Channel: Directory Services forum

Netlogon 5722 - errors on Domain Controller


Hi there,

We have two Domain Controllers - DC1 and DC2.

In theory, everything works well. We don't see any problems with user/app authorization, AD replication, LDAP, DNS, etc.

However, every 4 hours in the System event log we find a new entry from NETLOGON, ID 5722:

The session setup from the computer DC2 failed to authenticate. The name(s) of the account(s) referenced in the security database is DC2$. The following error occurred: Access is denied.

We've executed a set of dcdiag commands, but there are no significant errors.

For example:
nltest /sc_query:mydomain.tld

It works on every workstation but it returns an error on the Domain Controllers:

I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

I'm confused. Am I doing something wrong?

Best Regards,
Adam Erot


Error


DNS and AD are not working.

I get this error in the DNS log:

The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.

I get this error in AD:

The security of this directory server can be significantly enhanced by configuring the server to enforce  validation of Channel Binding Tokens received in LDAP bind requests sent over LDAPS connections. Even if  no clients are issuing LDAP bind requests over LDAPS, configuring the server to validate Channel Binding  Tokens will improve the security of this server.
 
For more details and information on how to make this configuration change to the server, please see https://go.microsoft.com/fwlink/?linkid=2102405.

I get this error after logging in to the Exchange Server 2019 admin:

500
Unexpected Error :(
An error occurred and your request couldn't be completed. Please try again.

Please help....


Group Policy Priority issue


Hi, 

We have an OU called NewPCs.

There is a GP linked to NewPCs that disables Remote Desktop connections and it is marked as enforced.

Under NewPCs there is another OU called ABVM.

There is a GP linked to ABVM that Enables Remote Desktop connections and it is marked as enforced.

I expect that the GP applied to the more specific OU would have the highest priority and that remote desktop would be enabled for computers in the ABVM OU.

However, remote desktop is being disabled by GP.

Does anyone know what is going on with this?

This exact same hierarchy works flawlessly in other OUs, so I have no idea why it isn't working here.
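Added example, not from the post or the thread: a small Python model of how Group Policy link precedence resolves the OU layout described above, including what Enforced and Block Inheritance do. The OU and GPO names are the post's; the domain name is made up, and the setting key is the registry value behind the Remote Desktop policy.

```python
"""Model of Group Policy link precedence with Enforced links and Block Inheritance.

Links are applied in LSDOU order (site, domain, then OUs from the top down) and the
last write to a setting wins, so a child OU's GPO normally overrides its parent's.
Enforced links are applied after every non-enforced link and in the reverse
direction, child OU first, so the enforced link highest in the tree is written last
and wins: the NewPCs "disable" link beats the ABVM "enable" link.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Link:
    gpo: str
    settings: Dict[str, str]        # policy setting -> value written by this GPO
    enforced: bool = False


@dataclass
class Container:
    name: str
    links: List[Link] = field(default_factory=list)   # lowest precedence first, highest last
    block_inheritance: bool = False


def apply_order(chain: List[Container]) -> List[Tuple[str, Link]]:
    """chain runs from the top (domain) down to the computer's own OU.

    Returns (container, link) pairs in the order the client writes them; the last
    pair touching a setting wins.  Block Inheritance on a container drops the
    non-enforced links of every container above it; enforced links ignore it.
    """
    lowest_block = max((i for i, c in enumerate(chain) if c.block_inheritance), default=-1)
    normal = [(c.name, l) for i, c in enumerate(chain) for l in c.links
              if not l.enforced and i >= lowest_block]
    enforced = [(c.name, l) for c in reversed(chain) for l in c.links if l.enforced]
    return normal + enforced


def resolve(chain: List[Container]) -> Dict[str, Tuple[str, str]]:
    """Resultant set of policy: setting -> (value, GPO that supplied it)."""
    result: Dict[str, Tuple[str, str]] = {}
    for _container, link in apply_order(chain):
        for setting, value in link.settings.items():
            result[setting] = (value, link.gpo)
    return result


# The post's layout: NewPCs (disable RDP) with child OU ABVM (enable RDP).
RDP = "fDenyTSConnections"   # 1 = Remote Desktop connections disabled, 0 = enabled


def post_tree(parent_enforced: bool, child_enforced: bool, block_abvm: bool = False) -> List[Container]:
    return [
        Container("example.local"),   # constructed domain name, no links
        Container("NewPCs", [Link("Disable RDP", {RDP: "1"}, enforced=parent_enforced)]),
        Container("ABVM", [Link("Enable RDP", {RDP: "0"}, enforced=child_enforced)], block_abvm),
    ]


if __name__ == "__main__":
    for parent, child, block in [(True, True, False), (False, False, False),
                                 (False, True, False), (True, False, True)]:
        value, gpo = resolve(post_tree(parent, child, block))[RDP]
        print(f"NewPCs enforced={parent} ABVM enforced={child} block={block}: "
              f"{RDP}={value} from '{gpo}'")
```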

Import (add) directory users with old identifiers


I just lost my domain controllers. I think there's something wrong with WS2019, because adding servers to the new directory gets me an error of identical SID. I thought it was because I was cloning them as I have all the time, but even new servers from scratch have the same problem. I digress… Before I lost everything I had a federated domain with Azure AD; I was also doing password hash sync, which let me keep a list of my users in Azure AD.

Now I want to get the list back into my directory, but the options in the sync service of Azure AD Connect to import from Azure are not there anymore... or maybe weren't there at all; I had used them, but only on-prem to Azure.

Through some searching I came across a way to download the users in PowerShell into a CSV file, which didn't work either, maybe because it was too old, but it did help me make sense of what I need to do. I ended up downloading the list from the Azure portal and now I'm at the import part.

The Azure AD file contains the attribute objectId with values like 4313f321-2a48-405d-bea4-519dfb3755c8. It also contains:

  • userPrincipalName
  • displayName
  • surname
  • mail
  • givenName
  • objectId
  • userType
  • jobTitle
  • department
  • accountEnabled
  • usageLocation
  • streetAddress
  • state
  • country
  • physicalDeliveryOfficeName
  • city
  • postalCode
  • telephoneNumber
  • mobile
  • authenticationPhoneNumber
  • authenticationAlternativePhoneNumber
  • authenticationEmail
  • alternateEmailAddress
  • ageGroup
  • consentProvidedForMinor
  • legalAgeGroupClassification

Probably even more, I haven't tested. What I would like to know is if I can import users with their unique IDs into Active Directory so they get their stuff back after they reset their password. I issued Get-Help New-ADUser -Online to get everything available in a 2019 server and it took me to an old article for starters (tons of issues with 2019); eventually I found the current information for New-ADUser, but with no option for something that I don't know how to enter (or which is) its unique identifier.

There's a vague option to enter more options within options but it's just that: vague.

I explored some more and realized that while the script I got earlier (from Microsoft) doesn't work, Get-MsolUser from the MSOnline module does; furthermore, it has a GUID parameter. So I'm now thinking of writing a more complex cmdlet to pipe straight from AAD into AD, maybe not using New-ADUser but something else like New-ADObject.

The problem is that my PowerShell knowledge comes mostly from pure dumb luck: they aliased the BASH commands to cmdlets, so I'm not that lost, and I'm not even good in BASH either. Could you help me with the cmdlets I need to form the pipe instruction?

I thought about importing and, if it doesn't work quite right, doing another pipe but with Set- instead of New- to "fine-tune" the entries. But I still don't know how to use things enclosed in symbols like {}, what parentheses do, what in the hell ($_.Firstname + "." + $_.Lastname) means, which I got from the second part of the script I was going to use, and I just learned about ForEach-Object using some Kerberos cmdlet the other day; apparently it's needed here as well, but it wasn't as straightforward as it sounded, at least not in that case. Being self-taught, I don't know where to get the resources to learn all of this. Pure dumb luck.

I really appreciate your help in this. This is my last chance to recover data from the servers that are offline right now. Well, I guess as admin I can always change ownership, but there's an Exchange Server that I won't be able to fool that easily. :/  Thanks!


I bet you think this post is about you. Don't you…don't you. ♪

wallpaper GPO


Dear All,

I have applied a GPO that changes the wallpaper on my workstations in the domain. The policy works fine when the workstation is connected to the network. Then I disconnect the laptop from the network, log in to the computer with the offline profile, and the wallpaper does not show. What is the problem?

dfj

sff


Sidhistory vs Recursive group membership vs access token

Hello,

I migrated users and groups from the source to the target domain using sidHistory for both users and groups. So when a user logs in to the target domain and the access token is built,

Please confirm if it contains:

Sid for target domain user account
Sid for target domain groups of which the user is a direct member.
Sidhistory for target domain user account (Sid of source domain user account)
Sidhistory for target domain groups (Sid of source domain groups) of which the user is a direct member

Now my questions are

1- Does the access token also contain the SIDs of all recursive target domain groups of which the user is an indirect member?
2- Does the access token also contain the sidHistory of all recursive target domain groups (SIDs of the source domain groups) of which the user is an indirect member?

What I mean by recursive group membership is, for example: User (source/target) is a member of Group1, Group1 is a member of Group2, Group2 is a member of Group3, and so on.

Kindly reply specific to all points mentioned above.

G-ONE
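Added example, not from the post: a Python model of the SIDs a logon token collects from a migrated user, its nested groups and the sidHistory carried on each of them, which is what lets an ACL still written for source-domain SIDs match. The domain SID prefixes, RIDs and nesting are constructed; the nesting includes a loop, which AD permits.

```python
"""Model of the SIDs that land in a logon token after a sidHistory migration.

A user and three nested groups were migrated from a "source" domain into a
"target" domain with sidHistory kept on every object.  The token holds the
user's SID, every group SID reached through transitive (nested) membership,
and the sidHistory entries carried by each of those objects.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

TARGET = "S-1-5-21-1000-1000-1000"   # constructed target-domain SID prefix
SOURCE = "S-1-5-21-2000-2000-2000"   # constructed source-domain SID prefix


@dataclass
class Principal:
    sid: str                                              # SID in the target domain
    sid_history: List[str] = field(default_factory=list)  # SIDs carried over from source
    member_of: List[str] = field(default_factory=list)    # direct memberships (target SIDs)


# User -> Group1 -> Group2 -> Group3; Group3 also lists Group1 to show a nesting loop.
DIRECTORY: Dict[str, Principal] = {
    f"{TARGET}-1105": Principal(f"{TARGET}-1105", [f"{SOURCE}-1105"], [f"{TARGET}-2001"]),
    f"{TARGET}-2001": Principal(f"{TARGET}-2001", [f"{SOURCE}-2001"], [f"{TARGET}-2002"]),
    f"{TARGET}-2002": Principal(f"{TARGET}-2002", [f"{SOURCE}-2002"], [f"{TARGET}-2003"]),
    f"{TARGET}-2003": Principal(f"{TARGET}-2003", [f"{SOURCE}-2003"], [f"{TARGET}-2001"]),
}


def expand_groups(directory: Dict[str, Principal], start: str) -> List[str]:
    """Transitive closure of memberOf, breadth first; loop-safe because AD allows cycles."""
    seen: Set[str] = set()
    queue = list(directory[start].member_of)
    order: List[str] = []
    while queue:
        sid = queue.pop(0)
        if sid in seen:
            continue
        seen.add(sid)
        order.append(sid)
        queue.extend(directory[sid].member_of)
    return order


def build_token(directory: Dict[str, Principal], user_sid: str) -> Dict[str, List[str]]:
    """Bucket the token SIDs the way the post lists them, plus the two buckets it asks about."""
    user = directory[user_sid]
    groups = expand_groups(directory, user_sid)
    direct = [g for g in groups if g in user.member_of]
    indirect = [g for g in groups if g not in user.member_of]
    return {
        "user": [user.sid],
        "user_sid_history": list(user.sid_history),
        "direct_groups": direct,
        "direct_group_sid_history": [h for g in direct for h in directory[g].sid_history],
        "indirect_groups": indirect,
        "indirect_group_sid_history": [h for g in indirect for h in directory[g].sid_history],
    }


def all_token_sids(token: Dict[str, List[str]]) -> Set[str]:
    return {sid for bucket in token.values() for sid in bucket}


def has_access(token: Dict[str, List[str]], allowed_sids: List[str]) -> bool:
    """An ACL still written for source-domain SIDs matches through the sidHistory entries."""
    return bool(all_token_sids(token) & set(allowed_sids))


if __name__ == "__main__":
    tok = build_token(DIRECTORY, f"{TARGET}-1105")
    for bucket, sids in tok.items():
        print(f"{bucket}: {sids}")
    print("access via source Group3 SID:", has_access(tok, [f"{SOURCE}-2003"]))
```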

SAM remote call on a 2019 DC


After promoting to a 2019 DC I see warnings with event ID 16969:

6 remote calls to the SAM database have been denied in the past 900 seconds throttling window.

Is this something I should worry about? Should I add "Domain Users" and "Domain Computers"?

There is a new registry setting on 2019 DC: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteS = O:BAG:BAD:(A;;RC;;;BA) that is not controlled by GPO.

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls
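Added example, not from the post: a minimal Python reader for the SDDL value quoted above, listing who the descriptor admits and flagging domain-wide principals such as Domain Users or Domain Computers, which would open remote SAM enumeration to every account in the domain. The alias table is a subset of the standard SDDL aliases; the widened value in the demo is constructed.

```python
"""Minimal SDDL reader for the RestrictRemoteSam security descriptor.

O:BAG:BAD:(A;;RC;;;BA) grants READ_CONTROL (RC) to BUILTIN\\Administrators
only; any other caller's remote SAM call is denied and counted in the
event 16969 throttling window.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# SDDL two-letter SID aliases relevant to this setting (subset of the full table).
SID_ALIASES = {
    "BA": "BUILTIN\\Administrators",
    "DA": "Domain Admins",
    "DU": "Domain Users",
    "DC": "Domain Computers",
    "AU": "Authenticated Users",
    "WD": "Everyone",
    "SY": "LOCAL SYSTEM",
}

# Granting these means every user or every machine account may enumerate remotely.
BROAD_PRINCIPALS = {"DU", "DC", "AU", "WD"}

SECTION_RE = re.compile(r"([OGDS]):")   # O:owner G:group D:dacl S:sacl markers
ACE_RE = re.compile(r"\(([^)]*)\)")      # one parenthesised ACE


@dataclass
class Ace:
    ace_type: str      # "A" = access allowed, "D" = access denied
    flags: str         # inheritance flags, empty for this setting
    rights: List[str]  # e.g. ["RC"]; a hex mask is kept as one token
    trustee: str       # SDDL alias or literal S-1-... string

    @property
    def trustee_name(self) -> str:
        return SID_ALIASES.get(self.trustee, self.trustee)


def split_rights(rights: str) -> List[str]:
    """Rights are either a single hex mask (0x...) or two-letter tokens run together."""
    if rights.startswith("0x"):
        return [rights]
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def parse_sddl(sddl: str) -> Dict[str, object]:
    """Return owner, group, DACL flags and the list of DACL ACEs.

    Handles the O:/G:/D: layout used by RestrictRemoteSam; an S: (SACL)
    section is split off but not interpreted.
    """
    marks = list(SECTION_RE.finditer(sddl))
    sections: Dict[str, str] = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(sddl)
        sections[m.group(1)] = sddl[m.end():end]
    dacl = sections.get("D", "")
    aces: List[Ace] = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        aces.append(Ace(fields[0], fields[1], split_rights(fields[2]), fields[5]))
    return {
        "owner": sections.get("O", ""),
        "group": sections.get("G", ""),
        "dacl_flags": dacl.split("(", 1)[0],   # e.g. "P" (protected); empty in the post's value
        "aces": aces,
    }


def allowed_principals(sddl: str) -> List[str]:
    """Trustees granted RC, the right a remote SAM caller is checked against."""
    return [a.trustee_name for a in parse_sddl(sddl)["aces"]
            if a.ace_type == "A" and "RC" in a.rights]


def broad_grants(sddl: str) -> List[str]:
    """Allow-ACEs for domain-wide principals: the effect of adding DU or DC."""
    return [a.trustee_name for a in parse_sddl(sddl)["aces"]
            if a.ace_type == "A" and "RC" in a.rights and a.trustee in BROAD_PRINCIPALS]


if __name__ == "__main__":
    default = "O:BAG:BAD:(A;;RC;;;BA)"                              # value quoted in the post
    widened = "O:BAG:BAD:(A;;RC;;;BA)(A;;RC;;;DU)(A;;RC;;;DC)"      # constructed: DU and DC added
    print("default allows:", allowed_principals(default), "broad:", broad_grants(default))
    print("widened allows:", allowed_principals(widened), "broad:", broad_grants(widened))
```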


Upgrading 2003 domain and forest functional levels


Hi,

We have several thousand users and computers using AD. Our environment is as follows, with a 2-way transitive trust between the 2 forests:

new-domain, 2012 R2 DCs, 2003 domain and forest functional levels.

old-domain, 2003 SP2 DCs, 2003 domain and forest functional levels.

We're planning on raising the functional levels of new-domain to 2012, but have some legacy clients:

16 NT 4 computers still using AD

50 Windows 2000 computers still using AD

200 Windows 2003 servers

Would raising the domain and forest functional levels break compatibility with the legacy operating systems?

Has Microsoft published a client compatibility matrix for functional levels and clients?

Would raising functional levels in the new-domain impact on the trust relationship?

Thanks in advance





LAPS Install: Update-AdmPwdADSchema : The requested attribute does not exist


Has anyone seen this issue before? I'm having a problem running the following command for LAPS to work, but online searching takes me nowhere.

This is what I have done:

1. I'm a schema admin, domain admin and enterprise admin, and I'm running the PowerShell command on the FSMO server

2. Running the commands from an elevated PowerShell

3. Running Update-AdmPwdADSchema works for the first two entries (AddSchemaAttribute); the third step of Update-AdmPwdADSchema throws the error message "Update-AdmPwdADSchema : The requested attribute does not exist."

4. There are no logs I can see to show why it's breaking.

AD 2019 and XP clients


Hello everyone,

I have a domain on servers 2019 with forest functional level and domain 2012.

I have tried to join XP client computers to the domain, but it gives me "internal error". I have enabled SMB1 on the DCs and it still doesn't work.

Would it be possible to add those XP computers in the domain?

Thank you.

DCDiag Errors


Hello, 

I keep getting the same error on all DCs. They are all replicating with 0 errors; only when I run DCDiag do I get the same error. When I run GPUPDATE on the servers it runs successfully. I have checked all settings, DNS, etc. When I run GPUPDATE I get another error. Any help would be great!

Here is from one of the servers: 

Microsoft Windows [Version 6.2.9200]
(c) 2012 Microsoft Corporation. All rights reserved.

C:\Windows\system32>ipconfig /registerdns

Windows IP Configuration

Registration of the DNS resource records for all adapters of this computer has b
een initiated. Any errors will be reported in the Event Viewer in 15 minutes.

C:\Windows\system32>dcdiag /fix

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = BLANK-DC03
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\BLANK-DC03
      Starting test: Connectivity
         ......................... BLANK-DC03 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\BLANK-DC03
      Starting test: Advertising
         ......................... BLANK-DC03 passed test Advertising
      Starting test: FrsEvent
         ......................... BLANK-DC03 passed test FrsEvent
      Starting test: DFSREvent
         ......................... BLANK-DC03 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... BLANK-DC03 passed test SysVolCheck
      Starting test: KccEvent
         ......................... BLANK-DC03 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... BLANK-DC03 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... BLANK-DC03 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... BLANK-DC03 passed test NCSecDesc
      Starting test: NetLogons
         ......................... BLANK-DC03 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... BLANK-DC03 passed test ObjectsReplicated
      Starting test: Replications
         ......................... BLANK-DC03 passed test Replications
      Starting test: RidManager
         ......................... BLANK-DC03 passed test RidManager
      Starting test: Services
         ......................... BLANK-DC03 passed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x0000043D
            Time Generated: 05/18/2020   10:16:24
            Event String:
            Windows failed to apply the Group Policy Files settings. Group Polic
y Files settings might have its own log file. Please click on the "More informat
ion" link.
         A warning event occurred.  EventID: 0x0000043D
            Time Generated: 05/18/2020   10:16:24
            Event String:
            Windows failed to apply the Group Policy Shortcuts settings. Group P
olicy Shortcuts settings might have its own log file. Please click on the "More
information" link.
         A warning event occurred.  EventID: 0x0000043D
            Time Generated: 05/18/2020   10:21:24
            Event String:
            Windows failed to apply the Group Policy Files settings. Group Polic
y Files settings might have its own log file. Please click on the "More informat
ion" link.
         A warning event occurred.  EventID: 0x0000043D
            Time Generated: 05/18/2020   10:21:24
            Event String:
            Windows failed to apply the Group Policy Shortcuts settings. Group P
olicy Shortcuts settings might have its own log file. Please click on the "More
information" link.
         A warning event occurred.  EventID: 0x0000043D
            Time Generated: 05/18/2020   10:26:24
            Event String:
            Windows failed to apply the Group Policy Files settings. Group Polic
y Files settings might have its own log file. Please click on the "More informat
ion" link.
         A warning event occurred.  EventID: 0x0000043D
            Time Generated: 05/18/2020   10:26:24
            Event String:
            Windows failed to apply the Group Policy Shortcuts settings. Group P
olicy Shortcuts settings might have its own log file. Please click on the "More
information" link.
         A warning event occurred.  EventID: 0x0000043D
            Time Generated: 05/18/2020   10:31:25
            Event String:
            Windows failed to apply the Group Policy Files settings. Group Polic
y Files settings might have its own log file. Please click on the "More informat
ion" link.
         A warning event occurred.  EventID: 0x0000043D
            Time Generated: 05/18/2020   10:31:25
            Event String:
            Windows failed to apply the Group Policy Shortcuts settings. Group P
olicy Shortcuts settings might have its own log file. Please click on the "More
information" link.
         A warning event occurred.  EventID: 0x0000043D
            Time Generated: 05/18/2020   10:36:25
            Event String:
            Windows failed to apply the Group Policy Files settings. Group Polic
y Files settings might have its own log file. Please click on the "More informat
ion" link.
         A warning event occurred.  EventID: 0x0000043D
            Time Generated: 05/18/2020   10:36:25
            Event String:
            Windows failed to apply the Group Policy Shortcuts settings. Group P
olicy Shortcuts settings might have its own log file. Please click on the "More
information" link.
         A warning event occurred.  EventID: 0x0000043D
            Time Generated: 05/18/2020   10:41:25
            Event String:
            Windows failed to apply the Group Policy Files settings. Group Polic
y Files settings might have its own log file. Please click on the "More informat
ion" link.
         A warning event occurred.  EventID: 0x0000043D
            Time Generated: 05/18/2020   10:41:25
            Event String:
            Windows failed to apply the Group Policy Shortcuts settings. Group P
olicy Shortcuts settings might have its own log file. Please click on the "More
information" link.
         A warning event occurred.  EventID: 0x0000043D
            Time Generated: 05/18/2020   10:46:25
            Event String:
            Windows failed to apply the Group Policy Files settings. Group Polic
y Files settings might have its own log file. Please click on the "More informat
ion" link.
         A warning event occurred.  EventID: 0x0000043D
            Time Generated: 05/18/2020   10:46:25
            Event String:
            Windows failed to apply the Group Policy Shortcuts settings. Group P
olicy Shortcuts settings might have its own log file. Please click on the "More
information" link.
         A warning event occurred.  EventID: 0x0000043D
            Time Generated: 05/18/2020   10:51:25
            Event String:
            Windows failed to apply the Group Policy Files settings. Group Polic
y Files settings might have its own log file. Please click on the "More informat
ion" link.
         A warning event occurred.  EventID: 0x0000043D
            Time Generated: 05/18/2020   10:51:26
            Event String:
            Windows failed to apply the Group Policy Shortcuts settings. Group P
olicy Shortcuts settings might have its own log file. Please click on the "More
information" link.
         A warning event occurred.  EventID: 0x0000043D
            Time Generated: 05/18/2020   10:56:26
            Event String:
            Windows failed to apply the Group Policy Files settings. Group Polic
y Files settings might have its own log file. Please click on the "More informat
ion" link.
         A warning event occurred.  EventID: 0x0000043D
            Time Generated: 05/18/2020   10:56:26
            Event String:
            Windows failed to apply the Group Policy Shortcuts settings. Group P
olicy Shortcuts settings might have its own log file. Please click on the "More
information" link.
         A warning event occurred.  EventID: 0x0000043D
            Time Generated: 05/18/2020   11:01:26
            Event String:
            Windows failed to apply the Group Policy Files settings. Group Polic
y Files settings might have its own log file. Please click on the "More informat
ion" link.
         A warning event occurred.  EventID: 0x0000043D
            Time Generated: 05/18/2020   11:01:26
            Event String:
            Windows failed to apply the Group Policy Shortcuts settings. Group P
olicy Shortcuts settings might have its own log file. Please click on the "More
information" link.
         A warning event occurred.  EventID: 0x0000043D
            Time Generated: 05/18/2020   11:06:26
            Event String:
            Windows failed to apply the Group Policy Files settings. Group Polic
y Files settings might have its own log file. Please click on the "More informat
ion" link.
         A warning event occurred.  EventID: 0x0000043D
            Time Generated: 05/18/2020   11:06:26
            Event String:
            Windows failed to apply the Group Policy Shortcuts settings. Group P
olicy Shortcuts settings might have its own log file. Please click on the "More
information" link.
         A warning event occurred.  EventID: 0x0000043D
            Time Generated: 05/18/2020   11:11:26
            Event String:
            Windows failed to apply the Group Policy Files settings. Group Polic
y Files settings might have its own log file. Please click on the "More informat
ion" link.
         A warning event occurred.  EventID: 0x0000043D
            Time Generated: 05/18/2020   11:11:26
            Event String:
            Windows failed to apply the Group Policy Shortcuts settings. Group P
olicy Shortcuts settings might have its own log file. Please click on the "More
information" link.
         ......................... BLANK-DC03 passed test SystemLog
      Starting test: VerifyReferences
         ......................... BLANK-DC03 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : blank
      Starting test: CheckSDRefDom
         ......................... blank passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... blank passed test CrossRefValidation

   Running enterprise tests on : blank.net
      Starting test: LocatorCheck
         ......................... blank.net passed test LocatorCheck
      Starting test: Intersite
         ......................... blank.net passed test Intersite

C:\Windows\system32>

Here is GPUPDATE from a PC:

Microsoft Windows [Version 10.0.18362.720]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Users\dental>gpupdate
Updating policy...

Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
User Policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not resolve the user name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

C:\Users\dental>The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
'The' is not recognized as an internal or external command,
operable program or batch file.

C:\Users\dental>The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
'The' is not recognized as an internal or external command,
operable program or batch file.

C:\Users\dental>
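Added example, not from the post: a Python parser for the dcdiag output format shown above that records each test's result and reassembles the console-wrapped Event String lines, so the repeated 0x43D warnings can be compared and counted. The sample input is a constructed, shortened copy of the output in the post with the same 80-column wrapping.

```python
"""dcdiag output parser: per-test pass/fail plus the events printed under SystemLog.

SAMPLE is a shortened, constructed copy of the post's output with the Event String
lines wrapped exactly as cmd.exe wrapped them at 80 columns; the parser re-joins
them so repeated events compare equal.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

START_RE = re.compile(r"^\s*Starting test: (\S+)")
RESULT_RE = re.compile(r"^\s*\.{3,} (\S+) (passed|failed) test")
EVENT_RE = re.compile(r"^\s*An? (warning|error) event occurred\.\s+EventID: (0x[0-9A-Fa-f]+)")
TIME_RE = re.compile(r"^\s*Time Generated: (.+?)\s*$")


@dataclass
class Event:
    level: str      # "warning" or "error"
    event_id: int   # 0x43D = 1085, the Group Policy extension failure seen in the post
    time: str
    message: str


@dataclass
class Report:
    results: Dict[Tuple[str, str], bool] = field(default_factory=dict)  # (target, test) -> passed
    events: List[Event] = field(default_factory=list)


def parse_dcdiag(text: str, width: int = 80) -> Report:
    report, current_test = Report(), "?"
    event, parts, in_message, prev_len = None, [], False, 0   # Event String being collected

    def flush() -> None:
        nonlocal event, parts, in_message
        if event is not None:
            event.message = "".join(parts).strip()
            report.events.append(event)
        event, parts, in_message = None, [], False

    for raw in text.splitlines():
        line = raw.rstrip()
        if m := START_RE.match(line):
            flush()
            current_test = m.group(1)      # result lines may push the name to the next line
        elif m := RESULT_RE.match(line):
            flush()
            report.results[(m.group(1), current_test)] = m.group(2) == "passed"
        elif m := EVENT_RE.match(line):
            flush()
            event = Event(m.group(1), int(m.group(2), 16), "", "")
        elif event is None or not line.strip():
            continue
        elif m := TIME_RE.match(line):
            event.time = m.group(1)
        elif line.strip() == "Event String:":
            in_message, prev_len = True, 0
        elif 0 < len(line) - len(line.lstrip()) < 12:
            flush()                        # any other dcdiag line ends the event text
        elif in_message:
            if line[0].isspace():          # a message line as dcdiag printed it (12-space indent)
                parts.append(("" if not parts else " ") + line.strip())
            else:                          # console wrap: a full-width line above means the
                parts.append(("" if prev_len >= width else " ") + line)  # break fell mid-word
            prev_len = len(line)
    flush()
    return report


def failed_tests(report: Report) -> List[Tuple[str, str]]:
    return [key for key, ok in report.results.items() if not ok]


def event_summary(report: Report) -> Dict[Tuple[int, str], int]:
    """Collapse repeats (the post shows the same two warnings every five minutes) to counts."""
    counts: Dict[Tuple[int, str], int] = {}
    for ev in report.events:
        counts[(ev.event_id, ev.message)] = counts.get((ev.event_id, ev.message), 0) + 1
    return counts


SAMPLE = "\n".join([
    "      Starting test: SystemLog",
    "         A warning event occurred.  EventID: 0x0000043D",
    "            Time Generated: 05/18/2020   10:16:24",
    "            Event String:",
    "            Windows failed to apply the Group Policy Files settings. Group Polic",
    "y Files settings might have its own log file. Please click on the \"More informat",
    "ion\" link.",
    "         A warning event occurred.  EventID: 0x0000043D",
    "            Time Generated: 05/18/2020   10:16:24",
    "            Event String:",
    "            Windows failed to apply the Group Policy Shortcuts settings. Group P",
    "olicy Shortcuts settings might have its own log file. Please click on the \"More",
    "information\" link.",
    "         ......................... BLANK-DC03 passed test SystemLog",
    "      Starting test: CrossRefValidation",
    "         ......................... ForestDnsZones passed test",
    "         CrossRefValidation",
])
```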

Security Eventlog 7470


Hi,

I have a question. The event 7470 (account lockout) is replicating to the controller with all the FSMO roles; is that normal?

I thought security events do not replicate between controllers.

Best regards 

Replication Failure Forest to Child Domain


Just started at new company and doing AD Health Checks on Forests.

Found out in the DEV Forest Root that it is not replicating to the Child Dev Domain.

Running repadmin /showrepl I see that the Forest DCs are replicating fine, but there are failures on the Child DCs. Using Get-ADReplicationFailure from any Forest DC, I get "Either the target name is incorrect or the server has rejected client credentials."

Running these commands from the Child Domain shows replication is fine. No errors.

From the Child DCs, I ran nltest /sc_query:ChildDev /server:AllForestRootDC Names.

Every DC response from the Forest DCs returned Success, except for DC05; from every Child DC, I got "Error_NO_LOGON_SERVERS".

Running nltest /sc_query:ForestDEV /server:AnyChildDC Name returns "Error_ACCESS_DENIED".

From the replication errors, it looks like the Forest DCs have not replicated to the Child DCs since April 2019.

I believe I can either try to run Reset-MachinePassword on DC05

Or Force Demote DC05

Doing this, I hope the Secure Channels from the Forest DCs to the Child DCs will be rebuilt and replication will happen.

But, since the Forest and Child have not replicated in over a year, how are these partitions going to figure out what data is valid? Even though this is a DEV Forest, from conversations, this is heavily used (Fortune 100 Company), so me breaking it would not be good.

DFS Domain Migration


Forgive me if I put this question in the wrong forum.

We are currently in the middle of a domain migration. We are migrating all of our servers and systems from one domain to another. It is time to migrate our DFS server, but I know it is not just joining it to the new domain. Does anybody have any ideas on how to go about this without having to reinvent the whole wheel?

I will have to migrate DFS from domain.xyz to domain.com.

thanks.


Server 2019 SYSVOL DFSR Replication Issue


Hello All,

I'm in the process of moving my test environment DCs from 2016 to 2019. I have two VM domain controllers hosted on separate physical Hyper-V servers. The 2016 DCs have been demoted and are gone. The issue I'm running into is that DC2 is still trying to connect to the previous PDC to replicate SYSVOL and nothing I have tried will force it to connect to the new PDC.

I have tried both non authoritative and authoritative synchronizations in that order. The authoritative reset did fix the last 2016 DC, allowing me to demote it cleanly, but not this dang 2019 DC2. I have also verified with PortQryV2 that RPC ports are open and available on both boxes as needed.

Steps I followed for sync resets - https://support.microsoft.com/en-us/help/2218556/how-to-force-an-authoritative-and-non-authoritative-synchronization-fo

Old PDC = CDS-DC1

New PDC (OWNS ALL FSMO ROLES) = DC1

Broken DC = DC2

Current Status

c:\>For /f %i IN ('dsquery server -o rdn') do @echo %i && @wmic /node:"%i" /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo WHERE replicatedfoldername='SYSVOL share' get replicationgroupname,replicatedfoldername,state
DC1
ReplicatedFolderName  ReplicationGroupName  State
SYSVOL Share          Domain System Volume  4

DC2
ReplicatedFolderName  ReplicationGroupName  State
SYSVOL Share          Domain System Volume  2

DC2 logs the following Two events.
Event 5008, DFSR

The DFS Replication service failed to communicate with partner CDS-DC1 for replication group Domain System Volume. This error can occur if the host is unreachable, or if the DFS Replication service is not running on the server.
 
Partner DNS Address: CDS-DC1.blah.blah


Optional data if available:
Partner WINS Address: CDS-DC1
Partner IP Address:  
 
The service will retry the connection periodically.
 
Additional Information:
Error: 1722 (The RPC server is unavailable.)
Connection ID: 76EB5819-AAAB-4364-B519-281DD36FCD06
Replication Group ID: CD548712-603D-4A85-942B-A59FE9BF0884


AND

Event 4612, DFSR

The DFS Replication service initialized SYSVOL at local path C:\Windows\SYSVOL\domain and is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner CDS-DC1.blah.blah. If the server was in the process of being promoted to a domain controller, the domain controller will not advertise and function as a domain controller until this issue is resolved. This can occur if the specified partner is also in the initial synchronization state, or if sharing violations are encountered on this server or the sync partner. If this event occurred during the migration of SYSVOL from File Replication service (FRS) to DFS Replication, changes will not replicate out until this issue is resolved. This can cause the SYSVOL folder on this server to become out of sync with other domain controllers.
 
Additional Information:
Replicated Folder Name: SYSVOL Share
Replicated Folder ID: C231A149-32D1-4409-BAD3-06D99FC984D4
Replication Group Name: Domain System Volume
Replication Group ID: 76EB5819-AAAB-4364-B519-281DD36FCD06
Member ID: DA048552-7291-48B2-A920-3702A6037E1D
Read-Only: 0

While the PDC logs the following

Event 5004, DFSR

The DFS Replication service successfully established an inbound connection with partner DC2 for replication group Domain System Volume.
 
Additional Information:
Connection Address Used: DC2.blah.blah
Connection ID: 50FC82BE-5A3D-428B-8606-811BAC3DF2EC
Replication Group ID: CD548712-603D-4A85-942B-A59FE9BF0884

AND

Event 5014, DFSR

The DFS Replication service failed to communicate with partner DC2 for replication group Domain System Volume. This error can occur if the host is unreachable, or if the DFS Replication service is not running on the server.
 
Partner DNS Address: DC2.blah.blah
 
Optional data if available:
Partner WINS Address: DC2
Partner IP Address: blah.blah.blah.blah
 
The service will retry the connection periodically.
 
Additional Information:
Error: 1722 (The RPC server is unavailable.)
Connection ID: 50FC82BE-5A3D-428B-8606-811BAC3DF2EC
Replication Group ID: CD548712-603D-4A85-942B-A59FE9BF0884

AND Finally

Event 5008, DFSR

The DFS Replication service failed to communicate with partner DC2 for replication group Domain System Volume. This error can occur if the host is unreachable, or if the DFS Replication service is not running on the server.
 
Partner DNS Address: DC2.blah.blah
 
Optional data if available:
Partner WINS Address: DC2
Partner IP Address: blah.blah.blah.blah
 
The service will retry the connection periodically.
 
Additional Information:
Error: 1722 (The RPC server is unavailable.)
Connection ID: 50FC82BE-5A3D-428B-8606-811BAC3DF2EC
Replication Group ID: CD548712-603D-4A85-942B-A59FE9BF0884

After my third 3am bash against this I think I finally need to ask for some help. Why was CDS-DC2 fixed by the authoritative sync reset but DC2 isn't?

ADFS browse error


Hi,

I just created an ADFS on a Windows 2016 machine. When I try to run https://federationserver01.mydomain.com/adfs/ls/idpinitiatedsignon.aspx I get "page cannot be displayed" using Chrome, and when I use IE11 it says "Turn on TLS 1.0, TLS 1.1, TLS 1.2". TLS in IE is already turned on, scripting and JavaScript enabled. Also, the idpinitiatedsignon page has been enabled already. Take note this is within the federation01 machine itself, so no FW policies or whatever come in between when accessing that link. I have done what many suggested on different forum sites, like adding TLS in the registry and using other browsers, but it does not work.

Thanks,

Janus



Corrupt Built in administrator account on Domain Controller


Hello guys, recently we have had issues where our administrators in the built-in Administrators group inside of Active Directory have been getting kicked out randomly. At this point I believe it to be corrupted, because we have tried several things in order to try and fix this, such as adding the administrators back into the Administrators group and enabling inheritance in the security section, but still no luck, as they continuously get kicked out and it's driving me crazy. Because not only is it not allowing us to add ourselves as domain administrators on our machines, it has also kicked out our domain users as domain administrators on their devices and is not allowing them to download things, and an admin can't remote into their computers and input their login info because at this point no one has "admin" permissions. So it's just been a whole frustrating situation. Has anyone ever run into this problem before? What were some fixes that helped you out?

*Multiple people were also logging into the domain controller with the admin info; not sure if that makes a difference.
