Channel: Directory Services forum

How do I set the keyUsage field in my offline, stand-alone root CA certificate to Critical=Yes?


Hello All,

I've installed Active Directory Certificate Services on Windows Server 2008 R2 Standard Edition several times.  Everything seems to work fine, except that the keyUsage field in the root certificate is set to Critical = No.

Current standard best practice is that the keyUsage field be set to Critical (see RFC 5280, where it clearly states: "When present, conforming CAs SHOULD mark this extension as critical").

I am at a loss as to how to do this.  I can't find any documentation in the forums, TechNet, MSDN or Google.  I've tried putting the following section in CAPolicy.inf, but it didn't work:

[keyUsage]

Critical=Yes

I tried [keyUsageExtension], but still no luck.

I can't find the registry setting or policy setting.

Can someone help?

Remember, this is an offline, stand-alone root CA, so there is no ADSI or other Active Directory or Cert templates available to me.
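
A way to verify the result on the root certificate itself, as an added example (my code, not from the post): it lists every extension of the CA certificate with its Critical flag and then checks the Key Usage extension specifically. The file path is a hypothetical placeholder; the certificate can be DER or Base64.

```powershell
# Added example, not code from the original post: list every extension of a CA certificate
# with its Critical flag, so the keyUsage criticality can be checked after the CA is
# installed or its certificate is renewed. Assumption (hypothetical): the root CA
# certificate was exported to C:\Temp\RootCA.crt (DER or Base64 both work).
param([string]$Path = 'C:\Temp\RootCA.crt')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path

foreach ($ext in $cert.Extensions) {
    $detail = ''
    if ($ext -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]) {
        $detail = $ext.KeyUsages.ToString()       # e.g. DigitalSignature, KeyCertSign, CrlSign
    }
    elseif ($ext -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]) {
        $detail = "CA=$($ext.CertificateAuthority) HasPathLen=$($ext.HasPathLengthConstraint)"
    }
    [pscustomobject]@{
        Oid      = $ext.Oid.Value
        Name     = $ext.Oid.FriendlyName
        Critical = $ext.Critical
        Detail   = $detail
    }
}

# Key Usage is OID 2.5.29.15; this is the extension RFC 5280 says a CA SHOULD mark critical.
$ku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
if (-not $ku) {
    Write-Warning "No Key Usage extension in $($cert.Subject)"
}
elseif (-not $ku.Critical) {
    Write-Warning "Key Usage ($($ku.KeyUsages)) is present but NOT marked critical"
}
else {
    "Key Usage ($($ku.KeyUsages)) is marked critical"
}
```

`certutil -dump RootCA.crt` shows the same information; a critical extension is printed with `Flags = 1(Critical)` next to its OID.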

Repadmin /replsummary Error (8606)


Hi,

I have 5 DCs in 3 different networks (DEV, TST, PRD); all DCs are 2012 R2 except PRD-ADV3, which is 2008 R2.

If I run the command Repadmin /replsummary on any DC, I receive the error below:

C:\Users\admin>Repadmin /replsummary

Replication Summary Start Time: 2020-04-02 10:24:14

Beginning data collection for replication summary, this may take awhile:
  .........
Source DSA          largest delta    fails/total %%   error
 DEV-ADV1              12m:34s    0 /  15    0
 PRD-ADV1              32m:30s    0 /  20    0
 PRD-ADV2     >60 days            2 /  10   20  (8606) Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.
 PRD-ADV3              33m:17s    0 /  10    0
 TST-ADV1              32m:31s    0 /  10    0
 TST-ADV2              39m:13s    0 /  10    0


This is the result from PRD-DC2

C:\Users\admin>repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost
Production\PRD-ADV2
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: fd0814d7-df3d-4547-b29d-xxxxxxxxxxxx
DSA invocationID: 3090f21b-4ffc-4c65-8b0b-xxxxxxxxxxxx

==== INBOUND NEIGHBORS ======================================

DC=mydomain,DC=local
    Development\DEV-ADV1 via RPC
        DSA object GUID: 07030400-79c8-4f2d-b48a-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 10:11:40 was successful.
    Production\PRD-ADV3 via RPC
        DSA object GUID: 9a69e59f-8385-4634-95a7-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 12:04:24 was successful.
    Production\PRD-ADV1 via RPC
        DSA object GUID: 061a84d5-db2d-4da0-a2b9-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 12:06:01 was successful.

CN=Configuration,DC=mydomain,DC=local
    Development\DEV-ADV1 via RPC
        DSA object GUID: 07030400-79c8-4f2d-b48a-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 10:11:40 was successful.
    Production\PRD-ADV1 via RPC
        DSA object GUID: 061a84d5-db2d-4da0-a2b9-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 11:58:39 was successful.
    Production\PRD-ADV3 via RPC
        DSA object GUID: 9a69e59f-8385-4634-95a7-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 11:58:45 was successful.

CN=Schema,CN=Configuration,DC=mydomain,DC=local
    Development\DEV-ADV1 via RPC
        DSA object GUID: 07030400-79c8-4f2d-b48a-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 10:11:40 was successful.
    Production\PRD-ADV1 via RPC
        DSA object GUID: 061a84d5-db2d-4da0-a2b9-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 11:58:39 was successful.
    Production\PRD-ADV3 via RPC
        DSA object GUID: 9a69e59f-8385-4634-95a7-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 11:58:39 was successful.

DC=DomainDnsZones,DC=mydomain,DC=local
    Development\DEV-ADV1 via RPC
        DSA object GUID: 07030400-79c8-4f2d-b48a-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 10:11:40 was successful.
    Production\PRD-ADV3 via RPC
        DSA object GUID: 9a69e59f-8385-4634-95a7-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 11:58:39 was successful.
    Production\PRD-ADV1 via RPC
        DSA object GUID: 061a84d5-db2d-4da0-a2b9-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 11:58:39 was successful.

DC=ForestDnsZones,DC=mydomain,DC=local
    Development\DEV-ADV1 via RPC
        DSA object GUID: 07030400-79c8-4f2d-b48a-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 10:11:40 was successful.
    Production\PRD-ADV1 via RPC
        DSA object GUID: 061a84d5-db2d-4da0-a2b9-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 11:58:39 was successful.
    Production\PRD-ADV3 via RPC
        DSA object GUID: 9a69e59f-8385-4634-95a7-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 11:58:39 was successful.


This is from other server (PRD-DC1):

C:\Users\Admin>repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost
Production\PRD-ADV1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 061a84d5-db2d-4da0-a2b9-xxxxxxxxxxxx
DSA invocationID: 0cd47770-7f80-4672-bd71-7a7743e34c38

==== INBOUND NEIGHBORS ======================================

DC=mydomain,DC=local
    Production\PRD-ADV2 via RPC
        DSA object GUID: fd0814d7-df3d-4547-b29d-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 11:51:33 was successful.
    Development\DEV-ADV1 via RPC
        DSA object GUID: 07030400-79c8-4f2d-b48a-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 12:05:57 was successful.
    Test\TST-ADV1 via RPC
        DSA object GUID: 8951dd52-2a9d-4d79-a2b4-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 12:05:57 was successful.
    Production\PRD-ADV3 via RPC
        DSA object GUID: 9a69e59f-8385-4634-95a7-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 12:09:15 was successful.

CN=Configuration,DC=mydomain,DC=local
    Production\PRD-ADV2 via RPC
        DSA object GUID: fd0814d7-df3d-4547-b29d-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 11:50:57 failed, result 8606 (0x219e):
            Insufficient attributes were given to create an object. This object
may not exist because it may have been deleted and already garbage collected.
        13955 consecutive failure(s).
        Last success @ 2019-12-06 16:19:54.
    Production\PRD-ADV3 via RPC
        DSA object GUID: 9a69e59f-8385-4634-95a7-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 11:58:42 was successful.
    Development\DEV-ADV1 via RPC
        DSA object GUID: 07030400-79c8-4f2d-b48a-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 12:05:57 was successful.
    Test\TST-ADV1 via RPC
        DSA object GUID: 8951dd52-2a9d-4d79-a2b4-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 12:05:57 was successful.

CN=Schema,CN=Configuration,DC=mydomain,DC=local
    Production\PRD-ADV2 via RPC
        DSA object GUID: fd0814d7-df3d-4547-b29d-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 11:50:57 was successful.
    Production\PRD-ADV3 via RPC
        DSA object GUID: 9a69e59f-8385-4634-95a7-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 11:50:57 was successful.
    Development\DEV-ADV1 via RPC
        DSA object GUID: 07030400-79c8-4f2d-b48a-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 12:05:57 was successful.
    Test\TST-ADV1 via RPC
        DSA object GUID: 8951dd52-2a9d-4d79-a2b4-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 12:05:57 was successful.

DC=DomainDnsZones,DC=mydomain,DC=local
    Production\PRD-ADV2 via RPC
        DSA object GUID: fd0814d7-df3d-4547-b29d-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 11:50:57 was successful.
    Production\PRD-ADV3 via RPC
        DSA object GUID: 9a69e59f-8385-4634-95a7-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 11:50:57 was successful.
    Development\DEV-ADV1 via RPC
        DSA object GUID: 07030400-79c8-4f2d-b48a-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 12:05:57 was successful.
    Test\TST-ADV1 via RPC
        DSA object GUID: 8951dd52-2a9d-4d79-a2b4-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 12:05:57 was successful.

DC=ForestDnsZones,DC=mydomain,DC=local
    Production\PRD-ADV2 via RPC
        DSA object GUID: fd0814d7-df3d-4547-b29d-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 11:50:57 was successful.
    Production\PRD-ADV3 via RPC
        DSA object GUID: 9a69e59f-8385-4634-95a7-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 11:50:57 was successful.
    Development\DEV-ADV1 via RPC
        DSA object GUID: 07030400-79c8-4f2d-b48a-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 12:05:57 was successful.
    Test\TST-ADV1 via RPC
        DSA object GUID: 8951dd52-2a9d-4d79-a2b4-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 12:05:57 was successful.

Source: Production\PRD-ADV2
******* 13955 CONSECUTIVE FAILURES since 2019-12-06 16:19:54
Last error: 8606 (0x219e):
            Insufficient attributes were given to create an object. This object
may not exist because it may have been deleted and already garbage collected.

I tried to run these commands on PRD-DC2, but they didn't solve my problem:

repadmin /removelingeringobjects ACC-PRD-ADV2 fd0814d7-df3d-4547-b29d-xxxxxxxxxxxx CN=Configuration,DC=mydomain,DC=local /advisory_mode

repadmin /removelingeringobjects ACC-PRD-ADV2 fd0814d7-df3d-4547-b29d-xxxxxxxxxxxx CN=Configuration,DC=mydomain,DC=local 
repadmin /removelingeringobjects ACC-PRD-ADV2 fd0814d7-df3d-4547-b29d-xxxxxxxxxxxx CN=Schema,CN=Configuration,DC=mydomain,DC=local
repadmin /removelingeringobjects ACC-PRD-ADV2 fd0814d7-df3d-4547-b29d-xxxxxxxxxxxx DC=DomainDnsZones,DC=mydomain,DC=local 
repadmin /removelingeringobjects ACC-PRD-ADV2 fd0814d7-df3d-4547-b29d-xxxxxxxxxxxx DC=mydomain,DC=local 
repadmin /removelingeringobjects ACC-PRD-ADV2 fd0814d7-df3d-4547-b29d-xxxxxxxxxxxx DC=ForestDnsZones,DC=mydomain,DC=local 
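
An added example (my code, not from the post) that goes with the output above. Two points a practitioner wants before running `/removelingeringobjects`: error 8606 on a destination means the *source* DC of that link (PRD-ADV2 in the output above) is the one sending objects the destination has already garbage-collected, so the source is the DC to check; and the GUID argument is the DSA object GUID of a *different*, known-clean DC used as the reference, because comparing a DC against its own GUID has nothing to compare. The host names below are taken from the post and treated as placeholders.

```powershell
# Added example, not code from the original post: list failing replication links from
# repadmin /showrepl * /csv and print the lingering-object removal commands in advisory
# mode. Assumptions (hypothetical, adjust to the environment): PRD-ADV2 is the source DC
# reported in the 8606 error and is therefore the DC to check; PRD-ADV1 is a DC believed
# to be clean and serves as the reference.
$DsaToCheck   = 'PRD-ADV2'
$ReferenceDsa = 'PRD-ADV1'

# 1. Which inbound links fail, on which naming context, and since when.
$links  = repadmin /showrepl * /csv | ConvertFrom-Csv
$failed = $links | Where-Object { [int]$_.'Number of Failures' -gt 0 }
$failed |
    Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                  'Number of Failures', 'Last Success Time', 'Last Failure Status' |
    Format-Table -AutoSize

# 2. The "DSA object GUID" repadmin prints is the objectGUID of the NTDS Settings object.
$refDc   = Get-ADDomainController -Identity $ReferenceDsa
$refGuid = (Get-ADObject -Identity $refDc.NTDSSettingsObjectDN).ObjectGUID.Guid

# 3. Every partition the checked DC holds (domain, Configuration, Schema, DNS app partitions).
$dsa = Get-ADDomainController -Identity $DsaToCheck

# 4. Advisory mode only reports: it writes event 1946 per lingering object and a 1942
#    summary to the Directory Service log on $DsaToCheck. Drop /advisory_mode afterwards.
foreach ($nc in $dsa.Partitions) {
    "repadmin /removelingeringobjects $DsaToCheck $refGuid `"$nc`" /advisory_mode"
}
```

Run the printed commands, read the 1946 events on the checked DC to see which objects would be removed, and only then rerun them without `/advisory_mode`.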







How to link my active directory forest root domain to my purchased domain ?

Suppose I have a domain named mycompany.com, and I deployed Active Directory on Windows Server 2012 R2 whose forest root domain is AD.mycompany.com. How can I link it to my domain? I have searched a lot on the web but have not been able to find much. Can anyone please help me with this?

Question about 'account options' on the AD user need to include 'this account supports AES 256 bit encryption'

I read the following blog post,


https://social.technet.microsoft.com/wiki/contents/articles/36470.active-directory-using-kerberos-keytabs-to-integrate-non-windows-systems.aspx

The post says 'account options' on the AD user need to include 'this account supports AES 256 bit encryption'

I built a new Windows 2019 DC (all default settings).

I added a new AD user, entered the password and left everything else at defaults

I created a KeyTab using AES-256 only

I take the KeyTab file to a standalone Ubuntu client with Kerberos installed

From the Ubuntu server I execute kinit -k -t <keytabfile> <principal>

I get a TGT encrypted with AES-256 (e.g. klist -e)

The thing is, the principal (let's call him Fred) does not have the check mark against his account 'This account supports AES 256 bit encryption', but I still get back an AES TGT.

Can someone kindly explain this to me?

In other words, if 'This account supports AES 256 bit encryption' is not selected in the AD user's account options, why do I still get a TGT encrypted with AES?


Or does this setting only apply to service tickets I would receive back from the KDC (DC)? For example a service ticket to a Linux/web server (whose SPN is listed against Fred and is the one in the keytab file).

I do not have a web server installed on Linux so I cannot test this part.

If someone could explain this to me I would be most grateful
Thanks
CXMelga

Decommissioning a Domain Controller with Certificate Authority Installed


Hi All,

I currently have a 2012 R2 domain controller with Active Directory Certificate Services installed. I will need to migrate the certification authority to a new server with the same name. I would like to understand the process more than the actual steps required, as I want to demote the DC's roles and move the certificate services to a new server.

Any help would be greatly appreciated


CA Server is not available


Hello Everyone

We had three domain controller servers in our environment. Out of the 3 domain controller servers, we had set up a Certificate Authority (CA) on one of the domain controllers, which is now decommissioned. The certificate is valid till 2032 though.

During a regular health check, I identified that the personal certificate of one of our remaining domain controllers will expire by the end of this month. The certificate was issued by our previous domain controller (CA), which is now unavailable. As I understand it, if I right-click and renew the certificate, the enrollment will fail as it will not be able to contact the CA server which issued the certificate.

So I need your expert opinion on how I can proceed with renewing the certificate of the domain controller.

Also, if the personal certificate of the domain controller expires, what will be the impact on end users?

Thank you

Unable to install Managed Service Account (MSA)


I created an MSA using the commands:

$Parameters = @{
'Name' = 'test';
'SamAccountName' = 'test';
'Enabled' = $true;
'RestrictToSingleComputer' = $true
}

New-ADServiceAccount @Parameters

Then, I used Get-ADServiceAccount to verify the account was created as expected.  Next, I used "Install-ADServiceAccount -Identity test" to install the MSA on a server, which returns the error:

install-ADServiceAccount : Cannot install service account. Error Message: '{Not Enough Quota}
Not enough virtual memory or paging file quota is available to complete the specified operation.'.
At line:1 char:1
+ install-ADServiceAccount "CN=test,CN=Managed Service Accounts,DC=glyt ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : WriteError: (test:String) [Install-ADServiceAccount], ADException
    + FullyQualifiedErrorId : InstallADServiceAccount:PerformOperation:InstallServiceAcccountFailure,Microsoft.ActiveD
   irectory.Management.Commands.InstallADServiceAccount

When I use Get-ADServiceAccount after this error, I find Enabled is set to false.  If I use Set-ADServiceAccount to set this property to true and try to install the MSA, the same error is returned and the Enabled property is set back to false.

How can I resolve this error?
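
For comparison, the complete standalone-MSA sequence as an added example (my code, not from the post). A single-computer MSA has to be bound to the one computer allowed to use it with Add-ADComputerServiceAccount before that computer can run Install-ADServiceAccount; Test-ADServiceAccount is the check that the host can actually retrieve the password. The account and host names are hypothetical placeholders.

```powershell
# Added example, not code from the original post: end-to-end standalone MSA setup with
# the binding step and a verification on both sides. Names are hypothetical placeholders.
$MsaName  = 'test'
$HostName = 'APP01'          # the one server that will install and run the service

# --- on a management host with the ActiveDirectory module ---
# Standalone (single-computer) MSA; a gMSA would instead use -DNSHostName and
# -PrincipalsAllowedToRetrieveManagedPassword and can be installed on several hosts.
New-ADServiceAccount -Name $MsaName -SamAccountName $MsaName -RestrictToSingleComputer -Enabled $true

# Bind the sMSA to its computer. Without this link the host cannot retrieve the password.
Add-ADComputerServiceAccount -Identity $HostName -ServiceAccount $MsaName

# Verify the link from both sides: the computer's forward link and the MSA's back link.
Get-ADComputer -Identity $HostName -Properties msDS-HostServiceAccount |
    Select-Object Name, msDS-HostServiceAccount
Get-ADServiceAccount -Identity $MsaName -Properties msDS-HostServiceAccountBL, Enabled |
    Select-Object Name, Enabled, msDS-HostServiceAccountBL

# --- on $HostName itself (RSAT AD module present; wait for AD replication first) ---
Install-ADServiceAccount -Identity $MsaName
Test-ADServiceAccount -Identity $MsaName     # $true when the host can retrieve the password
```

If Test-ADServiceAccount returns $false, check that the computer object listed in msDS-HostServiceAccountBL is the host you are running on and that the host reached a DC that already has the new account.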

switch users & computers to older secondary AD server


Now we have an on-premise primary and a secondary Domain Controller. We will clone the secondary DC server to the cloud; this clone will not be connected with the original primary DC and secondary DC for, for example, 30 days, and the clone DC will have a new IP from a different range. During these 30 days users will use the original DCs.

Is it possible to shut down the original DCs after 30 days? Will the cloned DC2 work for users when we change the users' DNS server to the new IP of the cloned server?

Yes, I know this is a bad solution, but we don't have another option.

thanks.


Changing a DC in Domain, with Same name and IP


Hey, we have a domain with 3 DCs (srv1: DC, Operations Master and GC; srv2: DC and GC; srv3: DC only).

srv3 is a file server with many shares like //srv3/folder/myfiles,
so I really want to keep the name and IP!!

My plan is to demote srv3 to a normal server and add it to a workgroup,
then delete it from AD under Domain Controllers, so my domain only works with my two domain controllers.

Wait 1 or 2 days, perhaps do a manual replication... to be sure that srv3 is really removed from the domain.
And after all that I would take my brand new server, give it the same name and IP, add it to the domain, promote it to a DC, and I hope all would be fine :)

New field in Active Directory


Hi All,

I want to add a new field in the user's properties under the

Organization tab.

Attribute name: division

This division attribute is already available in the Attribute Editor, but

I want to add it as a Division field under the Organization tab.

Please help.

AD DS unable to establish connection with a Domain Controller


Hello all!

We are having trouble bringing up a second domain controller in an AWS VPC.  The first DC went up fine.  It promoted, installed DNS etc.  We were able to join three servers to the domain it now hosts.

When we try to bring up a second DC, it hangs at "Configuring the local computer to host Active Directory Domain Services."

The last entry on the Active Directory Domain Services Configuration Wizard reads: "A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server."

The last entry in the Event Log is Event ID 1962, "Internal Event: The local directory service received an exception from a remote procedure call (RPC)."  Error value is 2148074306.

Another entry in the Event Log is Event ID 1125, "The Active Directory Domain Services Installation Wizard (Dcpromo) was unable to establish connection with the following domain controller."  Error value 2148074306.  The encryption type is not supported by the KDC.

I checked the encryption levels in the Local Security Policies, ADUC object attributes and GPOs.  They are all identical.

I also tried restarting the KDC service on the DC.  That didn't work either.

Any help would be appreciated.
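
One check serves both Kerberos questions above (the AES keytab post and this 2148074306 post; 2148074306 is 0x80090342, SEC_E_KDC_UNKNOWN_ETYPE): decode msDS-SupportedEncryptionTypes on the accounts involved and the local Kerberos encryption-type policy, as an added example (my code, not from either post). Two facts the decoding rests on: the TGT shown by `klist -e` is encrypted under the krbtgt account's key, so its etype reflects krbtgt and the negotiated session key, not the requesting user's flag; the flag on a user account governs service tickets for SPNs registered on that account, and when the attribute is absent the KDC assumed RC4 for those tickets (a default that later Windows updates changed). The account name 'Fred' is the post's placeholder; the rest is read from the domain.

```powershell
# Added example, not code from either post: decode msDS-SupportedEncryptionTypes for the
# keytab principal, krbtgt and every DC, plus the local policy value set by
# "Network security: Configure encryption types allowed for Kerberos".
# Assumption: 'Fred' is a placeholder for the keytab principal's sAMAccountName.
$EtypeBits = [ordered]@{
    'DES-CBC-CRC' = 0x01
    'DES-CBC-MD5' = 0x02
    'RC4-HMAC'    = 0x04
    'AES128-SHA1' = 0x08
    'AES256-SHA1' = 0x10
}

function ConvertTo-EtypeList {
    param($Value)
    if (-not $Value) { return '(not set: KDC default applies, historically RC4 for this account as a service)' }
    ($EtypeBits.GetEnumerator() | Where-Object { $Value -band $_.Value } | ForEach-Object { $_.Key }) -join ', '
}

# Accounts of interest: the keytab principal, krbtgt (its key encrypts every TGT), and each DC.
$accounts  = @(Get-ADUser -Identity 'Fred'   -Properties msDS-SupportedEncryptionTypes)
$accounts += Get-ADUser -Identity 'krbtgt' -Properties msDS-SupportedEncryptionTypes
$accounts += Get-ADDomainController -Filter * | ForEach-Object {
    Get-ADComputer -Identity $_.ComputerObjectDN -Properties msDS-SupportedEncryptionTypes
}

$accounts | ForEach-Object {
    [pscustomobject]@{
        Account = $_.SamAccountName
        Raw     = $_.'msDS-SupportedEncryptionTypes'
        Etypes  = ConvertTo-EtypeList $_.'msDS-SupportedEncryptionTypes'
    }
} | Format-Table -AutoSize

# Local policy on this machine (GPO-managed); absent means the OS default applies.
$key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$local = (Get-ItemProperty -Path $key -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
"Local Kerberos policy: $(ConvertTo-EtypeList $local)"
```

For the promotion failure, run it on the new server and on the existing DC and compare the two policy lines against the krbtgt and DC account rows: the KDC rejects the request when the types the client offers and the types the target account's key exists for have no overlap.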

PKI-related issue with Domain Controller and "custom" certificate


I'm honestly not sure if this is a PKI-related issue involving AD, or an AD-related issue involving PKI...  But there is no PKI-specific option under "Windows Server" for this forum site.

What I'm trying to do: Use a special Domain Controller certificate template to make a certificate request on a DC which includes a list of SANs (Subject Alternative Names). (Yes, I know auto-enroll will not work!!) With a SAN, you can use a load-balancer with Secure LDAP (port 636/tcp) and a common name.

I've done this before and it worked great. Downside is you have to manually renew certs. Not a problem here. I am NOT trying to publish the certificate into AD: that option is UNchecked in the certificate template.

The issue is that I am getting this error on the step where I run the command

    certreq -f -submit -config "ca.corp.nydomain.com\My PKI Name" $csrFile $certFile

Where I get an error:

Certificate retrieved(Issued) Issued  Could not publish Certificate.  Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)

In the CAPI2 event log, the only message helpful is:

The certificate is not valid for the requested usage.
[ value] 800B0110

I actually cloned the new template from the default/built-in "Domain Controllers" template; it's just been updated to 2012 R2 with some other parameters for the usage I am trying to implement.

I've gone through all the things that come to mind, like special rights for "cert publishers" on the template, making sure the "Domain Admins" and "Domain Controllers" groups have rights... I'm not sure if I've MISSED something simple!!!

I'm probably going to have to open a Premier ticket, but I was hoping that someone might point out something obvious I've missed.

The domain structure is a root domain, and I am working in a sub-domain, and the AD-integrated PKI servers are domain members of a different sub-domain. (So "A" is the root domain, "B" is the corp sub-domain, and "C" is the sub-domain under "A" in which I am working on with the DC's.)

The DC is Windows Server 2012 R2 and the CA server is Windows Server 2012 R2.

Any thoughts would be greatly appreciated!!


-- Rob "I" --
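
Two things are worth reading from the directory before opening a ticket, as an added example (my code, not from the post): the template's msPKI-Enrollment-Flag, which is where the "Publish certificate in Active Directory" checkbox is stored (bit 0x8, CT_FLAG_PUBLISH_TO_DS), and the Cert Publishers group of the DC's domain, since publishing writes userCertificate on the DC's computer object in domain C and a CA whose computer account lives in domain B can only do that if that account is in domain C's Cert Publishers. Template name and domain names are hypothetical placeholders; the CA host and its domain are taken from the certreq config string above.

```powershell
# Added example, not code from the original post: decode the template's enrollment flags and
# check Cert Publishers membership across domains. Names are hypothetical placeholders.
$TemplateName = 'DomainControllerSAN'     # the template's 'name' attribute (not display name)
$ForestRoot   = 'nydomain.com'            # domain "A", where the Configuration partition lives
$DcDomain     = 'c.nydomain.com'          # domain "C", where the DC being enrolled lives
$CaDomain     = 'corp.nydomain.com'       # domain "B", where the CA is a member
$CaHostName   = 'ca'                      # CA computer account name in domain "B"

$EnrollmentFlags = [ordered]@{
    0x0001 = 'INCLUDE_SYMMETRIC_ALGORITHMS'
    0x0002 = 'PEND_ALL_REQUESTS'
    0x0004 = 'PUBLISH_TO_KRA_CONTAINER'
    0x0008 = 'PUBLISH_TO_DS'                              # "Publish certificate in Active Directory"
    0x0010 = 'AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE'
    0x0020 = 'AUTO_ENROLLMENT'
    0x0040 = 'PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT'
    0x0100 = 'USER_INTERACTION_REQUIRED'
    0x0400 = 'REMOVE_INVALID_CERTIFICATE_FROM_PERSONAL_STORE'
    0x0800 = 'ALLOW_ENROLL_ON_BEHALF_OF'
    0x1000 = 'ADD_OCSP_NOCHECK'
}

$configNc = (Get-ADRootDSE -Server $ForestRoot).configurationNamingContext
$tmpl = Get-ADObject -Server $ForestRoot `
    -Identity "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc" `
    -Properties msPKI-Enrollment-Flag, msPKI-Template-Schema-Version, pKIExtendedKeyUsage

$flags = [int]$tmpl.'msPKI-Enrollment-Flag'
$set   = $EnrollmentFlags.GetEnumerator() | Where-Object { $flags -band $_.Key } | ForEach-Object { $_.Value }
"{0}: msPKI-Enrollment-Flag=0x{1:X} -> {2}" -f $tmpl.Name, $flags, ($set -join ', ')
"Schema version {0}; EKUs: {1}" -f $tmpl.'msPKI-Template-Schema-Version', ($tmpl.pKIExtendedKeyUsage -join ', ')

# Cert Publishers in the DC's domain. Cross-domain members appear as foreign security
# principals, so compare SIDs rather than names.
$caSid   = (Get-ADComputer -Identity $CaHostName -Server $CaDomain).SID.Value
$members = (Get-ADGroup -Identity 'Cert Publishers' -Server $DcDomain -Properties member).member
$memberSids = foreach ($dn in $members) {
    (Get-ADObject -Identity $dn -Server $DcDomain -Properties objectSid).objectSid.Value
}
if ($memberSids -contains $caSid) {
    "$CaHostName`$ ($caSid) is a member of Cert Publishers in $DcDomain"
} else {
    Write-Warning "$CaHostName`$ ($caSid) is NOT a member of Cert Publishers in $DcDomain"
}
```

If PUBLISH_TO_DS is not in the decoded list, the CA is not publishing because of the template, and the error comes from somewhere else (the CA's own configuration or the request); if it is set, the membership check tells you whether domain C will let the CA write the certificate.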

Active Directory Certificate Services Trigger Publishing of crt file (click steps/powershell)


I configured an enterprise root CA which should publish the CRL and CRT to a share.

I configured the CDP and AIA extensions as follows:

CDP:
C:\Windows\system32\CertSrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>
http://pki.domain.local/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
\\FILESHARE.domain.local\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

AIA:
C:\Windows\system32\CertSrv\CertEnroll\<ServerDNSName>_<CaName><CertificateName>.crt
ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key Services,CN=Services,<ConfigurationContainer><CAObjectClass>
http://pki.domain.local/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt
\\FILESHARE.domain.local\CertEnroll\<ServerDNSName>_<CaName><CertificateName>.crt

If I click in the Certification Authority MMC --> Revoked Certificates --> All Tasks --> Publish, the CRL gets published, but not the CRT file.

How can I trigger the publishing of the CRT file?
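
The "Publish" action only republishes CRLs. The CA certificate is written to the AIA locations that carry the publish flag (CSURL_SERVERPUBLISH, value 1) when the CA service starts and when the CA certificate is renewed; the MMC shows the flag as the "Publish certificates to this location" checkbox, the registry stores it as a numeric prefix on each URL. The following added example (my code, not from the post) decodes those prefixes on the CA so an entry without the publish bit is easy to spot. Run it on the CA itself; it reads the CA's registry through certutil and assumes nothing beyond that.

```powershell
# Added example, not code from the original post: decode the flag prefix on every AIA and
# CDP entry of this CA. Run on the CA server. The registry keeps %1/%3 style tokens where
# the MMC shows <ServerDNSName>/<CaName>.
$UrlFlags = [ordered]@{
    1   = 'publish to this location'             # CSURL_SERVERPUBLISH
    2   = 'include in issued certificates'       # CSURL_ADDTOCERTCDP (AIA or CDP extension)
    4   = 'include in CRLs (freshest CRL)'       # CSURL_ADDTOFRESHESTCRL
    8   = 'include in CRLs (CDP)'                # CSURL_ADDTOCRLCDP
    32  = 'include in the OCSP extension'        # CSURL_ADDTOCERTOCSP
    64  = 'publish delta CRLs here'              # CSURL_SERVERPUBLISHDELTA
    128 = 'include in the IDP extension'         # CSURL_ADDTOIDP
}

function Show-PublicationUrls {
    param([string]$RegValue)      # CACertPublicationURLs (AIA) or CRLPublicationURLs (CDP)
    foreach ($line in (certutil -getreg "CA\$RegValue")) {
        # certutil prints each entry as "<index>: <flags>:<url>"; other lines are ignored.
        if ($line -match '^\s*\d+:\s*(\d+):(.+)$') {
            $flags = [int]$Matches[1]
            $names = $UrlFlags.GetEnumerator() | Where-Object { $flags -band $_.Key } | ForEach-Object { $_.Value }
            [pscustomobject]@{
                Setting = $RegValue
                Flags   = $flags
                Meaning = ($names -join '; ')
                Url     = $Matches[2].Trim()
            }
        }
    }
}

Show-PublicationUrls -RegValue CACertPublicationURLs | Format-Table -AutoSize
Show-PublicationUrls -RegValue CRLPublicationURLs    | Format-Table -AutoSize
```

For the UNC entry the AIA row must show flag 1; then `Restart-Service certsvc` makes the CA copy its certificate there (the CA's computer account needs write access on the share), and `certutil -crl` republishes the CRLs. Publishing the CA certificate into AD by hand is `certutil -dspublish -f <cacert.crt> RootCA`.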

AD Can not Replicate Error : 2148074274 and Event ID : 1925 and Target Principal Name is Incorrect


Hello ,

We have a Domain Controller which was off for a long time, but after we started it, replication is not working for this Domain Controller.

The description for Event ID 1925 from source Microsoft-Windows-ActiveDirectory_DomainService cannot be found.

2148074274 The handle is invalid

Also other events like: Target Principal Name is Incorrect, and Access Denied on a manual sync using repadmin /syncall.

Google suggests resetting the password using the netdom command, but I have the following confusion:

1. From which Domain Controller should I run the command: the problematic Domain Controller which we turned on after a few days, or the good Domain Controller which holds all our FSMO roles?

2. Also, on which Domain Controller should the KDC service be stopped, the problematic or the good one?

Ref: https://support.microsoft.com/en-in/help/3073945/how-to-troubleshoot-active-directory-replication-error-5-access-is-den

I appreciate your help.

Thanks


Thanks, Prakash. Please Note: My Posts are provided "AS IS" without warranty of any kind, either expressed or implied.
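
Error 2148074274 is 0x80090322 (SEC_E_WRONG_PRINCIPAL), the same condition as the "target principal name is incorrect" message: the restarted DC's machine-account secret no longer matches what its replication partners hold. The documented reset runs on the DC whose secret is stale, with the KDC stopped on that same DC and a healthy DC as the target, as in this added example (my code, not from the post; the host and account names are hypothetical placeholders). One caveat before any of it: if the DC was powered off for longer than the forest's tombstone lifetime, reconnecting it risks reintroducing lingering objects; the supported path then is a forced demotion and metadata cleanup, not a password reset.

```powershell
# Added example, not code from the original post. Run ON THE PROBLEMATIC DC (the one that
# was off), elevated. Names are hypothetical placeholders.
$GoodDc    = 'GOODDC01.mydomain.com'      # a healthy DC, e.g. the one holding the FSMO roles
$AdminUser = 'MYDOMAIN\Administrator'     # an account with rights to reset the machine password

# 1. Stop the local KDC so this DC stops issuing tickets under its stale secret.
Stop-Service -Name Kdc -Force

# 2. Reset this DC's machine-account password against the healthy DC.
#    /passwordd:* prompts for the password instead of placing it on the command line.
netdom resetpwd /server:$GoodDc /userd:$AdminUser /passwordd:*

# 3. Purge tickets cached under the old secret for the current user and for the
#    machine (SYSTEM) logon session, then bring the KDC back.
klist purge
klist -li 0x3e7 purge
Start-Service -Name Kdc

# 4. Force replication on all partitions and check the inbound links.
repadmin /syncall /AdeP
repadmin /showrepl $env:COMPUTERNAME
```

The /showrepl output should no longer show 0x80090322 or "access is denied" on the inbound neighbours; if it still does after a few minutes, compare the system time of both DCs, since a clock skew beyond the Kerberos tolerance produces the same family of errors.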

Multiple Failed Logon Attempts


Hi,

I am finding multiple failed logon attempts on our domain.  These are occurring on servers and desktops.  We have a policy to lock an account after 3 failed logon attempts.  Why would I see numbers in the 30s and 40s of failed attempts?  It doesn't make sense.

Also, I have different types of users making these attempts also.  I have GUEST and ADMINISTRATOR (Which I know are disabled on the domain).
I also have users attempting to login with their full domain name (for example user_name@xxxdomain.com).
Lastly, I have users who do not even exist with a user account on the domain.

How is all of this happening?
Does anyone have any suggestions?
Any ideas would be greatly appreciated.
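
Before reasoning about the lockout threshold, the failures need attributing to a source host, a process and a failure reason, which the Security log already carries. Two facts explain part of what is described above: names that do not exist in the domain (and attempts at `user@domain` names that resolve to no account) have no badPwdCount to increment, so they never lock anything; and a DC does not increment badPwdCount when the wrong password equals one of the account's two most recent previous passwords, which is how a stale cached credential can fail dozens of times without a lockout. The following added example (my code, not from the post) summarises 4625 (local logon failures), 4771 (Kerberos pre-authentication failures, on DCs) and 4776 (NTLM validation failures, on DCs) by account, source and reason. The time window is a hypothetical default.

```powershell
# Added example, not code from the original post: summarise failed logons by account,
# source and reason. Run elevated on a DC (4771/4776) or on an affected server (4625).
param([int]$Hours = 24, [string]$Computer = $env:COMPUTERNAME)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -ComputerName $Computer -FilterHashtable @{
    LogName = 'Security'; Id = 4625, 4771, 4776; StartTime = $since
} -ErrorAction SilentlyContinue

# NTSTATUS values found in 4625 SubStatus and 4776 Status; hashtable keys are case-insensitive.
$Reason = @{
    '0xc0000064' = 'user does not exist'
    '0xc000006a' = 'wrong password'
    '0xc000006f' = 'outside logon hours'
    '0xc0000070' = 'workstation restriction'
    '0xc0000071' = 'password expired'
    '0xc0000072' = 'account disabled'
    '0xc0000193' = 'account expired'
    '0xc0000234' = 'account locked out'
}

$rows = foreach ($e in $events) {
    $d = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    switch ($e.Id) {
        4625 { [pscustomobject]@{ Id = 4625; Account = $d.TargetUserName; Source = $d.IpAddress;
                                  Workstation = $d.WorkstationName; LogonType = $d.LogonType;
                                  Process = $d.ProcessName; Reason = $Reason[$d.SubStatus] } }
        4771 { [pscustomobject]@{ Id = 4771; Account = $d.TargetUserName; Source = $d.IpAddress;
                                  Workstation = ''; LogonType = ''; Process = '';
                                  Reason = "Kerberos pre-auth failed, status $($d.Status)" } }
        4776 { [pscustomobject]@{ Id = 4776; Account = $d.TargetUserName; Source = '';
                                  Workstation = $d.Workstation; LogonType = ''; Process = '';
                                  Reason = $Reason[$d.Status] } }
    }
}

# Who fails, from where, and why; the largest groups point at the misconfigured client.
$rows | Group-Object Account, Workstation, Source, Reason |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

On a DC the 4771 rows carry the client IP in the Source column, which is usually enough to find the device with the stale saved password; a 4625 with LogonType 3 and an empty Workstation typically comes from a service or scheduled task on the reported IP.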


Active Directory Global Catalog and SCOM issue


Hi All!

Let me quickly describe the env: root domain with 10 DCs, all GCs; child domain with over 100 DCs, all GCs; in both cases DNS is in Infoblox.

We started receiving SCOM alerts on over 90 DCs in the child domain about:

Global Catalog query returned 0 results
from Global Catalog Search Availability Data Source script
Microsoft.Windows.Server.10.0.AD.Availability.GCResponse.DataSource (DataSourceModuleType)

Here is the script:

https://systemcenter.wiki/?GetElement=Microsoft.Windows.Server.10.0.AD.Availability.GCResponse.DataSource&Type=DataSourceModuleType&ManagementPack=Microsoft.Windows.Server.AD.2016.Monitoring&Version=10.0.0.0

1. DcDiag has no errors or issues

2. All DNS SRV records are valid; we have re-registered them anyway

3. Sysvol and Netlogon shares are working fine

4. All ports are open from SCOM to 3268, 3269, 389 on the DCs and DCs <--> DCs

5. We can connect to GCs using ADSI or LDP.exe, no issue there

6. No replication issues

7. No changes in the env were done that we know about.

Digging further we were able to establish that:

The ADO connector used by SCOM returns 1 if correct and 0 when it fails.

1 is returned in Root, no issues there

0 is returned in ChildDomain

Here is the output from the script for child (the differing lines are marked):

Properties       : System.__ComObject
AbsolutePosition : -1
ActiveConnection : System.__ComObject
BOF              : True
Bookmark         :
CacheSize        : 1
CursorType       : 3
EOF              : True
Fields           : System.__ComObject
LockType         : 1
MaxRecords       : 0
RecordCount      : 0     <--- Here  BAD =)
Source           : <GC://ny.acme.com>;(objectCategory=DMD);cn;subtree
AbsolutePage     : -1
EditMode         : 0
Filter           : 0
PageCount        : 0
PageSize         : 10
Sort             :
Status           :
State            : 1
CursorLocation   : 2
MarshalOptions   : 0
DataSource       : System.__ComObject
ActiveCommand    :
StayInSync       : True
DataMember       :
Index            :

Root:

Properties       : System.__ComObject
AbsolutePosition : 1
ActiveConnection : System.__ComObject
BOF              : False
Bookmark         : 0
CacheSize        : 1
CursorType       : 3
EOF              : False
Fields           : System.__ComObject
LockType         : 1
MaxRecords       : 0
RecordCount      : 1   <--- GOOD
Source           : <GC://acme.com>;(objectCategory=DMD);cn;subtree
AbsolutePage     : 1
EditMode         : 0
Filter           : 0
PageCount        : 1
PageSize         : 10
Sort             :
Status           : 0
State            : 1
CursorLocation   : 2
MarshalOptions   : 0
DataSource       : System.__ComObject
ActiveCommand    :
StayInSync       : True
DataMember       :
Index            :

Any Ideas?

Thanks
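
The two Source lines above differ only in the search base: `GC://ny.acme.com` roots the subtree search at the child domain's naming context, while `(objectCategory=DMD)` matches the schema container, which lives at CN=Schema,CN=Configuration,DC=acme,DC=com and is not subordinate to DC=ny,DC=acme,DC=com; under the forest root base it is. The following added example (my code, not from the post) runs the same filter through System.DirectoryServices against the child base, the root base and the schema container directly, and reports which GC answered each query. Domain names are the post's placeholders.

```powershell
# Added example, not code from the original post: run the management pack's filter against
# several GC search bases and show the count plus the GC that answered.
# Domain names are the post's placeholders (acme.com = forest root, ny.acme.com = child).
$ForestRoot  = 'acme.com'
$ChildDomain = 'ny.acme.com'
$schemaNc    = ([ADSI]"LDAP://$ForestRoot/RootDSE").schemaNamingContext.Value

function Test-GcQuery {
    param(
        [string]$Base,
        [string]$Filter = '(objectCategory=DMD)'     # objectCategory of the schema container
    )
    $root     = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $Base
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $root, $Filter, ([string[]]@('cn'))
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $searcher.PageSize    = 10
    try {
        $results = $searcher.FindAll()
        [pscustomobject]@{
            Base   = $Base
            Server = $root.Options.GetCurrentServerName()   # the GC that actually answered
            Count  = $results.Count
            Hits   = ($results | ForEach-Object { $_.Path }) -join '; '
        }
        $results.Dispose()
    }
    catch {
        [pscustomobject]@{ Base = $Base; Server = ''; Count = -1; Hits = $_.Exception.Message }
    }
}

@(
    "GC://$ChildDomain"     # base the script uses when it runs in the child domain
    "GC://$ForestRoot"      # base the script uses when it runs in the root domain
    "GC://$schemaNc"        # the object the filter is looking for, addressed directly
) | ForEach-Object { Test-GcQuery -Base $_ } | Format-Table -AutoSize
```

A Count of 0 for the child base together with 1 for the schema container (served by a child-domain GC) shows that the GCs answer fine and the difference is where the filter is rooted; a -1 row with an error message is the case where connectivity or the GC itself is the problem.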

AD Disaster Recovery from Snapshot


Hi,

I have a forest and 2 domains where all the DCs run Windows 2012 R2 and the FFL/DFL are also Windows 2012 R2.

I am going to perform disaster recovery of the above DCs. I have a bare-metal backup with me and the snapshot as well, which is from Rubrik and is stored in a different datastore. We can clone the DC using Rubrik to an isolated network.

Now my question is: is a snapshot (clone) backup recommended by Microsoft for Windows Server 2012 R2, or do I need to install the OS on a new VM and recover from the bare-metal backup?

AD Delegation Not Working


Hello all,

I want to delegate to a group of users the ability to manage Active Directory users (create users/groups + reset password). I created a group and then delegated these permissions through the Delegation Wizard at the OU level, but it's not working. I tried to grant these permissions by right-clicking on the required OU, then Advanced, then adding the required AD group and selecting the required permissions, but it's still not working. So I gave these permissions to a user instead of a group and it did work (I delegated to a test user through the Delegation Wizard and it worked), but I need to delegate these tasks to a group so I can add users to it rather than individual user(s).

Any idea why it's not working for an AD group?

Thank you
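
When a delegation works for a user but not for a group, the two checks a practitioner runs are whether the OU's ACL really contains the same ACEs for the group as it does for the user, and whether the delegated user's logon token contains the group at all, since group membership is evaluated at logon and a user added to the group keeps their old token until they log off and on again. A further caveat: if the target accounts are members of protected groups, AdminSDHolder periodically overwrites their ACLs, so resets on those accounts fail regardless of the OU delegation. The following added example (my code, not from the post) dumps the ACEs for the group and the test user side by side and then checks the current token. OU, group and user names are hypothetical placeholders.

```powershell
# Added example, not code from the original post: compare the OU ACEs granted to the group
# with those granted to the test user, then confirm the group is in the current token.
# OU, group and user names are hypothetical placeholders.
$OuDn  = 'OU=Staff,DC=mydomain,DC=local'
$Group = 'MYDOMAIN\Helpdesk-Delegates'
$User  = 'MYDOMAIN\testuser'

Import-Module ActiveDirectory              # provides the AD: drive that Get-Acl reads
$acl = Get-Acl -Path "AD:\$OuDn"

# Well-known GUIDs the Delegation Wizard writes for the common tasks.
$guidMap = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (extended right)'
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user objects'
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'group objects'
    '00000000-0000-0000-0000-000000000000' = 'all'
}
function Resolve-Guid([guid]$g) { if ($guidMap[$g.ToString()]) { $guidMap[$g.ToString()] } else { $g.ToString() } }

foreach ($id in $Group, $User) {
    "--- ACEs for $id on $OuDn"
    $acl.Access | Where-Object { $_.IdentityReference.Value -eq $id } | ForEach-Object {
        [pscustomobject]@{
            Rights      = $_.ActiveDirectoryRights
            Type        = $_.AccessControlType
            ObjectType  = Resolve-Guid $_.ObjectType            # right or attribute the ACE covers
            AppliesTo   = Resolve-Guid $_.InheritedObjectType   # object class it applies to
            Inheritance = $_.InheritanceType
            Inherited   = $_.IsInherited
        }
    } | Format-Table -AutoSize
}

# Run this part in the delegated user's own session: the group must appear in the token.
$shortName = $Group.Split('\')[-1]
$inToken = (whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.'Group Name' -like "*\$shortName" })
if ($inToken) { "$shortName is present in the current token" } else { Write-Warning "$shortName is NOT in the current token; log off and on" }
```

If the group's rows are missing or are Deny entries while the user's rows are Allow, the delegation itself is the problem; if the rows match and the token lacks the group, the user simply has not logged on since being added.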

attribute editor for computer object


2012 R2 domain. I'm a domain admin and I've enabled Advanced Features in ADUC. I can see the "Attribute Editor" tab when I open a user's properties, but I do not see an "Attribute Editor" tab when I open a computer's properties. Is that expected?

AD Replication not working between all DC


Hello Experts,

We have an issue with AD replication: all DCs cannot replicate, and also the SYSVOL and NETLOGON folders are not created on the other DCs.

SYSVOL and NETLOGON are only created on the DC where the FSMO roles reside.

But on this good DC there are events with event ID 13568:

The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.

 Replica set name is   : "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"

 Replica root path is  : "c:\windows\sysvol\domain"

 Replica root volume is : "\\.\C:"

 A Replica set hits JRNL_WRAP_ERROR when the record that it is trying to read from the NTFS USN journal is not found. This can occur because of one of the following reasons.

And on the bad DC, where the SYSVOL folder is not created, there are events with ID 13508:

The File Replication Service is having trouble enabling replication from CONWHOCDC01 to CONCLOPDC01 for c:\windows\sysvol\domain using the DNS name CONWHOCDC01.mydomain.com. FRS will keep retrying.

After googling, the suggestion is to change the registry, but I am not sure it will resolve this error and that the SYSVOL folder will be created, as we have only one working good DC in the environment and the others have replication issues.

Please suggest and help to resolve this replication issue between the DCs.

Thanks


Thanks, Prakash. Please Note: My Posts are provided "AS IS" without warranty of any kind, either expressed or implied.
