Channel: Directory Services forum

Foreign Security Principals showing under Domain Local Groups of Target domain


Hello,

I need more clarity and information on FSP showing in Domain Local groups of Target Domain:

1. What are the objects in the source domain that show up as FSP objects in the domain local groups of the target domain?

2. Do those objects belong only to members of domain local groups AND members of other groups in other domains via existing trusts in the source domain?

3. Can we remove all FSP whether it is orphaned or not from Domain Local groups post migration?

Kindly reply specific to above mentioned points.

Thanks

Alex Lee



EventId 4231 and 5719 - server is losing connection with AD controller


Hi,

we have a problem with one physical Windows Server 2016: once every couple of days it loses its connection with the domain controller; after a restart everything goes back to normal.

In the event log there are two events right before it loses the connection:

4231 "A request to allocate an ephemeral port number from the global TCP port space has failed due to all such ports being in use.."

And right after that

5719 This computer was not able to set up a secure session with a domain controller in domain CPLUS due to the following: The RPC server is unavailable.

We have another server with the same specification and configuration in the same network and everything there is working without any problems.

Microsoft iSCSI Initiator Service is disabled
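Event 4231 means the dynamic (ephemeral) TCP port range is exhausted, and 5719 is the Netlogon secure channel failing because it cannot get a port. The script below is an added example, not part of the post above: run on the affected server while the condition is active, it reads the dynamic range the stack is using and shows which process owns the ports in it. It uses only built-in cmdlets (Windows Server 2012 or later) and assumes nothing about the poster's environment.

```powershell
# Added example (not from the post): on a server logging 4231 then 5719,
# find which process is holding the dynamic TCP port range. Run on the
# affected server while the condition is active; uses only built-in cmdlets
# (Windows Server 2012 or later). No names from the post are assumed.

# 1. The dynamic range currently in force (Windows default: start 49152, 16384 ports).
$range = netsh int ipv4 show dynamicport tcp
$start = [int](($range | Select-String 'Start Port').Line -replace '\D', '')
$count = [int](($range | Select-String 'Number of Ports').Line -replace '\D', '')
$end   = $start + $count - 1

# 2. Every TCP endpoint inside that range, by owning process and state.
# A socket leak shows as one PID with thousands of Bound/Established entries;
# a TIME_WAIT flood shows as many short-lived outbound connections instead.
$inUse  = Get-NetTCPConnection | Where-Object { $_.LocalPort -ge $start -and $_.LocalPort -le $end }
$byProc = $inUse | Group-Object OwningProcess | Sort-Object Count -Descending |
    Select-Object -First 10 -Property Count,
        @{ n = 'PID';     e = { $_.Name } },
        @{ n = 'Process'; e = { (Get-Process -Id $_.Name -ErrorAction SilentlyContinue).ProcessName } },
        @{ n = 'States';  e = { ($_.Group | Group-Object State | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ' ' } }

"Dynamic TCP range {0}-{1}: {2} of {3} ports in use" -f $start, $end, @($inUse).Count, $count
$byProc | Format-Table -AutoSize

# 3. UDP has its own dynamic range of the same size; count it too if TCP alone
# does not account for the exhaustion.
"UDP endpoints at or above {0}: {1}" -f $start, @(Get-NetUDPEndpoint | Where-Object { $_.LocalPort -ge $start }).Count
```

The process at the top of the table with a count close to the size of the range is the one to investigate; comparing its numbers with the healthy twin server the post mentions is the quickest way to confirm it.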

Remove Foreign Security Principals from domain local groups post migration


Hello,

I've seen articles where it is mentioned that after a successful migration you have to remove Foreign Security Principals from the domain local groups.

I need to understand the reason for this.

Is it really necessary to remove Foreign Security Principals from domain local groups post-migration? Should it be considered a post-migration activity or task?

What are side effects or is there any impact if not doing so?


G-ONE
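Both FSP posts above come down to the same two questions: which trusted-domain principal does each foreignSecurityPrincipal object stand for, and which of them still resolves. The script below is an added example and is not from either post; it enumerates the FSPs of the target domain, resolves each SID through the trust, lists the groups each one is a member of, and stages the deletion of only the orphans with -WhatIf. It assumes the ActiveDirectory module and read rights on the domain.

```powershell
# Added example (not from either post): audit the foreignSecurityPrincipal
# objects of the target domain, resolve each SID through the trust, and show
# the groups each one sits in. Only the -WhatIf removal at the end touches
# anything. Assumes the ActiveDirectory module and read rights on the domain.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$fspBase = "CN=ForeignSecurityPrincipals,$($domain.DistinguishedName)"

# Well-known SIDs (S-1-5-11 Authenticated Users, S-1-5-4 Interactive, ...) also
# live in this container and are never orphans; look only at domain SIDs.
$fsps = Get-ADObject -SearchBase $fspBase -LDAPFilter '(objectClass=foreignSecurityPrincipal)' -Properties memberOf |
    Where-Object { $_.Name -like 'S-1-5-21-*' }

$report = foreach ($fsp in $fsps) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier $fsp.Name
    $account = $null
    # Translate asks LSA to look the SID up across the trust; it throws when the
    # source object is gone or no trust path to its domain exists any more.
    try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { }

    $groups = foreach ($dn in $fsp.memberOf) { Get-ADGroup -Identity $dn }

    [pscustomobject]@{
        SID               = $fsp.Name
        ResolvesTo        = $account
        Orphaned          = [string]::IsNullOrEmpty($account)
        DomainLocalGroups = ($groups | Where-Object GroupScope -eq 'DomainLocal').Name -join ';'
        OtherGroups       = ($groups | Where-Object GroupScope -ne 'DomainLocal').Name -join ';'
    }
}
$report | Format-Table -AutoSize

# Delete only the orphans. A resolvable FSP is the group-membership handle of a
# live trusted-domain principal; deleting it revokes that access everywhere the
# FSP is a member. Drop -WhatIf once the list has been reviewed.
$report | Where-Object Orphaned | ForEach-Object {
    Remove-ADObject -Identity "CN=$($_.SID),$fspBase" -Confirm:$false -WhatIf
}
```

Run it while the trust is up: a SID that fails to translate only because the trust is down is not an orphan, and deleting it would silently drop the access of the source-domain users who still depend on it. Orphans appear once the source objects (or the trust) have been decommissioned, which is why the cleanup is usually listed as a post-migration task.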

Create a Sysvol subscription entry "from scratch"


Howdy fellas, hope all are well!

I'm in charge of migrating a 20+ SAMBA AD-based directory w/ several sites to a "real" AD based on Server 2019. Several SSO / O365 / MFA solutions should be used, thus x-ing out the SAMBA 4 AD.

I did already join a W2k8R2 DC to the AD (2016 / 2019 can't be used; SAMBA doesn't know WMI).
I know that SAMBA won't do any SYSVOL replication.

AD replication works

DNS is working

"rid set" is available

Sysvol ready = 1 on the 2k8r2 (net share displays "sysvol" and "netlogon" shares)

Next part is to set up the "SYSVOL Subscription" in AD. The diverse TechNet / doc articles deal with broken SYSVOL replication; in my case it's not broken, it never was available.

How could I set up an entry from scratch?

grtNx from Europe

Harry
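A DC's DFSR SYSVOL membership is a fixed set of AD objects: the Domain System Volume replication group under CN=DFSR-GlobalSettings,CN=System with its SYSVOL Share content set and a topology member per DC, and under each DC's computer account a DFSR-LocalSettings object holding a Domain System Volume subscriber and a SYSVOL Subscription. Before creating anything it helps to see exactly which of these exist, which is what the added example below does (it is not from the post); it is read-only, assumes the ActiveDirectory module, and the DC name is a placeholder.

```powershell
# Added example (not from the post): list the AD objects a DC needs for a
# DFSR-replicated SYSVOL and report which are missing. Object names and
# attribute names are the ones Windows itself creates; the DC name is a
# placeholder. Read-only; assumes the ActiveDirectory module.
Import-Module ActiveDirectory
$dc     = 'DC01'                                  # placeholder
$domDN  = (Get-ADDomain).DistinguishedName
$rgDN   = "CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,$domDN"
$compDN = (Get-ADComputer -Identity $dc).DistinguishedName

function Get-DfsrObject([string]$dn, [string[]]$props) {
    try { Get-ADObject -Identity $dn -Properties $props -ErrorAction Stop } catch { $null }
}
function ConvertTo-Guid($octets) {
    # msDFSR-*Guid attributes are stored as 16-byte octet strings.
    if ($octets) { New-Object System.Guid -ArgumentList (, [byte[]]$octets) }
}

# Domain-wide definitions: the replication group, its content set, the DC's topology member.
$rg   = Get-DfsrObject $rgDN                               @('objectGUID')
$cs   = Get-DfsrObject "CN=SYSVOL Share,CN=Content,$rgDN"  @('objectGUID')
$topo = Get-DfsrObject "CN=$dc,CN=Topology,$rgDN"          @('msDFSR-ComputerReference')
# Per-DC definitions under the computer account: LocalSettings -> Subscriber -> Subscription.
$ls   = Get-DfsrObject "CN=DFSR-LocalSettings,$compDN"                          @('msDFSR-Flags')
$sub  = Get-DfsrObject "CN=Domain System Volume,CN=DFSR-LocalSettings,$compDN"  @('msDFSR-MemberReference', 'msDFSR-ReplicationGroupGuid')
$ss   = Get-DfsrObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$compDN" `
                       @('msDFSR-RootPath', 'msDFSR-StagingPath', 'msDFSR-Enabled', 'msDFSR-ContentSetGuid', 'msDFSR-ReplicationGroupGuid')

[pscustomobject]@{
    ReplicationGroup   = [bool]$rg
    ContentSet         = [bool]$cs
    TopologyMember     = [bool]$topo
    TopologyPointsToDC = [bool]($topo -and ($topo.'msDFSR-ComputerReference' -eq $compDN))
    LocalSettings      = [bool]$ls
    Subscriber         = [bool]$sub
    SubscriberMemberOK = [bool]($sub -and $topo -and ($sub.'msDFSR-MemberReference' -eq $topo.DistinguishedName))
    SysvolSubscription = [bool]$ss
    RootPath           = $ss.'msDFSR-RootPath'
    StagingPath        = $ss.'msDFSR-StagingPath'
    Enabled            = $ss.'msDFSR-Enabled'
    GroupGuidMatches   = [bool]($sub -and $rg -and ((ConvertTo-Guid $sub.'msDFSR-ReplicationGroupGuid') -eq $rg.ObjectGUID))
    ContentGuidMatches = [bool]($ss -and $cs -and ((ConvertTo-Guid $ss.'msDFSR-ContentSetGuid') -eq $cs.ObjectGUID))
} | Format-List
```

In a directory that Samba created, expect the whole DFSR-GlobalSettings branch to be absent, not just the per-DC objects; the subscriber and subscription objects only make sense once the replication group, content set and topology member exist, because their GUID attributes must match the objectGUIDs of those.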

Domain trusts and logon servers


Hello,

I have a situation that seems a bit unique and all of the information I have found online doesn't quite match up to my scenario. 

I have two DCs, server.domain1.local and server.domain2.local; both domains function normally by themselves, but I am trying to create a trust between the two. It would seem that since they are both called server they cannot communicate, even though they have different FQDNs.

When trying to create the trust I get the error "There are no logon servers available". I get the same error when trying to UNC from one to the other.

I did create the conditional forwarders before creating the trust, and want to point out that they are connected via VPN; as far as I can tell from the traffic log the VPN firewall isn't blocking any traffic. I also turned off the Windows firewall temporarily as a test to see if that was the issue.

Any help would be appreciated.

Thanks
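"There are no logon servers available" is the DC locator failing: it found no DC for the other domain through DNS, or found one it could not reach. The checks below are an added example, not part of the post; run on a DC of domain1, they verify that the conditional forwarder answers for the locator SRV records (not just host A records), that the ports a trust needs are open through the VPN, and that the two domains do not collide on NetBIOS name. The names are the post's; the remote credential prompt is needed only until the trust exists.

```powershell
# Added example (not from the post): the locator and port checks behind
# "There are no logon servers available" when a trust is being created.
# Run on a DC of domain1 against domain2; the names are the post's.
$targetDomain = 'domain2.local'
$targetDC     = 'server.domain2.local'

# 1. The conditional forwarder must answer for the DC locator records, not just the host A record.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$targetDomain" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object Type -eq 'SRV'
if (-not $srv) { Write-Warning "no _ldap._tcp.dc._msdcs SRV records for $targetDomain via this resolver" }
$srv | Select-Object Name, NameTarget, Port | Format-Table -AutoSize

# 2. The ports trust creation and later use need, tested through the VPN.
$ports = [ordered]@{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC EPM'; 389 = 'LDAP'; 445 = 'SMB'; 464 = 'Kpasswd'; 3268 = 'GC' }
foreach ($p in $ports.Keys) {
    $ok = (Test-NetConnection -ComputerName $targetDC -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,-9} {1,5}  {2}' -f $ports[$p], $p, $(if ($ok) { 'open' } else { 'BLOCKED' })
}
# RPC over 135 hands off to a dynamic port (49152-65535 by default); that range
# must be open too, which a single-port test cannot show.

# 3. What the trust wizard does first: ask the locator. /force bypasses the cache.
nltest /dsgetdc:$targetDomain /force

# 4. Identical DC host names in different domains do not by themselves block a
# trust; identical domain NetBIOS names do. Compare both sides.
(Get-ADDomain).NetBIOSName
(Get-ADDomain -Identity $targetDomain -Server $targetDC `
    -Credential (Get-Credential -Message "Account in $targetDomain")).NetBIOSName
```

If step 1 is empty while a plain lookup of server.domain2.local works, the forwarder is answering only for the host records and the SRV zone (_msdcs) is not reachable, which produces exactly the locator error even though nothing is "blocked".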

Domain account keep locked out?


Hi everyone,

The domain account lockout issue has continued for a few months, but I have yet to find any solution; I'd appreciate it if anyone can give me some feedback on this.

Our work-from-home users log in to the laptop using a local account. For me there's no account lockout issue; however, account lockouts keep happening to a few of our users. Not sure why this keeps happening to a few of the users.

Here are the thing user need to enter in order to WFH:-

Local account: .\eric

Password: local account password

Login VPN: eric

Password: window domain password

Then connect skype for business: eric@contonso.onmicrosoft.com

Outlook: eric@contonso.com

password: Windows domain password (Outlook will prompt for the password every time the user opens Outlook)

I have also created .bat file for user to connect network drive so that there's no saved credential.

the batch file to connect are as below:-

net use Z: \\Shareserver /persistent:yes

pause

Troubleshooting steps taken:-

Cleared Credential Manager

Removed share drive connection

Removed skype for business

But the problem still persists for the user; for my own account I did not face such an issue.

Anyone?

Much appreciated.

Thanks.

AD SYSVOL - Symbolic link

Hello,

I have installed AD on Windows Server 2016 and I have a problem accessing the "domain.local" folder in SYSVOL from a remote computer.

I can access the SYSVOL and NETLOGON folders from a remote computer, but I cannot access the "domain.local" folder from a remote computer.

Here is error message from remote computer:
#---------------------------
\\domain.local\sysvol\domain.local is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permission.
 
The symbolic link cannot be followed because its type is disabled.
#---------------------------

I am a Domain Admin and I have full permissions.

From Domain Computer:
#---------------------------
C:\>fsutil behavior query SymlinkEvaluation
Local to local symbolic links are enabled.
Local to remote symbolic links are enabled.
Remote to local symbolic links are enabled.
Remote to remote symbolic links are enabled.
#---------------------------

Symbolic link created:
mklink /D "C:\Windows\SYSVOL\sysvol\domain.local" "C:\Windows\SYSVOL\domain"

How can I allow network access from a remote computer? When it does not work, computers cannot download GPO policy from the Domain Controller.

Thanks.

Václav
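The domain folder under SYSVOL\sysvol that Windows creates during promotion is a junction (mklink /J), not a symbolic link. A junction is resolved by the server itself, so SMB clients never see a reparse point; a symbolic link is handed to the client to evaluate, and the client refuses unless its remote-to-local symlink evaluation policy allows it, which is the error quoted above. The script below is an added example, not part of the post: it reports the reparse type of the link and rebuilds it as a junction, so no client-side symlink policy has to be loosened. Paths are the Windows defaults from the post; run it elevated on the DC.

```powershell
# Added example (not from the post): the domain folder under SYSVOL\sysvol is
# normally a junction (mklink /J), which the server resolves itself, not a
# symbolic link, which the SMB client must be allowed to evaluate. Check the
# reparse type and rebuild it as a junction. Run elevated on the DC; paths
# are the Windows defaults, the domain name is the post's.
$sysvolRoot = 'C:\Windows\SYSVOL'
$domainFqdn = 'domain.local'
$link   = Join-Path $sysvolRoot "sysvol\$domainFqdn"
$target = Join-Path $sysvolRoot 'domain'

$item = Get-Item -LiteralPath $link -Force -ErrorAction SilentlyContinue
"{0} -> {1} (LinkType={2})" -f $link, ($item.Target -join ','), $item.LinkType

if ($item -and $item.LinkType -eq 'SymbolicLink') {
    # rmdir on a reparse point removes only the link entry, never the target tree.
    cmd /c rmdir "$link"
    cmd /c mklink /J "$link" "$target" | Out-Null
}
elseif (-not $item) {
    cmd /c mklink /J "$link" "$target" | Out-Null
}

# Verify: the type must now be Junction and the share path must be browsable.
(Get-Item -LiteralPath $link -Force).LinkType
Test-Path "\\$env:COMPUTERNAME\SYSVOL\$domainFqdn\Policies"

# The staging junction Windows creates alongside it, for reference:
#   mklink /J "C:\Windows\SYSVOL\staging areas\domain.local" "C:\Windows\SYSVOL\staging\domain"
```

Keeping the junction rather than enabling remote symlink evaluation on every client is the safer fix: the fsutil SymlinkEvaluation settings (and the matching "Selectively allow the evaluation of a symbolic link" policy) apply to every share a client touches, not just SYSVOL.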

How to add Division field in Active directory under Organization Tab


Hi All,

How to add Division field in Active directory under Organization Tab


DFS Replication Failing for Domain System Volume

Hi, 

I am setting up a 2-node domain controller pair (Windows Server 2019 [1809]), DC01 and DC02.

So that the SYSVOL is synced between the two I have installed DFS Namespaces and Replication on both servers, with DC01 being the primary Domain Controller.



The issue that I am having is after install and restart of both domain controllers, event viewer is giving the following error:

In addition the Health report indicates that DC02 is "This member is waiting for initial replication for replicated folder SYSVOL Share."



Any thoughts on what could be causing this would be much appreciated.


NLTEST flags - full list? What does 0x20000 mean?


We have three domain controllers. One of them consistently has slower logon times than the other 2. I ran

nltest /server:testworkstation /SC_Reset:Domain\DC1 three times to change my testworkstation's DC to each one of the three, then ran

nltest /dsgetdc:domain

Here are results:

DC1 (server 2016): Flags: GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_FOREST CLOSE_SITE FULL_SECRET WS DS_8 DS_9 DS_10 0x20000

DC2 (server 2012): Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_FOREST CLOSE_SITE FULL_SECRET WS DS_8 DS_9

DC3 (server 2019): Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_FOREST CLOSE_SITE FULL_SECRET WS DS_8 DS_9 DS_10

DC2 and DC3 have DHCP servers on them. DC1 and DC2 have DNS on them. DC1 is the slow logon one.

What does 0x20000 mean in the flag list? I can't find an official Microsoft Doc list that says what all possible flags and their meanings are for nltest. The most recent help doc I can find for nltest is from Server 2012, even.

Thanks for any advice you can provide.
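The "Flags:" line nltest prints is the DsGetDcName flag word of the DOMAIN_CONTROLLER_INFO structure, rendered as the short names nltest knows; any bit it has no name for is printed as raw hex, which is what the 0x20000 after DS_10 is. The block below is an added example, not from the post: a table of the DS_*_FLAG bits as defined in the SDK header dsgetdc.h, a function that turns an nltest line (names plus stray hex) back into the numeric value, and one that expands a value into names. It is run on the DC1 line above, with the glued "DS_100x20000" split back into two tokens.

```powershell
# Added example (not from the post): decode the DsGetDcName flag word behind
# nltest's "Flags:" line. Bit values and DS_*_FLAG names are those of the SDK
# header dsgetdc.h; the keys are the short names nltest prints. Literals carry
# the L suffix so that 0x80000000 is not read as a negative Int32.
$flagTable = [ordered]@{
    'PDC'           = 0x00000001L   # DS_PDC_FLAG
    'GC'            = 0x00000004L   # DS_GC_FLAG
    'LDAP'          = 0x00000008L   # DS_LDAP_FLAG
    'DS'            = 0x00000010L   # DS_DS_FLAG
    'KDC'           = 0x00000020L   # DS_KDC_FLAG
    'TIMESERV'      = 0x00000040L   # DS_TIMESERV_FLAG
    'CLOSE_SITE'    = 0x00000080L   # DS_CLOSEST_FLAG
    'WRITABLE'      = 0x00000100L   # DS_WRITABLE_FLAG
    'GTIMESERV'     = 0x00000200L   # DS_GOOD_TIMESERV_FLAG
    'NDNC'          = 0x00000400L   # DS_NDNC_FLAG
    'SELECT_SECRET' = 0x00000800L   # DS_SELECT_SECRET_DOMAIN_6_FLAG (RODC)
    'FULL_SECRET'   = 0x00001000L   # DS_FULL_SECRET_DOMAIN_6_FLAG
    'WS'            = 0x00002000L   # DS_WS_FLAG (AD Web Services)
    'DS_8'          = 0x00004000L   # DS_DS_8_FLAG
    'DS_9'          = 0x00008000L   # DS_DS_9_FLAG
    'DS_10'         = 0x00010000L   # DS_DS_10_FLAG
    'KEY_LIST'      = 0x00020000L   # DS_KEY_LIST_FLAG: KDC answers key list requests (MS-KILE)
    'DNS_DC'        = 0x20000000L   # DS_DNS_CONTROLLER_FLAG
    'DNS_DOMAIN'    = 0x40000000L   # DS_DNS_DOMAIN_FLAG
    'DNS_FOREST'    = 0x80000000L   # DS_DNS_FOREST_FLAG
}

# nltest's "Flags:" line -> numeric value. Hex tokens are bits nltest could not name.
function ConvertFrom-NltestFlagLine([string]$Line) {
    $value = 0L
    foreach ($tok in (($Line -replace '^\s*Flags:\s*', '') -split '\s+')) {
        if (-not $tok) { continue }
        if ($tok -match '^0x[0-9a-fA-F]+$') { $value = $value -bor [Convert]::ToInt64($tok.Substring(2), 16) }
        elseif ($flagTable.Contains($tok))  { $value = $value -bor $flagTable[$tok] }
        else { Write-Warning "unknown token '$tok'" }
    }
    $value
}

# Numeric value -> names, plus whatever bits the table does not cover.
function ConvertTo-DsGetDcFlagNames([long]$Value) {
    $rest  = $Value
    $names = foreach ($name in $flagTable.Keys) {
        if ($Value -band $flagTable[$name]) { $name; $rest = $rest -bxor $flagTable[$name] }
    }
    [pscustomobject]@{
        Value   = ('0x{0:X8}' -f $Value)
        Names   = ($names -join ' ')
        Unnamed = ('0x{0:X}' -f $rest)   # non-zero means a bit newer than this table
    }
}

# The DC1 line from the post, with "DS_100x20000" split into "DS_10 0x20000".
$dc1 = 'Flags: GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_FOREST CLOSE_SITE FULL_SECRET WS DS_8 DS_9 DS_10 0x20000'
ConvertTo-DsGetDcFlagNames (ConvertFrom-NltestFlagLine $dc1)
```

With the table above, the DC1 line decodes to 0x8003F3FC and the stray 0x20000 becomes KEY_LIST; a DC advertising that bit is not slower for it, so the slow-logon question is separate from the flag.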

Reject disabled user logon attempts.


Hi,

We have a high number of logon failures from a user account that belongs to a former employee.

It seems the credentials are being used in an email app on an Android device, as we can see in the Exchange server logs.

The user account is disabled, but that doesn't prevent the logon attempts.

Is there any possibility of rejecting that kind of user logon attempt?

We're somewhat afraid of the DCs' resources being depleted.

Thank you. 

How to force replicating SYSVOL contents?


Hi all;

If I enforce replicating Active Directory changes by using Sites and Services console (like the figure below), does it include replicating SYSVOL folder contents (if it depends on DFS-R)?

Thanks



Looking for some help and documentation on AD DR setup and configuration and effective AD Governance and reporting model


Is there any documentation available for designing a DR solution for AD or designing an effective offline backup for AD?

Also, I need some help with some artifacts on effective AD governance and reporting. Can anyone point me to some good documentation please? Appreciate any help.


Pallab Chakraborty

Sysvol folder not sync

When we migrated AD from a Windows Server 2003 R2 server to a Windows Server 2012 R2 server, everything synced except the SYSVOL folder.
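Three posts on this page (the 2019 pair stuck "waiting for initial replication", the question whether forcing AD replication in Sites and Services also moves SYSVOL, and the 2003 R2 to 2012 R2 migration where only SYSVOL stays behind) share one answer: AD replication moves directory objects only; SYSVOL file content is moved by DFSR, or by FRS on a domain that was never migrated off it, and has its own state and its own push command. The script below is an added example, not from any of the posts; DC names are placeholders and it runs on a DC with the DFSR PowerShell module (Windows Server 2012 R2 or later).

```powershell
# Added example (not from the posts): where SYSVOL replication actually stands
# on a DC, and how to push it. AD replication (repadmin, Sites and Services)
# moves directory objects only; SYSVOL file content is moved by DFSR, or by
# FRS on domains that never migrated. DC names are placeholders; run on a DC.
$source = 'DC01'; $dest = 'DC02'

# 1. Which engine owns SYSVOL. 'Eliminated' means DFSR only; 'Start' means FRS,
# and none of the DFSR cmdlets below apply until dfsrmig has been run through.
dfsrmig /getglobalstate
dfsrmig /getmigrationstate

# 2. DFSR's own view of the SYSVOL replicated folder on each DC.
$stateName = @{ 0 = 'Uninitialized'; 1 = 'Initialized'; 2 = 'Initial Sync'; 3 = 'Auto Recovery'; 4 = 'Normal'; 5 = 'In Error' }
foreach ($dc in $source, $dest) {
    Get-CimInstance -ComputerName $dc -Namespace 'root\MicrosoftDFS' -ClassName DfsrReplicatedFolderInfo |
        Where-Object ReplicatedFolderName -eq 'SYSVOL Share' |
        ForEach-Object { '{0,-8} {1,-14} {2}' -f $dc, $stateName[[int]$_.State], $_.ReplicationGroupName }
}

# 3. Make each DC re-read its DFSR configuration from AD, then open a sync
# window that ignores the replication schedule.
Update-DfsrConfigurationFromAD -ComputerName $source, $dest
Sync-DfsReplicationGroup -GroupName 'Domain System Volume' `
    -SourceComputerName $source -DestinationComputerName $dest -DurationInMinutes 5

# 4. Files still queued for $dest; 0 means the folder is in sync.
@(Get-DfsrBacklog -GroupName 'Domain System Volume' -FolderName 'SYSVOL Share' `
    -SourceComputerName $source -DestinationComputerName $dest).Count
```

Two things the output settles quickly: a DC stuck in state 2 (Initial Sync) has not yet received the folder from its partner, so steps 3 and 4 are the ones to watch; and a DC's SYSVOL replication uses the DFSR service that promotion already installs, so adding the DFS Namespaces role service to the DCs plays no part in it.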

Can't get the Directory Server Online


Hi,

I was trying to migrate my old Windows Server 2008 32-bit OS to a new OS, Windows Server 2019, but apparently it was not possible.

My Exchange Server 2007 was my copy of my old domain controller, still intact but unable to connect to my newly renamed DC server.

My existing Active Directory server had the roles below.

  1. CA server
  2. Active directory domain services
  3. Network policy server
  4. Web Server
  5. File Server
  6. DNS Server

For the migration, below were the steps i did

  1. Added 2 domain controllers to the existing Active Directory pool for replication and failover (one Windows Server 2012, one Windows Server 2019 to migrate to). During the migration stage I got a lot of DNS issues, but I kept persisting and it worked (tried ipconfig /flushdns & ipconfig /registerdns many times; took a few tries).
  2. Successfully added the 2 domain controllers into the pool and replicated (but the DNS server needed to be replicated manually).
  3. Backed up the CA cert, policies & SYSVOL folder, ran dcpromo.exe on the old server, removed the CA server, then proceeded with the removal of the DC server, then changed the IP address and domain name of the server.

The replication status of the server at that time was unknown. I proceeded with the switchover; initially there were already errors, but I didn't know where to start. I started changing one of the servers back to the old server name & IP address, the second server which was added to the DC pool was demoted, and this is where all hell broke loose. The problems became a nightmare for me.

In my attempt to get the 1st DC server which I replicated, below were the errors found.

C:\Users\pcsb002pg>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = adserver
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\ADSERVER2
      Starting test: Connectivity
         ......................... ADSERVER2 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\ADSERVER2
      Starting test: Advertising
         Fatal Error:DsGetDcName (ADSERVER2) call failed, error 1722
         The Locator could not find the server.
         ......................... ADSERVER2 failed test Advertising
      Starting test: FrsEvent
         ......................... ADSERVER2 passed test FrsEvent
      Starting test: DFSREvent
         The event log DFS Replication on server ADServer2.pcsb.local could not
         be queried, error 0x721 "A security package specific error occurred."
         ......................... ADSERVER2 failed test DFSREvent
      Starting test: SysVolCheck
         [ADSERVER2] An net use or LsaPolicy operation failed with error 64,
         The specified network name is no longer available..
         ......................... ADSERVER2 failed test SysVolCheck
      Starting test: KccEvent
         The event log Directory Service on server ADServer2.pcsb.local could
         not be queried, error 0x721"A security package specific error occurred."
         ......................... ADSERVER2 failed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... ADSERVER2 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         Could not open pipe with [ADSERVER2]:failed with 64:
         The specified network name is no longer available.
         Could not get NetBIOSDomainName
         Failed can not test for HOST SPN
         Failed can not test for HOST SPN
         ......................... ADSERVER2 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... ADSERVER2 passed test NCSecDesc
      Starting test: NetLogons
         [ADSERVER2] An net use or LsaPolicy operation failed with error 64,
         The specified network name is no longer available..
         ......................... ADSERVER2 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... ADSERVER2 passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,ADSERVER2] A recent replication attempt failed:
            From EXCHANGE to ADSERVER2
            Naming Context: DC=ForestDnsZones,DC=pcsb,DC=local
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2020-03-17 00:01:12.
            The last success occurred at 2020-03-16 22:29:03.
            5 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,ADSERVER2] A recent replication attempt failed:
            From EXCHANGE to ADSERVER2
            Naming Context: DC=DomainDnsZones,DC=pcsb,DC=local
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2020-03-17 00:01:12.
            The last success occurred at 2020-03-16 22:29:06.
            5 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,ADSERVER2] A recent replication attempt failed:
            From EXCHANGE to ADSERVER2
            Naming Context: CN=Schema,CN=Configuration,DC=pcsb,DC=local
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2020-03-17 00:01:12.
            The last success occurred at 2020-03-16 22:28:45.
            5 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,ADSERVER2] A recent replication attempt failed:
            From EXCHANGE to ADSERVER2
            Naming Context: CN=Configuration,DC=pcsb,DC=local
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2020-03-17 00:01:12.
            The last success occurred at 2020-03-16 22:34:34.
            5 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         [Replications Check,ADSERVER2] A recent replication attempt failed:
            From EXCHANGE to ADSERVER2
            Naming Context: DC=pcsb,DC=local
            The replication generated an error (1908):
            Could not find the domain controller for this domain.
            The failure occurred at 2020-03-17 00:01:12.
            The last success occurred at 2020-03-16 22:35:25.
            5 failures have occurred since the last success.
            Kerberos Error.
            A KDC was not found to authenticate the call.
            Check that sufficient domain controllers are available.
         ......................... ADSERVER2 failed test Replications
      Starting test: RidManager
         ......................... ADSERVER2 passed test RidManager
      Starting test: Services
         Could not open Remote ipc to [ADServer2.pcsb.local]: error 0x40"The specified network name is no longer available."
         ......................... ADSERVER2 failed test Services
      Starting test: SystemLog
         The event log System on server ADServer2.pcsb.local could not be
         queried, error 0x721 "A security package specific error occurred."
         ......................... ADSERVER2 failed test SystemLog
      Starting test: VerifyReferences
         ......................... ADSERVER2 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : pcsb
      Starting test: CheckSDRefDom
         ......................... pcsb passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... pcsb passed test CrossRefValidation

   Running enterprise tests on : pcsb.local
      Starting test: LocatorCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1722
         A Global Catalog Server could not be located - All GC's are down.
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1722
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1722
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error
         1722
         A Good Time Server could not be located.
         Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1722
         A KDC could not be located - All the KDCs are down.
         ......................... pcsb.local failed test LocatorCheck
      Starting test: Intersite
         ......................... pcsb.local passed test Intersite

C:\Users\pcsb002pg>

The above is my DCdiag diagnostics.

I also noticed my DNS is quite screwed.

I'm so stuck and don't know what to do or where to start. My whole office is going to come after me tomorrow.

I have roughly 25 staff in the office, with an Exchange server & some other applications such as the firewall, Lync server & network drives that require Active Directory to connect.

Please help me. 


Authentication failure - Bad password


I have a lot of the following events for multiple users

--------------------------------------------------

Kerberos pre-authentication failed.

Account Information:
Security ID: Domain\xxxx
Account Name: xxxx

Service Information:
Service Name: krbtgt/Domain

Network Information:
Client Address: ::ffff:X.X.X.X
Client Port: 37430

Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2

Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.

-------------------------------

The problem with this is that the account lockout policy cannot be applied because user accounts that display this behavior are immediately locked out.

Will you have some reference in this regard?
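The 4771 above, the lockouts of the work-from-home users further up, and the disabled former employee's account being hammered from an Android mail client all get answered from the same two events on the PDC emulator, which sees every bad password in the domain: 4771 carries the real client address and the Kerberos failure code, and 4740 carries the name of the computer that submitted the lockout-triggering attempt. The script below is an added example, not from any of the posts; it summarises both over the last 24 hours. A failure code of 0x18 (KDC_ERR_PREAUTH_FAILED) is a wrong password and counts toward lockout; 0x12 (KDC_ERR_CLIENT_REVOKED) is what a disabled, expired or locked account returns, which the KDC rejects before any password check and which does not increment the bad-password count. The hours and the module are assumptions.

```powershell
# Added example (not from the posts): turn 4771 (Kerberos pre-auth failed) and
# 4740 (account locked out) on the PDC emulator into a per-account, per-source
# summary. Assumes the ActiveDirectory module and event-log read rights on the PDC.
Import-Module ActiveDirectory
$pdc   = (Get-ADDomain).PDCEmulator
$since = (Get-Date).AddHours(-24)

# Kerberos error codes from RFC 4120 that show up in 4771.
$krbErr = @{
    '0x6'  = 'C_PRINCIPAL_UNKNOWN (no such account)'
    '0x12' = 'CLIENT_REVOKED (disabled, expired or locked out)'
    '0x17' = 'KEY_EXPIRED (password must change)'
    '0x18' = 'PREAUTH_FAILED (bad password)'
    '0x25' = 'SKEW (clock out of tolerance)'
}

function Get-EventData($event) {
    # Flatten <EventData><Data Name=..>value</Data> into a hashtable.
    $d = @{}
    foreach ($n in ([xml]$event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

$preauth = Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4771; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = $d.TargetUserName
            Source  = ($d.IpAddress -replace '^::ffff:', '')   # IPv4-mapped form, as in the post
            Code    = $d.Status
            Meaning = $krbErr[$d.Status]
        }
    }

# Who is hitting which account, from where, and with what result.
$preauth | Group-Object Account, Source, Code | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Account, Source, Code'; e = { $_.Name } },
                         @{ n = 'Meaning'; e = { $_.Group[0].Meaning } } | Format-Table -AutoSize

# Lockouts: 4740 names the submitting computer (TargetDomainName), not an IP.
Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{ Time = $_.TimeCreated; Account = $d.TargetUserName; CallerComputer = $d.TargetDomainName }
    } | Format-Table -AutoSize
```

For the WFH lockouts the CallerComputer column is usually the VPN gateway or the Exchange front end holding a stale password; for the former employee the Source column is the address to block at the mail edge, since the KDC itself is already rejecting the account cheaply with 0x12 and cannot be told to skip the request entirely.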

ADFS 3.0 (Server 2012 R2) Changing service account


There are many posts on how to change the service account by using the following script:

ADFS3.xChangeSvcAcct.ps1

https://gallery.technet.microsoft.com/scriptcenter/Active-Directory-ddb67df0#content

However, what I do not think is clear is how to proceed when you have a Web Application Proxy.

The script talks about primary and secondaries. If I understand correctly, you first update the secondary servers, and then you move to the primary.

But is the ADFS Proxy considered a secondary? If not, once I run the script on the primary server, how do I update the service account on the Proxy?

Has anybody gone through this scenario?

Thanks

Automated public S/MIME certificate distribution and configuration to domain joined devices?


My team recently made the decision to enforce the use of digital email signing, and to offer, at least for internal purposes, the option of email encryption.

We will be purchasing S/MIME certificates from one of the top 3 globally trusted certificate service providers, whereby the CSR will be generated by my team, and we will therefore end up with roughly 150 PFX files, one for every mail address used and defined in our Office 365 environment. This way we can also support certificate and key roll-over, as we, the IT team, generated the CSR rather than relying on the end-user (device) to create it.

We make use of a local AD that syncs to AAD.

My team and I know how to manually install the certificate for a user, and we know how to manually configure Outlook for Windows (most commonly used). We also understand how to automatically get a certificate from ADCS to a domain-joined end-point.


My first question is:

How do I import these 150 PFX files and their relevant passwords in such a way that these certificates and keys are automatically pushed to every relevant user who makes use of a domain joined (Windows) device?

My second question is:

Is there a way, that enables automated configuration of Outlook, so that Outlook by default always digitally signs new and reply emails, and optionally allows for encryption to target recipients, using the installed/pushed S/MIME certificate?
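For the first question, the mechanics are a per-user logon script that imports the PFX belonging to the logged-on user into CurrentUser\My, non-exportable, and checks that what arrived is actually an email certificate for that user. The script below is an added example and not from the post; its assumptions are all placeholders: PFX files are staged as <upn>.pfx on a share where each file's ACL grants read to its owner only, the PFX password sits beside it as <upn>.pfx.pw under the same ACL, and the mail address equals the UPN. It does not configure Outlook; the default-signing and encryption behaviour asked about in the second question is set through Office's own policy templates and is out of scope here.

```powershell
# Added example (not from the post): per-user logon script that installs the
# user's purchased S/MIME PFX into CurrentUser\My and verifies it is usable.
# Assumptions (placeholders): <upn>.pfx and <upn>.pfx.pw on a share whose
# per-file ACLs grant read only to the owning user; mail address == UPN.
$share = '\\fileserver\smime$'

function Test-SmimeCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Mail)
    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    [bool]($Cert.HasPrivateKey -and
           $Cert.NotAfter -gt (Get-Date).AddDays(30) -and
           $eku -and ($eku.EnhancedKeyUsages | Where-Object Value -eq '1.3.6.1.5.5.7.3.4') -and   # id-kp-emailProtection
           $san -and ($san.Format($false) -match [regex]::Escape($Mail)))
}

$upn = (whoami /upn).Trim()
$existing = Get-ChildItem Cert:\CurrentUser\My | Where-Object { Test-SmimeCert -Cert $_ -Mail $upn }
if ($existing) { "S/MIME certificate already present: $(@($existing)[0].Thumbprint)"; return }

$pfxPath = Join-Path $share "$upn.pfx"
$pwPath  = Join-Path $share "$upn.pfx.pw"
if (-not (Test-Path $pfxPath) -or -not (Test-Path $pwPath)) { Write-Warning "no PFX staged for $upn"; return }

$password = (Get-Content $pwPath -Raw).Trim() | ConvertTo-SecureString -AsPlainText -Force
# No -Exportable: the key is bound to this profile and cannot be re-exported by the user.
$cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $password

if (-not (Test-SmimeCert -Cert $cert -Mail $upn)) {
    Write-Warning "imported $($cert.Thumbprint) but it lacks the email EKU or a SAN for $upn"
}
elseif (-not $cert.Verify()) {
    Write-Warning "imported $($cert.Thumbprint) but its chain does not validate on this machine"
}
else {
    "installed $($cert.Thumbprint) for $upn, valid until $($cert.NotAfter)"
}
```

The staged PFX plus its password is a complete copy of the user's private key, so the per-user ACL on the share is the whole security of this scheme: stage only what is needed, and remove each pair once the import has been confirmed rather than leaving 150 keys on a file server indefinitely.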

DCDIAG issue: Guid DNS name resolved to the wrong IP address


Hi there,

Strange issue for a few days now. Result of 'dcdiag /e /q':

Although the Guid DNS name (10f02f39-2583-8919-da86-2a28687f088a._msdcs.lab.de) resolved to the IP address
(10.10.1.8), which could not be pinged, the server name (LABSRV01.test.lab.de) resolved to the IP address
(10.10.2.9) and could be pinged. Check that the IP address is registered correctly with the DNS server.
Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
......................... LABSRV01 failed test Connectivity

When I nslookup the Guid DNS Name

nslookup 10f02f39-2583-8919-da86-2a28687f088a._msdcs.lab.de
Server: labdc01.lab.de
Address: 10.10.2.1

Name: LABSRV01.test.lab.de
Address: 10.10.2.9
Aliases: 10f02f39-2583-8919-da86-2a28687f088a._msdcs.lab.de

The DNS PTR record is fine and holds the right IP address. Why does DCDIAG ignore this PTR record and resolves/uses a wrong IP address?

Thanks and regards
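The message is about forward lookups, not the PTR: dcdiag follows the DSA GUID CNAME to the host's A records and pings the address it receives, then does a plain forward lookup of the host name and gets a different address. That can only happen when the host has more than one A record (a stale one from an old address, a second NIC, or a DHCP registration) and round-robin hands out a different one each time. The script below is an added example, not from the post; it shows the CNAME chain as the server sees it, lists every A record the zone holds for the host, and stages removal of any that no interface on the DC owns. Names are the post's; the DNS server and the zone that holds the host record are assumptions.

```powershell
# Added example (not from the post): the lookups behind dcdiag's "Guid DNS name
# resolved to X, could not be pinged" message. Names are the post's; the DNS
# server and the zone holding the host record are assumptions.
$dsaGuid   = '10f02f39-2583-8919-da86-2a28687f088a'
$forest    = 'lab.de'
$dcFqdn    = 'LABSRV01.test.lab.de'
$dnsServer = 'labdc01.lab.de'
$zone      = 'test.lab.de'                     # assumed: the zone that holds LABSRV01
$dcHost    = ($dcFqdn -split '\.')[0]

# 1. The CNAME chain as the server answers it (no local cache).
Resolve-DnsName -Name "$dsaGuid._msdcs.$forest" -Server $dnsServer -DnsOnly |
    Select-Object Name, Type, NameHost, IPAddress | Format-Table -AutoSize

# 2. Every A record the zone holds for the host; more than one explains the mismatch.
$a = @(Get-DnsServerResourceRecord -ComputerName $dnsServer -ZoneName $zone -Name $dcHost -RRType A)
$a | ForEach-Object { '{0,-12} {1,-15} timestamp={2}' -f $_.HostName, $_.RecordData.IPv4Address, $_.Timestamp }
if ($a.Count -gt 1) { Write-Warning "$dcFqdn has $($a.Count) A records in $zone" }

# 3. Compare with the addresses the DC actually has bound; those are the records to keep.
$bound = Invoke-Command -ComputerName $dcFqdn {
    (Get-NetIPAddress -AddressFamily IPv4 | Where-Object PrefixOrigin -ne 'WellKnown').IPAddress
}
$stale = $a | Where-Object { $_.RecordData.IPv4Address.IPAddressToString -notin $bound }
$stale | ForEach-Object { "stale: {0} -> {1}" -f $_.HostName, $_.RecordData.IPv4Address }

# 4. Remove the stale record(s) (-WhatIf first), then re-register from the DC:
#    ipconfig /registerdns ; nltest /dsregdns
$stale | Remove-DnsServerResourceRecord -ComputerName $dnsServer -ZoneName $zone -WhatIf
```

If step 2 shows a single A record but step 1 still returns the other address, check whether a second zone (a stale one on another server, or a GlobalNames or WINS lookup) is answering for the name before the intended zone does.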

Event Log for Trust Relationship break of a Workstation


Hi,

I wanted to know what is the name and ID of an event which is logged on a computer when its trust with the AD breaks.

I want to monitor this event in SCOM so that we can fix it ASAP and it doesn't impact the website which is hosted on this computer. 
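The events to watch come from Netlogon and land in the System log: 3210 on the member when it cannot authenticate to a DC (its computer-account password no longer matches, or another machine is using its name), 5719 when no DC could be reached at all, and 5722 on the DC side when the member's session setup fails. The script below is an added example, not from the post: it packages the live check a SCOM script monitor can run (Test-ComputerSecureChannel) with the most recent 3210/5719 evidence, and shows the repair that avoids a domain rejoin. Nothing about the poster's environment is assumed.

```powershell
# Added example (not from the post): what to alert on, and the check a monitor
# can run. The IDs are Netlogon's own: 3210 on the member when it cannot
# authenticate to a DC, 5719 when no DC could be reached at all, and 5722 on
# the DC side when the member's session setup fails.
function Test-SecureChannelHealth {
    # Live check: $true when the channel to a DC is usable right now.
    $ok = Test-ComputerSecureChannel -ErrorAction SilentlyContinue
    # Recent Netlogon evidence from this machine's System log.
    $ev = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 3210, 5719 } `
                       -MaxEvents 10 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        SecureChannel = [bool]$ok
        Last3210      = ($ev | Where-Object Id -eq 3210 | Select-Object -First 1).TimeCreated
        Last5719      = ($ev | Where-Object Id -eq 5719 | Select-Object -First 1).TimeCreated
    }
}

$state = Test-SecureChannelHealth
$state | Format-List

if (-not $state.SecureChannel) {
    # Re-establish without a domain rejoin: resets the computer account password
    # on the DC and locally. The credential must be allowed to reset the computer object;
    # it is prompted for, never stored in the script.
    Test-ComputerSecureChannel -Repair -Credential (Get-Credential -Message 'Account permitted to reset this computer account')
}
# Command-line equivalents: nltest /sc_verify:<domain> and nltest /sc_reset:<domain>
```

For a monitor, alert on SecureChannel being false rather than on the event alone: a single 5719 at boot is normal noise, while a failed live check means logons on the web host are about to be denied.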
