Channel: Directory Services forum

Windows 2012 Domain Controller - Already a DC Shows Post Deployment task to promote server


I have a 2012 Domain Controller. Appears to be functioning as expected. I can force replications to and from the server with no problems. But, there is a post deployment task pending with a prompt to promote the server to a domain controller.

I would like to clear this flag since the server is already a domain controller. Is there a simple registry key that can be modified?

Thanks,


DC - refuses administrator log on


History: I migrated a 2003 domain to 2012 R2 (2 DCs), now native. All was OK until my 1st reboot of the 2nd DC. It lost its ability to communicate with the domain. I've demoted/removed it and am now on 1 DC until I can do some more testing. DNS is now clean and dcdiag gives a clean bill. This has been running without issues for several weeks.

This AM I get a call and users cannot log into the terminal server.  I reboot it, but the problem persists.  I then try to log onto the DC.  I get a login error, the DC doesn't recognize administrator or the regular domain admin account I typically use.  I'm forced to do a power button shutdown and restart.  After restart I can log in and everything appears to be good.

A review of the event logs shows that at 4:30 PM yesterday the scheduled backup (Win Backup) occurred successfully. Then shortly after 5 PM the system logs event 5823 (NETLOGON: The system successfully changed its password on the domain controller. This event is logged when the password for the computer account is changed by the system. It is logged on the computer that changed the password.).

Then nothing until ~2 1/2 hours later, when I start getting a bunch of event 4 (Kerberos KRB_AP_ERR_MODIFIED) and 1006 (Group Policy processing failed) errors every couple of minutes until I reboot.

Can anyone shed some light on what possibly happened?  Did the automatic change of the system password break AD because I only have 1 DC?

Automatically change AD User's password hourly


Hi

I was wondering if there was a script or some kind of way which could reset a specific user's password every hour and save the password to a .txt file or maybe to a SQL table? I found one program; however, it emails the password rather than saving it to a file (and isn't free). I am using the NPS RADIUS server role and would like guests to have temporary access without having to create and delete an account every time (or have a static password allowing them to rejoin the network if they return).

Thanks :)

[Using Windows Server 2008 R2]

Performance impact of getting a computer's Active Directory Site Name??


Hello,

I have a C# application that is installed on every workstation in our entire enterprise, so performance is of the utmost importance. I'm trying to understand whether System.DirectoryServices.ActiveDirectory.ActiveDirectorySite.GetComputerSite() has the potential to result in any network calls. I could have sworn I read somewhere that the AD site is cached in the local computer's registry and GetComputerSite() just retrieves it from there (which would be fast). But what if the computer's site hasn't been cached yet? Does it result in lengthy network call(s)? Furthermore, what if, for example, the user connects their workstation to their home network where our enterprise Active Directory is unreachable and there's no cached registry entry? Would the call to GetComputerSite() hang for a long time before finally timing out?

Sorry for such a low level question but the source code for GetComputerSite() was unavailable at

http://referencesource.microsoft.com/

My app's C# code:

using System;
using System.DirectoryServices.ActiveDirectory;
...
// Site name of this machine. Falls back to defaultSite (defined elsewhere in the app)
// when the site cannot be determined, e.g. when no domain controller is reachable.
string adSite = "";
try {
   adSite = ActiveDirectorySite.GetComputerSite().Name.Trim();
}
catch (Exception) {
   // ActiveDirectoryObjectNotFoundException, ActiveDirectoryOperationException, etc.
   adSite = defaultSite;
}

Effects of changing an Active Directory user's User Logon Name?


We have a few users within AD who had their AD accounts misspelled early on. The previous admins cleaned up the users' display names but left their User Logon Names misspelled.

What are the consequences of changing the User Logon Name in AD?   Will it create a new profile under C:\Users the next time that user logs onto the domain?   How does this impact Exchange 2010/2013 accounts?

Domain: Windows 2008 R2 native
Client: Windows 7 (64 bit)

DNS forwarder


Hi all,

It has been more than 3 months since I did a migration from 2003 to 2008. Below are the posts from before.

http://goo.gl/ShqErG

http://goo.gl/7iDP6X

Now, 3 months later, I realize that there is some problem sending email to certain domains.

I suspect it is a forwarder issue, but I'm not sure about the setting. Attached is my forwarder image.

Before I captured the screen, the forwarder list contained the IP of the server (192.168.x.x). What is the right IP to put there?


20 minute time drift on WS2012 virtual DC


Very small 5 user system with 1 Hyper-V 2012R2 host & 2 WS2012 HV guests, one of which is the only DC for the domain, and thus, the PDC Emulator. (A physical DC is beyond their budget.)

HV Time Service is disabled for the DC guest. On the DC I ran the W32TM command for setting an authoritative time source (0.pool.ntp.org, 1.pool.ntp.org & 2.pool.ntp.org) and it returns the time servers when I use the /QUERY /SOURCE command. There are no Group Policies or registry settings or any other customization of the time service... it's completely default except for setting the external NTP servers and disabling HV time service.

When first set up, time was set accurately. But after a while (don't know how long or the trigger) it drops back to 20 minutes slow. And it's ALWAYS 20 minutes. Not 19, not 21, 20 exactly.

Another W32TM /RESYNC and it catches up again.

All computers in the domain correctly sync to the DC so there are no auth problems...the problem is the time is off by 20 minutes.

I created a Scheduled Task to run W32TM /RESYNC every 30 minutes on the DC, and I'm hopeful that will avoid the problem. But I would like to understand why this is happening because we have other, similar systems where this is not occurring and I can't figure out what the difference is.

TIA

Jeff


AD DNS caching Teredo IPs - why?

At a high level: new AD forest (Forest A) with 3 child domains, all running AD DNS that has a forest trust to another forest (Forest B).  DNS in Forest B has stub zones in AD DNS to the forward and IPv4 reverse lookup zones in Forest B.  Everything is working great, but one (and only one) of the domain controllers from each child domain in Forest A is caching not just its IPv4 IP, but the IPv6 Teredo IP in Forest B’s DNS cache.  Forest A doesn’t have these IPs anywhere in DNS, and this doesn’t happen with the forest root DCs, just the child domain DCs.

I have tried disabling Teredo on the DCs in question, to no avail.  I can flush the DNS cache in Forest B and nslookup the suspect Forest A DCs and get both IPs.

Very odd – any ideas?  It wouldn’t be that big of a deal save on occasion a client will get the Teredo IP from DNS, which will result in an inability to get to that DC.

Forest A – all servers are running Windows Server 2012 Core, forest and domain levels are Windows Server 2008 R2.  Forest B – all servers running Windows Server 2008 R2, and forest and domain levels are Windows Server 2008 R2 as well.  DNS is running on all DCs in both forests.

Join network computers in the domain with same name


Hi all,

This year we are replacing some 70 desktops & laptops according to company policy for aged hardware. The new machines must have the same name as the old. What would be the best way to remove the old from the domain and add the new with the same name?

Meaning I could go into every old computer and delete the object and then join the new with same name, move it to the appropriate OU etc. Is there any shortcut, like can you prestage a computer with a name of an existing one or 'reset' a computer and then join another pc with the same name?

Many thanks; let me know if it is not clear what I would like to achieve,

Archie

Why isn't there a TechNet forum for ADFS yet? They have been forwarding questions to the "Project Geneva" forum for years now.


Why isn't there a TechNet forum for ADFS yet? They have been forwarding questions to the "Project Geneva" forum for years now.

It would be nice if there was an IT Pro specific forum. The MSDN Geneva forum has people who have programming questions for WIF in addition to people trying to get ADFS and Web Application Proxy set up.

WHY?

When does a newly promoted Domain Controller start responding to DNS?


I am investigating the root cause of a "DNS issue" we had while rebuilding a domain controller and looking for what the actual chain of events is for DNS when you promote a new domain controller. Does anyone know what steps DNS goes through or what triggers steps to happen/wait? (I haven't been able to find that specific information yet)

We have a number of theories for why some clients were not able to resolve a DNS name that didn't change during the 40 minutes it took to demote the old DC (2008) and promote the new one (2008 R2), but all of them come down to timing, and if the server was responding while it was being promoted to being a domain controller.

Going through event logs the DCpromo process was started around 9:54pm and at 10:03:32 DNS server service started, 10:03:40 shows it received a bad DNS packet, then at 10:10:28 it says the ADDS startup was complete, and 10:10:38 it says it is a Domain Controller. Why did DNS log a bad packet before it fully became a domain controller, and why was it even responding if it didn't have the zone fully loaded?

Is there a way to know if it was responding badly to DNS requests during the time it was being promoted to be a domain controller?

At 10:16, when it reported the background loading of all zones was complete, all of our issues immediately went away.

I'm trying to figure out why some of our systems didn't go to their secondary DNS server and others did. Some of the clients that had issues were set up through DHCP the same as some that gracefully went to the secondary DNS server.

Is there a way to fix this?


I got this event 5723 and searched for computer1, and it does not show up in the AD Users and Computers MMC.
Why did we get this event even though the computer is not in the AD database? Is there a way to fix this error?

Log Name:      System
Source:        NETLOGON
Date:          3/26/2014 7:44:00 AM
Event ID:      5723
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      domain controller 1
Description:
The session setup from computer 'computer1' failed because the security database does not contain a trust account 'computer1$' referenced by the specified computer. 

USER ACTION 
If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time.  If this is a Read-Only Domain Controller and 'computer1$' is a legitimate machine account for the computer 'computer1' then 'computer1' should be marked cacheable for this location if appropriate or otherwise ensure connectivity to a domain controller  capable of servicing the request (for example a writable domain controller).  Otherwise, the following steps may be taken to resolve this problem: 

If 'computer1$' is a legitimate machine account for the computer 'computer1', then 'computer1' should be rejoined to the domain. 

If 'computer1$' is a legitimate interdomain trust account, then the trust should be recreated. 

Otherwise, assuming that 'computer1$' is not a legitimate account, the following action should be taken on 'computer1': 

If 'computer1' is a Domain Controller, then the trust associated with 'computer1$' should be deleted. 

If 'computer1' is not a Domain Controller, it should be disjoined from the domain.

Create a helpdesk account that can join PCs to the domain

Hi,

I need to create an Active Directory user account that has the ability to join a PC to the domain, create user accounts and Exchange 2010 mailboxes.

What groups would the user need to be a part of?

We do not want the user to have full domain admin, or server admin. The account is for a helpdesk tech.

Thanks!

Wave~Chaser

Retrieve nested LDAP groups independent from the network env. (five different approaches)


Hi all,

I want to retrieve a list of nested LDAP groups per user from the Active Directory. I have been searching Google for half a day now, but I'm still not sure what approach to use. I have the following requirements:

* The script/program must run in different network environments (I can't be sure if there is a global catalog or AD DS or AD LDS, etc.). I will write my own program.
* The membership info will be used in combination with directory ACLs and must be as complete as possible (global groups, universal groups, local groups, perhaps different domains). Distribution groups are not really necessary, because they are not used in the directory ACLs.
* It would be nice to support other LDAP implementations than Active Directory using the same code, but that is not a hard requirement. I could use another approach to support a different LDAP.

Now I have figured out five possible approaches (info comes from different sites, please correct me if I'm wrong):

1) tokengroups attribute:
- The attribute contains Universal groups of the forest, global groups from the local domain, domain local groups from the local domain (assuming native mode) and local groups from the local machine.
- Returns a list of SIDs which will have to be translated to group names
- The tokenGroups attribute exists on both AD DS and AD LDS
- For AD DS, the tokenGroups attribute is not present if no GC server is available to evaluate the transitive reverse memberships.
- quote from site "Now that I have had a chance to test it though I can definitely say that tokenGroups WILL get the Universal groups from the other domains even if is NOT a GC. I just did it in my test lab."
- Token Groups cannot be retrieved if no Global Catalog is present to retrieve the transitive reverse memberships.

2) tokenGroupsGlobalAndUniversal
- A subset of the tokenGroups attribute. Only the global and universal group SIDs are included.
- If you want consistent results, read tokenGroupsGlobalAndUniversal that will return the same result no matter which DC you are connected to. However, it will not include local groups.
- other source says "tokenGroups will give you all the security groups this user belongs to, including nested groups and domain users, users, etc tokenGroupsGlobalAndUniversal will include everything from tokenGroups AND distribution groups". Not sure if this is correct, I think it doesn't contain local groups.
- The tokenGroupsGlobalAndUniversal attribute exists on AD DS but not on AD LDS.

3) LDAP_MATCHING_RULE_IN_CHAIN / 1.2.840.113556.1.4.1941
- Use a recursive search query which returns all nested groups for user at once.
- Returns all groups except for the primary group
- It's a fast approach, see performance test from Richard Mueller:
http://social.technet.microsoft.com/Forums/fr-FR/f238d2b0-a1d7-48e8-8a60-542e7ccfa2e8/recursive-retrieval-of-all-ad-group-memberships-of-a-user?forum=ITCG
- It only works on Active Directory, not for other LDAP implementations

4) Recursive retrieval of the memberOf attribute
- Retrieves all groups except the primary group. (also local groups from other domains??)
- works for all LDAP implementations
- executes a lot of queries to the LDAP, especially if you want to scan all users/groups (perhaps limited on OU, but still)

5) Store memberOf attribute in local database and calculate the nested groups using recursive queries to the local database
- No heavy load to the LDAP
- Needs space to store the user/group info locally (embedded Derby database perhaps)
- Performs fast since the queries are executed locally
- Works for all LDAP implementations

My thoughts on these different approaches:
* approach 1) I understand that the tokenGroups attribute is not present if no GC server is available. In how many network environments is this the case? This option won't work because I want to support different network environments.
* approach 2) The tokenGroupsGlobalAndUniversal attribute exists on AD DS but not on AD LDS. Same here, in how many network environments is this the case? I don't think I can rely on this approach.
* approach 3) Seems to be a good option. How will it perform compared to approach 5 (local recursive queries)? Won't work for other LDAP implementations
* approach 4) I don't think I want to execute that many queries to the LDAP. I can limit the scan on OU, but still companies can have thousands of users and groups.
* approach 5) Perhaps the best approach. I want to store user/group info locally for fast filtering / reporting (only group DNs, user names, database IDs and membership info as id-id pairs). I only need the memberOf attribute of users and groups; recursive loops are done locally. It will work for all LDAP implementations.

What do you guys think? I'm not a network admin, but a programmer, so I'm no expert in network setups and when to use AD DS or AD LDS. The thing is I want to use this code at different customers without knowing their network setup (except for the domain name(s), LDAP host/port and bind user to connect to LDAP).

Thanks a lot!

Paul
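Two of the approaches listed above written out in code, as an added example (not code from Paul's post or from any library): approach 3, building the LDAP_MATCHING_RULE_IN_CHAIN filter for a user's DN, and approach 5, computing the nested group closure locally from memberOf data that has already been fetched. The filter builder escapes the DN per RFC 4515 before embedding it, so a DN containing characters such as `(`, `)` or `*` cannot change the meaning of the filter. The local walk keeps a visited set so that a nesting cycle (group A in B, B in A) terminates, and it adds the primary group separately because AD does not list it in memberOf. The sample directory data and all function names are constructed for this example; the group-type bit mask is the documented ADS_GROUP_TYPE_SECURITY_ENABLED flag.

```python
"""Nested group membership: server-side filter (approach 3) and local closure (approach 5)."""
from typing import Dict, List, Optional, Set

# Well-known AD matching-rule OIDs.
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"   # transitive member/memberOf
MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"     # bitwise AND on integer attrs
GROUP_TYPE_SECURITY_ENABLED = 0x80000000             # groupType flag for security groups


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    '*', '(', ')', '\\' and NUL are escaped as \\XX; non-ASCII text is UTF-8
    encoded and escaped byte by byte. Without this, a DN or user-supplied
    value could alter the structure of the filter (LDAP filter injection).
    """
    special = b"\\*()\x00"
    out = []
    for byte in value.encode("utf-8"):
        if byte in special or byte >= 0x80:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def nested_groups_filter(user_dn: str, security_only: bool = False) -> str:
    """Approach 3: one filter that returns every group whose member chain reaches user_dn.

    With security_only=True the filter also requires the security-enabled bit
    in groupType, which drops distribution groups (not relevant for ACLs).
    """
    clauses = [
        "(objectClass=group)",
        "(member:%s:=%s)" % (MATCHING_RULE_IN_CHAIN, escape_filter_value(user_dn)),
    ]
    if security_only:
        clauses.append("(groupType:%s:=%d)" % (MATCHING_RULE_BIT_AND, GROUP_TYPE_SECURITY_ENABLED))
    return "(&" + "".join(clauses) + ")"


def transitive_groups(start_dn: str, member_of: Dict[str, List[str]]) -> Set[str]:
    """Approach 5: walk a locally stored memberOf map without hitting the LDAP server.

    member_of maps an object DN (user or group) to the DNs it is a direct member
    of. The visited set guarantees termination even when groups nest in a cycle.
    """
    seen: Set[str] = set()
    stack = list(member_of.get(start_dn, []))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(member_of.get(group, []))
    return seen


def resolve_user_groups(user_dn: str, member_of: Dict[str, List[str]],
                        primary_group_dn: Optional[str] = None) -> Set[str]:
    """All groups a user belongs to, including the primary group and its own nesting."""
    groups = transitive_groups(user_dn, member_of)
    if primary_group_dn:
        groups.add(primary_group_dn)
        groups |= transitive_groups(primary_group_dn, member_of)
    return groups


# Constructed sample data standing in for memberOf values fetched from a directory.
BASE = "OU=Groups,DC=example,DC=com"
USER_DN = "CN=paul,OU=Users,DC=example,DC=com"
DEVELOPERS, ENGINEERING, ALL_STAFF, DOMAIN_USERS = (
    "CN=Developers," + BASE, "CN=Engineering," + BASE,
    "CN=All Staff," + BASE, "CN=Domain Users,CN=Users,DC=example,DC=com")
SAMPLE_MEMBER_OF: Dict[str, List[str]] = {
    USER_DN: [DEVELOPERS],
    DEVELOPERS: [ENGINEERING],
    ENGINEERING: [ALL_STAFF, DEVELOPERS],   # deliberate cycle back to Developers
    ALL_STAFF: [],
    DOMAIN_USERS: [],
}

if __name__ == "__main__":
    print(nested_groups_filter("CN=Paul (dev),OU=Users,DC=example,DC=com", security_only=True))
    for dn in sorted(resolve_user_groups(USER_DN, SAMPLE_MEMBER_OF, DOMAIN_USERS)):
        print(dn)
```

In practice the filter from `nested_groups_filter` is sent with the domain (or forest, via the GC port) as the search base and `distinguishedName` as the only requested attribute; the local walk is what the "store it in Derby" variant of approach 5 does once the memberOf values are in the database.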

Domain Controller In-Place Upgrade Feasibility


Hi guys,

I currently have 6 physical DCs running 2008 x64 SP2 with a single domain/forest at domain/forest functional level of 2003. I'd like to get the functional level up to 2008 R2 ASAP. As all DCs are 2008, I should be able to bring it up to 2008 immediately and then enable DFS replication for the SYSVOL to get that more modern replication :) . The issue then is, can I do an in-place upgrade to 2008 R2 on a 2008 server with the DC role? Anyone done this? Any gotchas?


AD Security Inheritance Reversing (AdminSDHolder?)


Hi All,

I've run into an issue where I'm delegating rights to an OU and it is not consistently applying to some user objects. I enable inheritance on the user objects and it reverses after an hour (probably AdminSDHolder protection). The users are not members of a protected group. I have other users who are members of the exact same groups and inheritance does not reverse on them. The only difference is that the accounts it is reversing on have been ADMT'd. I verified that they are not members of protected groups in the remote domain. Is there some additional security that causes user objects which have been ADMT'd to be protected? If so, is there a way around this without editing the AdminSDHolder object, since that reduces security?

Thanks!

-Casey

Domain Local groups v Global Groups

Running AD 2008, one domain.

We have a finance application and we need to assign permissions to an object. For the people we want to assign these permissions to, there is already a Domain Local group set up, DLGroup1, which we can use.

The vendor is saying to use a Global group though, which means we either need to create a separate Global group containing these exact users, or modify DLGroup1 to become a Global group.

Some questions -

1. What is the impact of changing DLGroup1 from a Domain Local to a Global group?

2. From what I understand, Global groups should be placed in Domain Local groups, and the permissions actually given to the Domain Local groups. Is there any reason why the vendor should say the permissions should be set on the Global group?

3. Re. the point above, what's the reason for having Global groups in a Domain Local group and setting the permissions for the Domain Local group?

Does DPM allow restoring a host between two different clusters not physically connected but on the same network


Does DPM allow restoring a host between two different clusters not physically connected but on the same network?

Any advice on how to do this, if possible, is welcome.

regards

David 

Replication problem in domain controller


The last modified date of a number of policies is different between domain controllers.

On a particular DC the last modified date is 2011, and on the other DCs the same policies' last modified date is 2013. I ran repadmin and checked event logs. There is no problem in replication; I created a file on the problematic DC and it got replicated to the other DCs.

Is it possible for policies to have different modified times on different DCs?

Thanks,

Vijayaragavan S


Restrict AD User and Local User access to AD LDS?


I have AD LDS installed on a domain joined server (2012 R2). By default, the instance allows AD LDS principal authentication, Windows principal (AD or local) authentication and, optionally, AD LDS proxy authentication. I want to configure proxy authentication, which is well documented, but I also want to prevent any Windows principal authentication. I can find no documentation on restricting those login mechanisms.

Could anyone point me in the right direction?


Justin Cervero - MS Enterprise Admin - Appalachian State University
