Channel: Directory Services forum

dcdiag - The system object reference (serverReference)


Hi,

Noticed with dcdiag that we had some references to old/temporary host names. It does not give us any error, but I guess it could. The host names do not exist; they were temporary host names for the DCs after replacing them 2-3 years ago.

*****************************

      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=DCTS1,OU=Domain Controllers,DC=domain,DC=local and backlink on
         CN=DCTS1,CN=Servers,CN=Site,CN=Sites,CN=Configuration,DC=domain,DC=local
         are correct.
         The system object reference (serverReferenceBL)
         CN=DCTSNEW,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=domain,DC=local
         and backlink on
         CN=NTDS Settings,CN=DCTS1,CN=Servers,CN=Site,CN=Sites,CN=Configuration,DC=domain,DC=local
         are correct.
         The system object reference (msDFSR-ComputerReferenceBL)
         CN=DCTSNEW,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=domain,DC=local
         and backlink on CN=DCTS1,OU=Domain Controllers,DC=domain,DC=local
         are correct.
         ......................... DCTS1 passed test VerifyReferences



      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=DCBS1,OU=Domain Controllers,DC=domain,DC=local and backlink on
         CN=DCBS1,CN=Servers,CN=Site,CN=Sites,CN=Configuration,DC=domain,DC=local
         are correct.
         The system object reference (serverReferenceBL)
         CN=DCBSTMP,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=domain,DC=local
         and backlink on
         CN=NTDS Settings,CN=DCBS1,CN=Servers,CN=Site,CN=Sites,CN=Configuration,DC=domain,DC=local
         are correct.
         The system object reference (msDFSR-ComputerReferenceBL)
         CN=DCBSTMP,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=domain,DC=local
         and backlink on CN=DCBS1,OU=Domain Controllers,DC=domain,DC=local
         are correct.
         ......................... DCBS1 passed test VerifyReferences

***************************

DCTSNEW does not exist

DCBSTMP does not exist

DCTS1 exists

DCBS1 exists


So do I need to clean this up, and could I cause problems by just right-clicking and deleting them?

Thanks for answers.


/Regards Andreas
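The VerifyReferences output above walks the msDFSR-Member objects under CN=Topology,CN=Domain System Volume and checks that each one's msDFSR-ComputerReference and its backlink resolve. The following read-only PowerShell audit is an added example (it is not from the post and makes no changes to the directory): it lists every SYSVOL replication-group member, checks that it references a current domain controller, and flags members whose name no longer matches that DC's name, which is exactly the DCTSNEW -> DCTS1 situation shown above. It assumes the ActiveDirectory module and rights to read the domain's System container.

```powershell
# Added example, not from the post: read-only audit of the DFSR SYSVOL
# replication-group members that dcdiag's VerifyReferences test walks.
# For each msDFSR-Member under the Domain System Volume topology it checks
# that msDFSR-ComputerReference points at a live DC, and whether the member's
# name still matches that DC's name (an old/temporary name shows up here).
Import-Module ActiveDirectory

$domainDN   = (Get-ADDomain).DistinguishedName
$topologyDN = "CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,$domainDN"

# Authoritative list of current DCs, keyed by computer object DN
# (PowerShell hashtables compare string keys case-insensitively).
$dcByDN = @{}
foreach ($dc in Get-ADDomainController -Filter *) {
    $dcByDN[$dc.ComputerObjectDN] = $dc.Name
}

$members = Get-ADObject -SearchBase $topologyDN -SearchScope OneLevel `
    -LDAPFilter '(objectClass=msDFSR-Member)' `
    -Properties 'msDFSR-ComputerReference', whenCreated

foreach ($m in $members) {
    $ref = $m.'msDFSR-ComputerReference'
    $status = 'OK'
    if (-not $ref) {
        $status = 'NO-REFERENCE'        # dangling member object
    } elseif (-not $dcByDN.ContainsKey($ref)) {
        $status = 'REFERENCES-NON-DC'   # points at a removed or unknown computer
    } elseif ($dcByDN[$ref] -ne $m.Name) {
        $status = 'NAME-MISMATCH'       # e.g. member DCTSNEW referencing computer DCTS1
    }
    [pscustomobject]@{
        Member   = $m.Name
        Status   = $status
        Computer = $ref
        Created  = $m.whenCreated
    }
}
```

A NAME-MISMATCH member whose reference and backlink still resolve is what dcdiag reports as "correct": the object is live, only its name is stale. Only NO-REFERENCE or REFERENCES-NON-DC rows indicate a member that no current DC owns, and even then the audit leaves the decision and any cleanup to the administrator.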


While opening Active Directory Users and Services I get the error "Logon Failure: the user has not been granted the requested logon type at this computer"


Hello,

While opening Active Directory Users and Services I get the error "Logon Failure: the user has not been granted the requested logon type at this computer".


Can you please help.

Regards,

Yogesh

0x0000232B RCODE_NAME_ERROR - Win Server 2016


Hello my friends, how are you?
I need some assistance from you.

I have a Windows Server 2016 host running a virtual machine that is my DC server; I also have two other virtual machines on that Windows server (one for remote access, the other for my SQL server)... but that's not important now.

So, everything is configured and has always worked fine.
However, since yesterday I'm having a problem. All the computers that are already inside the domain don't have any problem: they get their IP correctly and everything works fine.

However, if I add a new computer to the domain I get error 0x0000232 RCODE_NAME_ERROR when I try to join the domain. I don't know what can be wrong. The IPs are correct, the DNS is correct... I have not figured out what may be causing this.

Can someone point me in the correct direction?

thank you!

AppLocker logs are not showing in wbemtest with the '=' operator but it is fine with 'like'


Hello guys,

Good morning,

Initially I had a problem with AppLocker logs: the latest logs were not getting into Event Viewer after creating the key 'Microsoft-Windows-AppLocker/EXE and DLL', and I got a solution from this site.

Now I am able to get the latest logs in Event Viewer, but they are not showing in wbemtest with the '=' operator, while it is fine with 'like'. Please find the details below.

I have created a key 'Microsoft-Windows-AppLocker/EXEandDLL' and changed the file path to %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-AppLocker%4EXEandDLL.evtx in

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-AppLocker/EXE and DLL

I am able to get the logs in Event Viewer as well.

Not working in wbemtest : select * from win32_ntlogevent where logfile = 'Microsoft-Windows-AppLocker/EXE and DLL' 

working in wbemtest : select * from win32_ntlogevent where logfile like 'Microsoft-Windows-AppLocker/EXE and DLL'

My doubt is:

Why am I not getting any events using '=', while with 'like' it shows fine?

Thanks in Advance.

Active Directory Troubleshooting, Solution and New Deployments


Dear Team

I want two-way replication from the DC (primary domain controller) to the secondary domain controller. When I create a user on the DC, it takes a long time to replicate to the secondary domain controller. Please advise on the server-end Sites and Services settings and other tools.

Parvez

Event id 4776


Hi,

I have configured the setting in the Default Domain Controllers Policy "Send NTLMv2 response only, refuse LM and NTLM requests".

One of my domain users generated 1000 event ID 4776 entries with error code C000006A.

He used a workgroup PC and configured his domain account in a script.

That script failed to execute on the workgroup PC.

The domain controller did not lock out the account even after 1000 failed login attempts.

I don't have any fine-grained password policy configured.

May I know why this is not causing a lockout?


Custom group is not shown


While recreating a lost directory, I created a group that's supposed to be very highly privileged, like Enterprise Admins. Its privileges seem to work fine on member servers of the domain, but in other places (like VMware products or even Apache Directory Studio) the group doesn't even appear in a user's information sheet. The group only appears in the LDAP tree. Therefore its privileges are lost.

In a user account I'm using to test this, I first tried setting its primary group to the affected group (of which it already was a member), but it wasn't reflected in external systems; instead the account appeared as a member of another custom group, a regular low-privileged group to which it also belonged. Going further, I removed every other group from the account and left only the affected group, checked with Apache Directory Studio, and now it appears without a memberOf attribute and the group's name is nowhere to be found in the huge amount of data remotely gathered from the directory.

The account is still privileged inside the Windows environment though.

I went to the root of the directory in AD Users and Computers and delegated everything to the group, but that still won't make it appear outside of domain servers. It was a Global group, now it's a Universal group…still nothing.

The group is itself member of:

  • Administrators (built-in)
  • Enterprise Admins
  • Organization Management (for Exchange Server)

It's not a member of the Denied RODC Password Replication group, but I guess it's inherited from Enterprise Admins. It still wouldn't make any sense though because Enterprise Admins and Domain Admins both work outside of Windows.

Why is this happening? How can I get the group to show outside of Windows?


I bet you think this post is about you. Don't you…don't you. ♪

Move the SYSVOL and NTDS folder to another drive


Hi,

I have a single domain controller with 2 drives and I have installed the NTDS and SYSVOL folders on a separate drive (D). At first I was hesitant about installing them on the same drive (C), but I read somewhere that it is better to put them on a separate drive (for performance/space requirements).

However, now I want to configure a system state backup to a local drive, but Windows Server Backup (WSB) does not find any suitable local drives. I guess this is because C is used for the operating system and D is used for the SYSVOL and NTDS folders.

Now I would like to move SYSVOL and NTDS to the C drive so I can configure my backup, but it seems the only way to do this is to demote and re-promote the DC. However, this is a live production environment so I can't just do that.

Does anyone have an idea on how I should proceed? Is there another way to move the NTDS and SYSVOL folders?

Thanks already!


FRS to DFS Migration and Diagnostic Tools

Hello,

In our environment, all of our domain controllers are running Windows 2008, using FRS. We plan very soon to cut over to DFS, so we can add Domain Controllers running Server 2019 to the domain.

It appears there are several tools to verify domain replication, namely:
1. The FRSdiag tool, which doesn't appear to work on Windows 10.
2. The Ultrasound tool, which is no longer available.
3. ADReplStatus.

The ADReplStatus tool installs and runs on Windows 10. My question is: will it verify AD replication in an environment with Server 2008, currently running FRS?

Child domain NS order


Hello

I have an Active Directory forest with a parent domain (example.intranet) and a child domain (labs.example.intranet). In the DNS zone of example.intranet there is a zone delegation for labs.example.intranet; this zone delegation has three NS records (the child domain has 3 domain controllers). As far as I know, when a client of the parent NS asks it for a resource in labs.example.intranet, the parent NS will return to the client the list of NS available for the child zone. In Active Directory Sites and Services each child domain controller is associated with a specific network. But I have the following doubts: when a DNS client asks the parent domain NS for a resource in the child domain, in what order are the three NS of the child domain defined in the zone delegation returned, and which NS will be used first? Are Active Directory sites and subnets relevant for this NS order? Is there any way to force which NS is returned first? Is it random or does it depend on the subnet location of the client? And, if the first NS returned can't answer the client, will the client use the next NS until it gets an answer?

Thanks in advance

Proactive Steps for DNS Monitoring


Hi,

I have two DCs with Active Directory Integrated DNS.

In my organisation DNS is very important. I can't afford any downtime for my DNS or any error on the DNS server which could create a problem for the users.

As proactive steps, what do you do so that DNS works 100% perfectly in the organization?

Do you use some tool to monitor it?

Server OS: Windows Server 2008 R2 Standard edition

Please guide.

Thanks & Regards,

Param



AD User Password Expiration and Account Disable Questions


I have two situations and I have some thoughts but wanted some assistance.

1.) Max Password Age set to 90 days. User is remote. Password expires while the laptop is NOT connected to the domain network. From what I understand, the cached creds will work indefinitely on the local machine, and if they VPN in again (RSA and user cert auth) they will be prompted to change their password and not allowed to connect to domain resources until the password changes. I am not certain if this is correct or not, though.

2.) If a user is working remotely and connected to the domain network via VPN and while they are connected to the domain, their domain account is disabled, they will no longer be able to log into their laptop, even off domain. Again, I'm not certain if this is correct and looking for some assistance.

Thanks in advance!

WB

"whenchanged" attribute on a domain controller


Why does the domain controller change its own "whenchanged" attribute?

Is it changed periodically by the domain controller itself?

What causes changes in the attribute?

Recently one of our AD LDAP-connected applications stopped authenticating users. When they asked if there was any change done at the DC, we said no change, but then they came out with an LDAP screenshot showing that the domain controller had some changes: they showed the "whenchanged" attribute of the domain controller, which coincided with the LDAP authentication issue they faced on their application.

Can I know whether the domain controller changes this value by itself? Does installation of a patch change this attribute?


Shiva

Active Directory health reports shows errors


Hi,

A few weeks ago we migrated our 3 DCs from 2008 R2 to 2016; currently both the forest and domain functional levels are Windows Server 2008 R2. Everything seems to be fine, but when generating the AD Health report it shows the following error messages on all 3 DCs:

1. Sysvol mode is not DFS-R

2. Advertising failed, consider running: dcdiag.exe /test:Advertising

3. DNS failed, consider running: dcdiag.exe /test:DNS

4. VerifyEnterpriseReferences failed, consider running: dcdiag.exe /test:verifyEnterpriseReference.

When executing dcdiag I receive the following result; kindly advise further!

C:\Windows\system32>dcdiag.exe

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DC1
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DC1
      Starting test: Connectivity
         ......................... DC1 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DC1
      Starting test: Advertising
         ......................... DC1 passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL
         replication problems may cause Group Policy problems.
         ......................... DC1 passed test FrsEvent
      Starting test: DFSREvent
         ......................... DC1 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... DC1 passed test SysVolCheck
      Starting test: KccEvent
         ......................... DC1 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DC1 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DC1 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... DC1 passed test NCSecDesc
      Starting test: NetLogons
         ......................... DC1 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DC1 passed test ObjectsReplicated
      Starting test: Replications
         ......................... DC1 passed test Replications
      Starting test: RidManager
         ......................... DC1 passed test RidManager
      Starting test: Services
         ......................... DC1 passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x00002720
            Time Generated: 07/06/2020   14:29:48
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
         An error event occurred.  EventID: 0x00002720
            Time Generated: 07/06/2020   14:30:31
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
         An error event occurred.  EventID: 0x00002720
            Time Generated: 07/06/2020   14:31:18
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
         ......................... DC1 failed test SystemLog
      Starting test: VerifyReferences
         ......................... DC1 passed test VerifyReferences


   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : ***********
      Starting test: CheckSDRefDom
         ......................... *********** passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... *********** passed test CrossRefValidation

   Running enterprise tests on : ***********.com
      Starting test: LocatorCheck
         ......................... ***********.com passed test LocatorCheck
      Starting test: Intersite
         ......................... ***********.com passed test Intersite

C:\Windows\system32>

Thanks in advance


Same rIDAllocationPool on two DC


Hello,

I have 3 DCs on two sites ("bleu", "blanc" and "rouge"). They run Server 2008 R2 or 2019.

Due to a major issue, I restored these 3 DCs a few months ago (entire VM, same backup day).

Now when I create a new object on "rouge" I got event ID 12293:

There are two or more objects that have the same SID attribute in the SAM database. The Distinguished Name of the account is CN=xxxxxxxxxxxxxxxxxxx. All duplicate accounts have been deleted. Check the event log for additional duplicates.

"bleu" and "rouge" are sharing the same rid allocation pool.

"bleu": Starting test: RidManager
* Available RID Pool for the Domain is 39107 to 1073741823
* "bleu".contoso.com is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 37107 to 37606
* rIDPreviousAllocationPool is 37107 to 37606
* rIDNextRID: 37122

"rouge": Starting test: RidManager
* Available RID Pool for the Domain is 39107 to 1073741823
* "bleu".contoso.com is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 37107 to 37606
* rIDPreviousAllocationPool is 37107 to 37606
* rIDNextRID: 37112

DC "blanc" is using a different rIDAllocationPool.

Could you please confirm that "bleu" and "rouge" must not share the same rIDAllocationPool?

May I simply get a new RID pool by applying this article: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc733186(v=ws.10)?redirectedfrom=MSDN

Similar issue: https://social.technet.microsoft.com/Forums/windows/en-US/3f2f520e-40b0-4e86-bf4d-0b2876803529/user-accounts-deleted-when-creating-new-security-principals?forum=winserverDS

Thank you very much for your help on this topic.

Regards,

Mr Framboise
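The RidManager lines quoted above come from each DC's "RID Set" object, where a pool such as "37107 to 37606" is stored as a single 64-bit integer (low 32 bits = first RID, high 32 bits = last RID). The script below is an added example, not part of the post: it reads each DC's RID Set from that DC itself (so a DC whose own view differs after a VM restore is not masked by replication), decodes the current and previous pools, and warns about any two DCs whose rIDAllocationPool ranges overlap, the condition that produces the duplicate-SID event 12293. It assumes the ActiveDirectory module and read access to the domain controllers' computer objects.

```powershell
# Added example, not from the post: decode the RID pool attributes that
# dcdiag's RidManager test reports, reading each DC's "RID Set" object from
# that DC itself, and flag DCs whose rIDAllocationPool ranges overlap.
Import-Module ActiveDirectory

function ConvertFrom-RidPool {
    param([Int64]$Value)
    # A RID pool is stored as one 64-bit integer:
    # low 32 bits = first RID in the range, high 32 bits = last RID.
    [pscustomobject]@{
        Start = $Value -band [Int64][UInt32]::MaxValue
        End   = $Value -shr 32
    }
}

$pools = foreach ($dc in Get-ADDomainController -Filter *) {
    # Each writable DC owns a "RID Set" child under its computer object.
    $ridSet = Get-ADObject -Server $dc.HostName `
        -Identity "CN=RID Set,$($dc.ComputerObjectDN)" `
        -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID `
        -ErrorAction SilentlyContinue
    if (-not $ridSet) { continue }    # e.g. a DC without a RID Set, or unreachable

    $cur  = ConvertFrom-RidPool $ridSet.rIDAllocationPool
    $prev = ConvertFrom-RidPool $ridSet.rIDPreviousAllocationPool
    [pscustomobject]@{
        DC            = $dc.HostName
        PoolStart     = $cur.Start
        PoolEnd       = $cur.End
        PrevPoolStart = $prev.Start
        PrevPoolEnd   = $prev.End
        NextRID       = $ridSet.rIDNextRID
    }
}

# Two DCs must never hand out RIDs from overlapping ranges: the same RID on
# two DCs means the same SID on two security principals (event 12293).
foreach ($a in $pools) {
    foreach ($b in $pools) {
        if ($a.DC -lt $b.DC -and
            $a.PoolStart -le $b.PoolEnd -and $b.PoolStart -le $a.PoolEnd) {
            Write-Warning ("Overlapping rIDAllocationPool: {0} [{1}-{2}] and {3} [{4}-{5}]" -f
                $a.DC, $a.PoolStart, $a.PoolEnd, $b.DC, $b.PoolStart, $b.PoolEnd)
        }
    }
}

$pools | Format-Table -AutoSize
```

Run it from a workstation or DC with the RSAT AD module; the warning for "bleu" and "rouge" in the situation above would show both with [37107-37606]. The script only reads the attributes; it does not invalidate or reassign any pool.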


The directory service could not replicate the following object from the source directory service at the following network address because of an Active Directory Domain Services schema mismatch.


If anyone could please assist: I am attempting to add a new domain controller and I am getting the following error message.

I've verified that replication does not have any errors and have also made sure that the metadata is cleaned up, in ADSI Edit, Sites and Services and ADUC. I've tried this with 2 different servers (different names even).

DCDIAG testing DNS successful.

07/12/2016 16:46:31 [INFO] Replicating data CN=Configuration,DC=companydomain,DC=int: Received 5808 out of approximately 5808 objects and 271 out of approximately 1077 distinguished name (DN) values...
07/12/2016 16:46:33 [INFO] Replicating data CN=Configuration,DC=companydomain,DC=int: Received 6648 out of approximately 6648 objects and 1294 out of approximately 1294 distinguished name (DN) values...
07/12/2016 16:46:33 [INFO] Replicating data CN=Configuration,DC=companydomain,DC=int: Received 6773 out of approximately 6773 objects and 1414 out of approximately 1414 distinguished name (DN) values...
07/12/2016 16:46:33 [INFO] Replicated the configuration container.
07/12/2016 16:46:33 [INFO] Replicating critical domain information...
07/12/2016 16:46:34 [INFO] EVENTLOG (Warning): NTDS Replication / Replication : 1203
The directory service could not replicate the following object from the source directory service at the following network address because of an Active Directory Domain Services schema mismatch.



Object:
CN=Users,DC=companydomain,DC=int

Network address:
svp-mdc-dc1.companydomain.int



Active Directory Domain Services will attempt to synchronize the schema before attempting to synchronize the following directory partition.

Directory partition:
DC=companydomain,DC=int

07/12/2016 16:46:34 [INFO] Error - Active Directory Domain Services could not replicate the directory partition DC=companydomain,DC=int from the remote Active Directory Domain Controller svp-mdc-dc1.companydomain.int. (8418)
07/12/2016 16:46:34 [INFO] EVENTLOG (Error): NTDS General / Internal Processing : 1168
Internal error: An Active Directory Domain Services error has occurred.



Additional Data

Error value (decimal):
-1073741823

Error value (hex):
c0000001

Internal ID:
30017c6

07/12/2016 16:46:34 [INFO] EVENTLOG (Informational): NTDS General / Service Control : 1004
Active Directory Domain Services was shut down successfully.

07/12/2016 16:46:34 [INFO] Active Directory Domain Services is attempting to recursively delete the \Registry\Machine\System\CurrentControlSet\Services\NTDS registry key (DeleteRoot=0).
07/12/2016 16:46:34 [INFO] Active Directory Domain Services is attempting to recursively delete the \Registry\Machine\System\CurrentControlSet\Services\NTDS\Diagnostics registry key (DeleteRoot=1).
07/12/2016 16:46:34 [INFO] Active Directory Domain Services successfully deleted the \Registry\Machine\System\CurrentControlSet\Services\NTDS\Diagnostics registry key (DeleteRoot=1).
07/12/2016 16:46:34 [INFO] Active Directory Domain Services is attempting to recursively delete the \Registry\Machine\System\CurrentControlSet\Services\NTDS\Parameters registry key (DeleteRoot=1).
07/12/2016 16:46:34 [INFO] Active Directory Domain Services successfully deleted the \Registry\Machine\System\CurrentControlSet\Services\NTDS\Parameters registry key (DeleteRoot=1).
07/12/2016 16:46:34 [INFO] Active Directory Domain Services successfully deleted the \Registry\Machine\System\CurrentControlSet\Services\NTDS registry key (DeleteRoot=0).
07/12/2016 16:46:34 [INFO] NtdsInstall for companydomain.int returned 8418
07/12/2016 16:46:34 [INFO] DsRolepInstallDs returned 8418
07/12/2016 16:46:34 [ERROR] Failed to install to Directory Service (8418)
07/12/2016 16:46:42 [INFO] Starting service NETLOGON
07/12/2016 16:46:42 [INFO] Configuring service NETLOGON to 2 returned 0
07/12/2016 16:46:42 [INFO] The attempted domain controller operation has completed
07/12/2016 16:46:42 [INFO] Updating service status to 4
07/12/2016 16:46:42 [INFO] DsRolepSetOperationDone returned 0

SQL Server, Active Directory and DNS troubleshooting help


Hello guys, I need your help troubleshooting multiple issues on Windows Server 2016.

The first thing I noticed is that when I connected using Remote Desktop and tried to run a query on SQL Server, it took ~7.5 seconds to query 72k rows, but when I connect the application remotely from my PC it takes ~3 seconds.

I also think the server has huge Active Directory and DNS problems which might be related to the poor SQL performance, and if someone can point me in the right direction I would appreciate that so much. I will provide any information you need.

I want to add that the server also has an Active Directory replication problem.

Here is a DCDIAG log: https://pastebin.com/b5dNZ2nt

Thanks in advance!


Finding applications authenticate with domain controllers


Dear All,

We have a customer with Windows 2008 R2 domain controllers and plan to introduce Windows 2012 domain controllers and decommission the Windows 2008 R2 domain controllers one by one. We are trying to identify the applications authenticating with the current domain controllers. Please let me know what logs we can capture on the domain controller side to identify the application servers that are authenticating with AD, and to identify the legacy NTLM applications authenticating through the domain controllers.

Thanks and Regards,

Hariharan
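Both this post and the earlier "Event id 4776" post revolve around the same record: event 4776 (credential validation) is logged on the domain controller that validates an NTLM logon and carries the source workstation, the target account and a status code (0x0 success, 0xC000006A wrong password). The script below is an added example, not from either post: it pulls the 4776 events of the last N hours from a DC's Security log, parses the EventData fields, and summarises per source workstation how many NTLM validations occurred, how many were bad-password failures, and which accounts were involved. That summary lists the hosts still authenticating over NTLM (the question here) and shows where a burst of C000006A failures such as the one described earlier originates. It assumes "Audit Credential Validation" is enabled on the DC and that the caller can read its Security log; $Hours and $ComputerName are assumed parameters.

```powershell
# Added example, not from the posts: summarise NTLM credential-validation
# events (4776) on a domain controller by source workstation and result.
# Assumes "Audit Credential Validation" is enabled on the DC being queried.
param(
    [int]$Hours = 24,                            # assumption: look-back window
    [string]$ComputerName = $env:COMPUTERNAME    # assumption: the DC to query
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4776
    StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # 4776 EventData fields: PackageName, TargetUserName, Workstation, Status
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Workstation = $data['Workstation']
        User        = $data['TargetUserName']
        Status      = $data['Status']    # 0x0 = success, 0xC000006A = bad password
    }
}

# Per-workstation summary: total NTLM validations, bad-password failures,
# and the accounts seen from that host. A high Total from an application
# server marks it as an NTLM client; a high BadPassword count from one host
# with one account is the signature of a stored credential gone stale.
$rows | Group-Object Workstation | ForEach-Object {
    [pscustomobject]@{
        Workstation = $_.Name
        Total       = $_.Count
        BadPassword = @($_.Group | Where-Object { $_.Status -eq '0xC000006A' }).Count
        Users       = ($_.Group.User | Sort-Object -Unique) -join ','
    }
} | Sort-Object Total -Descending | Format-Table -AutoSize
```

Run it against each DC in turn, since 4776 is recorded only on the DC that performed the validation; hosts with zero 4776 entries but normal logons are authenticating with Kerberos (4768/4769) and need no NTLM allowance when the 2008 R2 DCs are removed. String comparison with -eq is case-insensitive in PowerShell, so the lowercase hex the event XML uses still matches.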

DFS shared folder throws 'unexpected network error' OR 'element not found' errors


Hi Experts,

I'm having a weird issue with our shared folders (DFS namespace): several users complain of intermittent mapped drive disconnections.

Symptoms :

They get either 'unexpected network error' OR 'element not found' errors on accessing shared folders and if we acknowledge the error by clicking 'YES', they can enter.

Sometimes, even if they managed to access a particular folder, the sub folders wouldn't be visible. The issue comes back and forth at irregular intervals. I have several clients who have never faced issues with the same shared folders too. So far this issue is reported with few users. (I'm not sure if this issue is propagating and one day everyone else would face this!)

Changes in infrastructure & Troubleshooting done so far:

I started noticing this issue after upgrading my DCs to Windows 2016. There are no visible errors when executing dcdiag, netdiag or repadmin to check the AD health.

Even the file servers are fully updated too, and I couldn't see any errors related to this except for the successful file/folder access events in the Security audit logs on the file servers.

As a workaround, I have mapped the folder using the \\server\share path on one of the PCs and this works fine without an issue. But the issue pops up the moment I map the shared folder using the DFS path again.

All the client PCs are Windows 10 (different builds) with the latest patches installed and fully updated.

When the PC is rebooted, the folder access works for some time without an issue.

But when I reverted it back again to map the folder using the DFS path, the issue pops up.

Please shed some light on what could possibly be going wrong!

Thanks in advance and regards,

Techie




