Account is getting deleted automatically
https://social.technet.microsoft.com/Forums/windowsserver/en-US/722de974-b4bf-464a-a087-9a7430f29f0c/computer-account-is-getting-deleted-automatically

Given the number of tools and scripts that look for old/stale computer accounts for deletion, this seems to all make sense. Likewise, this would apply to user accounts too. This question does not apply to tombstone objects, which I realize have been 'deleted'.

My question is if there is a canonical/authoritative statement from Microsoft stating that (computer or user) accounts are not auto-deleted, e.g. KB article or product documentation?

Thank-you.

Active Directory (Best Practices for Managing)


Hello Folks,

Can anyone suggest a best practices document for managing Active Directory?

I mean in terms of users, groups, security, etc.

Appreciate your feedback, thanks.

Disabled Accounts are not blocked on O365


We have configured AD Connect and synced users successfully with O365.

However, the only problem that remains is that in AD we have some disabled users, and on O365 their Sign-in Status is still Allowed. This should be blocked for such accounts.

How can we resolve this issue?

Windows 2016 BPA error - Cannot find directory server with identity: 'UServer$'


Hi Support,

When running the BPA on the Windows 2016 DCs, we found that one of the DCs has many errors as below:

  Issue:
  The Active Directory Domain Services Best Practices Analyzer (AD DS BPA) is not able to collect data about the hostname DNS A/AAAA records from the DNS servers.

  Impact:
  The AD DS BPA will not be able to validate configuration data about the hostname DNS A/AAAA records.

  Resolution:
  Troubleshoot the DNS servers to determine the root cause of the problem.

When checking the DirectoryServices_EngineReport, it has this error:

  <HostNameDnsRecord>
    <Error>
      <Report>true</Report>
      <DataItem>the hostname DNS A/AAAA records</DataItem>
      <Computer>the DNS servers</Computer>
      <Message>This element requires a valid Server Hostname</Message>
      <FullyQualifiedErrorId>This element requires a valid Server Hostname</FullyQualifiedErrorId>
      <Exception>
        <Type>System.ArgumentException</Type>
        <Message>This element requires a valid Server Hostname</Message>
        <InnerException>
          <Type>Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException</Type>
          <Message>Cannot find directory server with identity: 'Server$'.</Message>

I checked that DNS has the server record. I tried using ntdsutil and the server can be found. Replication on all DCs is healthy.

Any idea?

Best Regards

Chong



Raise domain functional level without domain FSMO available


Hi Experts

We need to raise the domain functional level from 2003 to 2012 R2, but my domain controller holding the FSMO roles is dead; it crashed.

Is it possible to move the roles to another domain controller server without this server?

I tried to move the roles and I see these warnings:



Thank you so much!!



Ing Carlos Pernia.
