Channel: Directory Services forum

Repadmin /replsummary Error (8606)


Hi,

I have 5 DCs in 3 different networks (DEV, TST, PRD); all DCs are 2012 R2 except PRD-ADV3, which is 2008 R2.

If I run the command Repadmin /replsummary from all DCs, I receive the error below:

C:\Users\admin>Repadmin /replsummary

Replication Summary Start Time: 2020-04-02 10:24:14

Beginning data collection for replication summary, this may take awhile:
  .........
Source DSA          largest delta    fails/total %%   error
 DEV-ADV1              12m:34s    0 /  15    0
 PRD-ADV1              32m:30s    0 /  20    0
 PRD-ADV2     >60 days            2 /  10   20  (8606) Insufficient attributes were given to create an object. This object may not exist because it may have been deleted and already garbage collected.
 PRD-ADV3              33m:17s    0 /  10    0
 TST-ADV1              32m:31s    0 /  10    0
 TST-ADV2              39m:13s    0 /  10    0


This is the result from PRD-DC2

C:\Users\admin>repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost
Production\PRD-ADV2
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: fd0814d7-df3d-4547-b29d-xxxxxxxxxxxx
DSA invocationID: 3090f21b-4ffc-4c65-8b0b-xxxxxxxxxxxx

==== INBOUND NEIGHBORS ======================================

DC=mydomain,DC=local
    Development\DEV-ADV1 via RPC
        DSA object GUID: 07030400-79c8-4f2d-b48a-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 10:11:40 was successful.
    Production\PRD-ADV3 via RPC
        DSA object GUID: 9a69e59f-8385-4634-95a7-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 12:04:24 was successful.
    Production\PRD-ADV1 via RPC
        DSA object GUID: 061a84d5-db2d-4da0-a2b9-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 12:06:01 was successful.

CN=Configuration,DC=mydomain,DC=local
    Development\DEV-ADV1 via RPC
        DSA object GUID: 07030400-79c8-4f2d-b48a-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 10:11:40 was successful.
    Production\PRD-ADV1 via RPC
        DSA object GUID: 061a84d5-db2d-4da0-a2b9-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 11:58:39 was successful.
    Production\PRD-ADV3 via RPC
        DSA object GUID: 9a69e59f-8385-4634-95a7-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 11:58:45 was successful.

CN=Schema,CN=Configuration,DC=mydomain,DC=local
    Development\DEV-ADV1 via RPC
        DSA object GUID: 07030400-79c8-4f2d-b48a-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 10:11:40 was successful.
    Production\PRD-ADV1 via RPC
        DSA object GUID: 061a84d5-db2d-4da0-a2b9-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 11:58:39 was successful.
    Production\PRD-ADV3 via RPC
        DSA object GUID: 9a69e59f-8385-4634-95a7-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 11:58:39 was successful.

DC=DomainDnsZones,DC=mydomain,DC=local
    Development\DEV-ADV1 via RPC
        DSA object GUID: 07030400-79c8-4f2d-b48a-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 10:11:40 was successful.
    Production\PRD-ADV3 via RPC
        DSA object GUID: 9a69e59f-8385-4634-95a7-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 11:58:39 was successful.
    Production\PRD-ADV1 via RPC
        DSA object GUID: 061a84d5-db2d-4da0-a2b9-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 11:58:39 was successful.

DC=ForestDnsZones,DC=mydomain,DC=local
    Development\DEV-ADV1 via RPC
        DSA object GUID: 07030400-79c8-4f2d-b48a-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 10:11:40 was successful.
    Production\PRD-ADV1 via RPC
        DSA object GUID: 061a84d5-db2d-4da0-a2b9-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 11:58:39 was successful.
    Production\PRD-ADV3 via RPC
        DSA object GUID: 9a69e59f-8385-4634-95a7-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 11:58:39 was successful.


This is from the other server (PRD-DC1):

C:\Users\Admin>repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost
Production\PRD-ADV1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 061a84d5-db2d-4da0-a2b9-xxxxxxxxxxxx
DSA invocationID: 0cd47770-7f80-4672-bd71-7a7743e34c38

==== INBOUND NEIGHBORS ======================================

DC=mydomain,DC=local
    Production\PRD-ADV2 via RPC
        DSA object GUID: fd0814d7-df3d-4547-b29d-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 11:51:33 was successful.
    Development\DEV-ADV1 via RPC
        DSA object GUID: 07030400-79c8-4f2d-b48a-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 12:05:57 was successful.
    Test\TST-ADV1 via RPC
        DSA object GUID: 8951dd52-2a9d-4d79-a2b4-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 12:05:57 was successful.
    Production\PRD-ADV3 via RPC
        DSA object GUID: 9a69e59f-8385-4634-95a7-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 12:09:15 was successful.

CN=Configuration,DC=mydomain,DC=local
    Production\PRD-ADV2 via RPC
        DSA object GUID: fd0814d7-df3d-4547-b29d-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 11:50:57 failed, result 8606 (0x219e):
            Insufficient attributes were given to create an object. This object
may not exist because it may have been deleted and already garbage collected.
        13955 consecutive failure(s).
        Last success @ 2019-12-06 16:19:54.
    Production\PRD-ADV3 via RPC
        DSA object GUID: 9a69e59f-8385-4634-95a7-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 11:58:42 was successful.
    Development\DEV-ADV1 via RPC
        DSA object GUID: 07030400-79c8-4f2d-b48a-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 12:05:57 was successful.
    Test\TST-ADV1 via RPC
        DSA object GUID: 8951dd52-2a9d-4d79-a2b4-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 12:05:57 was successful.

CN=Schema,CN=Configuration,DC=mydomain,DC=local
    Production\PRD-ADV2 via RPC
        DSA object GUID: fd0814d7-df3d-4547-b29d-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 11:50:57 was successful.
    Production\PRD-ADV3 via RPC
        DSA object GUID: 9a69e59f-8385-4634-95a7-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 11:50:57 was successful.
    Development\DEV-ADV1 via RPC
        DSA object GUID: 07030400-79c8-4f2d-b48a-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 12:05:57 was successful.
    Test\TST-ADV1 via RPC
        DSA object GUID: 8951dd52-2a9d-4d79-a2b4-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 12:05:57 was successful.

DC=DomainDnsZones,DC=mydomain,DC=local
    Production\PRD-ADV2 via RPC
        DSA object GUID: fd0814d7-df3d-4547-b29d-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 11:50:57 was successful.
    Production\PRD-ADV3 via RPC
        DSA object GUID: 9a69e59f-8385-4634-95a7-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 11:50:57 was successful.
    Development\DEV-ADV1 via RPC
        DSA object GUID: 07030400-79c8-4f2d-b48a-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 12:05:57 was successful.
    Test\TST-ADV1 via RPC
        DSA object GUID: 8951dd52-2a9d-4d79-a2b4-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 12:05:57 was successful.

DC=ForestDnsZones,DC=mydomain,DC=local
    Production\PRD-ADV2 via RPC
        DSA object GUID: fd0814d7-df3d-4547-b29d-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 11:50:57 was successful.
    Production\PRD-ADV3 via RPC
        DSA object GUID: 9a69e59f-8385-4634-95a7-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 11:50:57 was successful.
    Development\DEV-ADV1 via RPC
        DSA object GUID: 07030400-79c8-4f2d-b48a-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 12:05:57 was successful.
    Test\TST-ADV1 via RPC
        DSA object GUID: 8951dd52-2a9d-4d79-a2b4-xxxxxxxxxxxx
        Last attempt @ 2020-04-02 12:05:57 was successful.

Source: Production\PRD-ADV2
******* 13955 CONSECUTIVE FAILURES since 2019-12-06 16:19:54
Last error: 8606 (0x219e):
            Insufficient attributes were given to create an object. This object
may not exist because it may have been deleted and already garbage collected.

I tried to run these commands on PRD-DC2, but they didn't solve my problem:

repadmin /removelingeringobjects ACC-PRD-ADV2 fd0814d7-df3d-4547-b29d-xxxxxxxxxxxx CN=Configuration,DC=mydomain,DC=local /advisory_mode

repadmin /removelingeringobjects ACC-PRD-ADV2 fd0814d7-df3d-4547-b29d-xxxxxxxxxxxx CN=Configuration,DC=mydomain,DC=local 
repadmin /removelingeringobjects ACC-PRD-ADV2 fd0814d7-df3d-4547-b29d-xxxxxxxxxxxx CN=Schema,CN=Configuration,DC=mydomain,DC=local
repadmin /removelingeringobjects ACC-PRD-ADV2 fd0814d7-df3d-4547-b29d-xxxxxxxxxxxx DC=DomainDnsZones,DC=mydomain,DC=local 
repadmin /removelingeringobjects ACC-PRD-ADV2 fd0814d7-df3d-4547-b29d-xxxxxxxxxxxx DC=mydomain,DC=local 
repadmin /removelingeringobjects ACC-PRD-ADV2 fd0814d7-df3d-4547-b29d-xxxxxxxxxxxx DC=ForestDnsZones,DC=mydomain,DC=local 
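An added check for this situation (example code, not from the original post): a PowerShell script that reads one DC's inbound partner metadata through the RSAT ActiveDirectory module, lists partners with consecutive failures or a stale last success, and compares the age of the last success with the forest's tombstoneLifetime, the window after which a partner that stopped replicating risks lingering objects. The DC name is a placeholder.

```powershell
# Added example, not part of the original post: report a DC's inbound replication partners whose
# last success is stale, and flag any whose failure age exceeds the forest tombstone lifetime.
# Assumes the RSAT ActiveDirectory module; the default -Target is a placeholder DC name.
param(
    [string]$Target   = 'PRD-ADV1.mydomain.local',  # placeholder: DC whose inbound partners are inspected
    [int]   $WarnDays = 7                           # report partners with no success for longer than this
)
Import-Module ActiveDirectory

# Tombstone lifetime in days is stored on the Directory Service object; unset means the legacy default of 60.
$cfgNc = (Get-ADRootDSE -Server $Target).configurationNamingContext
$dsDn  = "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc"
$tsl   = (Get-ADObject -Identity $dsDn -Server $Target -Properties tombstoneLifetime).tombstoneLifetime
if (-not $tsl) { $tsl = 60 }

$now  = Get-Date
$rows = Get-ADReplicationPartnerMetadata -Target $Target -Scope Server -PartnerType Inbound |
    ForEach-Object {
        # Partner is the DN of the partner's NTDS Settings object; its second RDN is the server name.
        $partnerName = (($_.Partner -split ',')[1]) -replace '^CN=', ''
        $ageDays = if ($_.LastReplicationSuccess) { [int]($now - $_.LastReplicationSuccess).TotalDays } else { $null }
        [pscustomobject]@{
            Partition     = $_.Partition
            Partner       = $partnerName
            LastSuccess   = $_.LastReplicationSuccess
            AgeDays       = $ageDays
            Failures      = $_.ConsecutiveReplicationFailures
            LastResult    = $_.LastReplicationResult   # 0 = success; 8606 = the lingering-object condition shown above
            PastTombstone = ($null -ne $ageDays -and $ageDays -gt $tsl)
        }
    }

# Anything with failures or a stale last success deserves a ticket; PastTombstone = True means
# the partner must be treated as a lingering-object source before replication is forced again.
$rows |
    Where-Object { $_.Failures -gt 0 -or $_.AgeDays -gt $WarnDays } |
    Sort-Object AgeDays -Descending |
    Format-Table Partition, Partner, LastSuccess, AgeDays, Failures, LastResult, PastTombstone -AutoSize
```

For repadmin /removelingeringobjects, the first argument is the DC to be cleaned and the GUID is the DSA object GUID of a reference DC whose copy of that partition is trusted, so the two should be different DCs. Run it with /advisory_mode first and read the Directory Service event log entries it writes before running it without that switch.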








NIS server alternatives for Windows Server 2016


It seems the NIS server is no longer available as of Windows Server 2016.

Currently we're using Windows Server 2012:

Does anyone know of alternatives for Windows Server 2016?

thanks in advance,

oli

Delegate permission to create keytab file


Hello all,

We have a service account. Is there a way to delegate permission to this service account to create keytab files at the OU level?

Please let us know if there is any such option available.

regards

Aamir

GPO for outlook auto archiving features


Good Morning Team,

My client is running an on-prem Exchange 2016 organization with several servers in a DAG. They are running the latest CU16, and clients are in a Windows 2016 single forest/domain, with workstations using Windows 10 and Office 2013/2016.


Here is the request: due to some disk space constraints, we have been asked to implement the Outlook Auto Archiving feature.
This would allow our users to move their mail to PST. The option is located in File -> Options -> Advanced -> Auto Archive Settings and it is currently disabled.

Can you please provide step-by-step instructions to set up a user GPO to implement this feature? Please provide as much detail as you can.

By the way, this should be scoped to a group of users and not everyone in the organization.


Franki

Issue with Active Directory module for PowerShell


We have a resource domain (single domain/forest) in place that is used primarily for locked down systems like lab machines, kiosks, etc.  We are in the process of uplifting the domain with new Windows 2019 DCs replacing the 2008 R2 DCs (DFL and FFL still 2008 R2 currently). 

This is an inherited domain, and I *think* the issue is with the domain name being created with an underscore in the name:  _resource.local - just looking for confirmation or if something else could be causing this issue.

The AD management tools work fine, but we are seeing errors with the PowerShell module for AD. While the old DCs are still around, they have been demoted, and unfortunately we don't know if this happened with them. When you launch Active Directory Module for PowerShell, it returns the error below. Manually typing import-module ActiveDirectory succeeds without error.

import-module : Attempting to perform the InitializeDefaultDrives operation on the 'ActiveDirectory' provider failed.
At line:1 char:1
+ import-module ActiveDirectory
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Microsoft.Activ...ActiveDirectory:ProviderInfo) [Import-Module], Prov
   iderInvocationException
    + FullyQualifiedErrorId : InitializeDefaultDrivesException,Microsoft.PowerShell.Commands.ImportModuleCommand

However, trying to run any AD cmdlet returns an error like this one below:

Get-ADDomain : Invalid URI: The server name 'DC20._RESOURCE.LOCAL' could not be parsed. You might need to enable
internationalized domain name support for class System.Uri. See help of class System.Uri for more details.
At line:1 char:1
+ Get-ADDomain
+ ~~~~~~~~~~~~
    + CategoryInfo          : InvalidType: (_RESOURCE:ADDomain) [Get-ADDomain], UriFormatException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.UriFormatException,Microsoft.ActiveDirectory.Management.Com
   mands.GetADDomain

Lost administrator permissions


Hello dear,

Please can you help me to resolve a problem on my computer?

I used a script in PowerShell, and then I restarted the PC and found that I had lost all admin permissions, I can't access anything, and the Windows "Start" icon doesn't work.... and I don't know how to fix it.

The script is:

Get-AppXPackage | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}

Thanks for understanding; please help me to resolve this problem.

Active directory based activation?

Is there any way of getting a report of how many devices have been activated through Active Directory-based activation?

Jason

Server network adapters "drop" the domain


Hi,

Every so often a server, even the domain controller would lose the domain. The NIC would show connected to "network 2 / private" rather than our FQDN. The fix in the past was to simply disable and reenable the NIC. The NIC would then show our FQDN and everything was good.

We had to shut down last weekend because of a cooling issue. When I brought everything back up, our Hyper-V NICs would not "find" the domain. Instead the NICs showed connected to Private / Network 2 rather than domain / FQDN. The only thing that fixed it was to ping our FQDN, then disable and re-enable the NIC on each. Is this a problem with our domain design or DNS, or is this a bug?

Our domain level is 2008 R2. The 2 domain controllers are 2012 R2.

Thanks for any good info.



Active Directory Security Group membership based on specific attribute


Trying to figure out if there's a way to create an AD security group and populate its members with user objects that have a specific attribute.


Example:

ABC Security Group

User XYZ has attribute countryCode = 0
User CDE has attribute countryCode = 1
User FGH has attribute countryCode = 1

I want to populate ABC Security Group with all the users who have attribute countryCode = 1, automatically.


The idea is that I've got thousands of users with countryCode = 1 and I really don't want to have to add them, or remove them, manually. I would like that if their countryCode ever changes from 0 to 1 or 1 to 0, it automatically adds or removes them from ABC Security Group.


Thanks,

Daniel
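One way to do this on-premises (example code added here, not from the original post): a scheduled PowerShell script that recomputes the desired membership from the countryCode attribute and applies only the difference, so users are added when the value becomes 1 and removed when it changes away. It assumes the RSAT ActiveDirectory module and an account delegated only "Write Members" on that group; the group name and search base are placeholders.

```powershell
# Added example, not part of the original post: keep a security group in sync with the users whose
# countryCode attribute has a given value. Run with -WhatIf first; it then only reports the changes.
# Assumes the RSAT ActiveDirectory module; group name and search base are placeholders.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$GroupName   = 'ABC Security Group',     # placeholder group name from the post
    [int]   $CountryCode = 1,
    [string]$SearchBase  = 'DC=mydomain,DC=local'    # placeholder domain
)
Import-Module ActiveDirectory

$group = Get-ADGroup -Identity $GroupName

# Desired members: user objects carrying the attribute value, keyed by DN for set arithmetic.
$wanted = @{}
Get-ADUser -LDAPFilter "(countryCode=$CountryCode)" -SearchBase $SearchBase |
    ForEach-Object { $wanted[$_.DistinguishedName] = $true }

# Current members: only direct user members, so nested groups or computers in the group are left untouched.
# (The group DN is used raw in the filter; escape it if your DNs contain LDAP special characters.)
$current = @{}
Get-ADUser -LDAPFilter "(memberOf=$($group.DistinguishedName))" |
    ForEach-Object { $current[$_.DistinguishedName] = $true }

$toAdd    = @($wanted.Keys  | Where-Object { -not $current.ContainsKey($_) })
$toRemove = @($current.Keys | Where-Object { -not $wanted.ContainsKey($_) })

# Guard against a broken filter or a partial directory outage emptying the group in one run.
if ($wanted.Count -eq 0 -and $current.Count -gt 0) {
    throw "Query for countryCode=$CountryCode returned no users; refusing to remove $($current.Count) members."
}

# -WhatIf given to the script propagates to these cmdlets through $WhatIfPreference.
if ($toAdd.Count    -gt 0) { Add-ADGroupMember    -Identity $group -Members $toAdd }
if ($toRemove.Count -gt 0) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false }

Write-Output ("{0}: added {1}, removed {2}, target size {3}" -f $GroupName, $toAdd.Count, $toRemove.Count, $wanted.Count)
```

Schedule it on one server under the delegated account rather than a Domain Admin, and keep its output so membership changes to the group can be audited alongside the 4728/4729 group-change events on the DCs.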

CA Server is not available


Hello Everyone

We had three domain controller servers in our environment. Out of the 3 domain controller servers, we had setup Certificate Authority (CA) in one of the domain controllers which is now in decommissioned state. The certificate is valid till 2032 though.

During a regular health check, I identified that the personal certificate of one of our remaining domain controllers will expire by the end of this month. The certificate was issued by our previous domain controller (CA), which is now unavailable. As I understand it, if I right-click and renew the certificate, the enrollment will fail, as it will not be able to contact the CA server which issued the certificate.

So I need your expert opinion on how I can proceed with renewing the domain controller's certificate.

Also, if the personal certificate of the domain controller expires, what will be the impact on end users?

Thanking You

Default Domain Controller Policy


Hello Everyone

We have a domain controller environment and, as it is, we have a Default Domain Controllers Policy in place. The Default Domain Controllers Policy has the following settings:

Enforced : No

Link Enabled : No

Will the settings in the policy work if there are no additional GPOs in place?

Thanking You

Avinash Yadav

Configure GPO to Run PowerShell Script On all Domain Members Only Once

I would like to run one PowerShell script through GPO on all domain members. The PowerShell script should be run only once and I would not like to run it again. Can someone please suggest a step-by-step guide?

Changing Domain and Forest DNS Zones


I have the exact problem described here:

http://khellman.blogspot.com/2014/02/ad-ds-operation-failed-dcpromo-error.html

I went to demote an old 2008 R2 Domain Controller and got the error: The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.

Our Active Directory supports the operation of a large school district, and with the current situation it would be most problematic to break AD, although the current situation is obviously broken, as it points to a DC that does not exist.

If I query the FSMO roles from NetDom, they are correct, but apparently it's not the same thing as the DNS zones.

I just want to make sure that making these changes is non-destructive and safe to implement.

Thanks

DCPROMO never completes


Hi All,

I'm busy with 2 new DCs for a client. I have done numerous DCPROMOs without an issue up until now.

When I DCPROMO, the prerequisites all pass with no issues. It then starts to prepare the installation, and seemingly stalls on preparing the local computer for ADDS. There is 1 error in the event log:

8524 - The DSA Operation is unable to proceed because of a DNS lookup failure.

However, I can perform an NSLOOKUP with no issues to any of the 3 existing DCs.

Things I have done:

* Restarted the VMs, and then uninstalled DNS / ADDS before restarting and trying again (I deleted any SYSVOL/NTDS folders);

* Deleted the computer object out of AD Sites & Services;

* Checked NSLOOKUP as I mentioned and it passes;

* Firewalls turned off on source / destination VMs;

* No traffic passing through a firewall on the network.

I am a member of the Domain Admins group, and the existing DCs are running Windows Server 2016 v. 1607 (14393.3564) while the new DCs are running Windows Server 2016 v. 1607 (14393.3504).

Any help would be appreciated.

Thanks!

Windows Active Directory Certificate Services

I accidentally installed Windows Active Directory Certificate Services first, and now I can't promote Windows Server for Active Directory Services. Does anyone know anything?

Melissa Pratt


PKI-related issue with Domain Controller and "custom" certificate


I'm honestly not sure if this is a PKI-related issue involving AD, or an AD-related issue involving PKI...  But there is no PKI-specific option under "Windows Server" for this forum site.

What I'm trying to do: Use a special Domain Controller certificate template to make a certificate request on a DC which includes a list of SANs (Subject Alternative Names). (Yes, I know auto-enroll will not work!!) With a SAN, you can use a load-balancer with Secure LDAP (port 636/tcp) and a common name.

I've done this before and it worked great. Downside is you have to manually renew certs. Not a problem here. I am NOT trying to publish the certificate into AD: that option is UNchecked in the certificate template.

The issue is that I am getting this error on the step where I run the command

    certreq -f -submit -config "ca.corp.nydomain.com\My PKI Name" $csrFile $certFile

Where I get an error:

Certificate retrieved(Issued) Issued  Could not publish Certificate.  Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)

In the CAPI2 event log, the only message helpful is:

The certificate is not valid for the requested usage.
[ value] 800B0110

I actually cloned the new template from the default/built-in "Domain Controllers" template; it has just been updated to 2012 R2 with some other parameters for the usage I am trying to implement.

I've gone through all the things that come to mind, like special rights for "cert publishers" on the template, making sure the "Domain Admins" and "Domain Controllers" groups have rights... I'm not sure if I've MISSED something simple!!!

I'm probably going to have to open a Premier ticket, but I was hoping that someone might point out something obvious I've missed.

The domain structure is a root domain, and I am working in a sub-domain, and the AD-integrated PKI servers are domain members of a different sub-domain. (So "A" is the root domain, "B" is the corp sub-domain, and "C" is the sub-domain under "A" in which I am working on with the DC's.)

The DC is Windows Server 2012 R2 and the CA server is Windows Server 2012 R2.

Any thoughts would be greatly appreciated!!


-- Rob "I" --

Windows 2016 Failover Cluster Fails Active Directory Authentication


Hello All.

I originally posted this to the High Availability forum but it was recommended that I post this to the Directory Services forum, so the below is a copy-and-paste of my original post.

I have an environment with three domain controllers all within the same site that are replicating between each other.  We set up a Failover Cluster on two Windows 2016 nodes and noticed that it failed the Active Directory Configuration validation tests.  The nodes failed this one test 100% of the time.  After digging in the Event Viewer, we noticed that the error messages for cluster creation included the message "A more secure authentication method is required."  We require the group policy setting "Domain controller: LDAP server signing requirements" to be set to "Require signing", but out of curiosity we set it to "None" and lo and behold, the nodes started connecting to Active Directory.

But it doesn't end there.  Although the Active Directory validation tests started succeeding, they only succeeded sometimes.  In other words, sometimes Node 1 would succeed and Node 2 fails, sometimes Node 1 fails but Node 2 succeeds, sometimes they both fail, and sometimes they both succeed.  Through a long mess of troubleshooting, we found out that if we removed one of the domain controllers from the DNS IP list on the nodes' NIC IPv4 properties, the validation tests would succeed 100% of the time.  This points to a DNS issue, I'm guessing, but I'm not too sure.

When querying the domain suffix in nslookup, all three domain controllers return the correct IPs.  All three domain controllers respond to port 636 and offer the correct certificate.

So my question is two-fold:  what is preventing the nodes from connecting to Active Directory while LDAP server signing is required, and what manner of DNS issue prevents them from connecting if it is not?

ADFS Authentication with Multiple Forests for Remote Desktop Services

Hello,

How can I do ADFS Authentication with Multiple Forests for Remote Desktop Services?

I have an on-premises Remote Desktop environment, and now we have merged with another company and they want to access our Remote Desktop environment with their AD users through Active Directory Federation Services (ADFS).

They don't want to use a VPN tunnel for AD trust.

Is there any way, we can do ADFS Authentication with AD Forest trust for on-premises Remote Desktop environment? 

Thanks

Non Admin users appearing in User Account Management on Domain Controllers


I am not sure if this is a problem. If it is not, then I would appreciate someone walking me through it.

If we log on to one of our Domain Controllers and go to Control Panel > User Accounts > Manage User Accounts, in the new User Accounts window we can see several non-admin User accounts listed.

I don't think that this is necessarily a problem, but we want to be sure that it is normal and it is not the sign of an issue, as it seems strange that a Domain Controller would have nominal User Accounts to Manage.

We want to be sure that there has not been too much access granted to people that should not have it in an unobvious way.

Delete ip subnet


Hi,

A while ago, besides dfsn, we added a new test site and therefore had to configure IP subnets for both the test and dfsn sites.

Now we want to delete the test site and its IP subnet, and I don't think there is any problem with that.

My question is: am I going to get any problems from deleting the IP subnet from dfsn? It is the only site we had from the start and it was working fine, so we just want to go back to how we had it.

Regards,



