I have a random bunch of computers that are Windows 7 part of my domain that are randomly losing their trust relationship on a random basis.  I currently have a Windows 2008 Primary DC with a 2K8 R2 Secondary DC providing to 287 computers.  Right now we are migrating away from Windows XP so I would have to say that the ratio of XP machines is 60%.  It just started recently where the Windows 7 computers will randomly lose their security trust with the domain.  There's no rhyme or reason to it.  It will happen to a computer we installed with less than a week, and hit another computer that was installed almost 2 years ago.  I've seen quite a few other people having issues with W7 machines acting the same way and I know the "fix" is to dis-join it from the domain and rejoin it but its not a permanent solution.  All these machines are spanning multiple cities and all our Admins are based in Dallas.  we'll have computers in Ft Worth, Houston, Anna, and Longview texas all randomly behave this way and all are windows 7 pro SP1 machines from different manufacturers.   all the DNS records are up to date.  There are no AD replication error, in fact there are no errors at all on my DCs. No changes have been made to any GPOs or AD.  Any assistance is appreciated as this is bizaare since our domain has been working without a hitch for the past 3-4 years no issues.  

Thank You,

David

To Testart One queTestion what is canonical dacl ?

Command Used (all in One Line CMD) following command gives the users/groups mentioned in the command all Generic Access which is equivalent to FULL CONTROL

C:\>FOR /F "tokens=* usebackq"  %i in (`dsquery computer "OU=Comps,dc=Testdom,dc=com"`) DO dsacls %i /N /I:S /P:Y /G

Testdom\adminiTestrator:GRGEGWGA "NT AUTHORITY\SYTestEM":GRGEGWGA "NT AUTHORITY\Enterprise Domain Controllers":GRGEGWGA "NT

AUTHORITY\SELF":GRGEGWGA "Testdom\Enterprise Admins":GRGEGWGA

C:\>dsacls "CN=TestTETestCL01,OU=Comps,DC=Testdom,DC=com" /N /I:S /P:Y /G Testdom\adminiTestrator:GRGEGWGA "NT AUTHORITY\S

YTestEM":GRGEGWGA "NT AUTHORITY\Enterprise Domain Controllers":GRGEGWGA "NT AUTHORITY\SELF":GRGEGWGA "Testdom\Enterprise

Admins":GRGEGWGA

Owner: Testdom\Domain Admins

Group: Testdom\Domain Admins

Access liTest:

{This object is protected from inheriting permissions from the parent}

Permissions inherited to subobjects are:

Inherited to all subobjects

Allow Testdom\Enterprise Admins     FULL CONTROL

Allow Testdom\AdminiTestrator         FULL CONTROL

Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS

                                      FULL CONTROL

Allow NT AUTHORITY\SELF               FULL CONTROL

Allow NT AUTHORITY\SYTestEM             FULL CONTROL

The command completed successfully

AND FOLLOWING COMMAND gives the users/groups mentioned in the command all Special-Permissions, Control Access'..
 JuTest to check and confirm if this make any difference,

C:\>FOR /F "tokens=* usebackq"  %i in (`dsquery computer "OU=Comps,dc=Testdom,dc=com"`) DO dsacls %i /N /I:S /P:Y /G s
 tTestdom\adminiTestrator:SDDTRCWDWOLCCCDCWSRPWPCALO;;Computer "NT AUTHORITY\SYTestEM":SDDTRCWDWOLCCCDCWSRPWPCALO;;Computer "
 NT AUTHORITY\Enterprise Domain Controllers":SDDTRCWDWOLCCCDCWSRPWPCALO;;Computer "NT AUTHORITY\SELF":SDDTRCWDWOLCCCDCWSR
 PWPCALO;;Computer "Testdom\Enterprise Admins":SDDTRCWDWOLCCCDCWSRPWPCALO;;Computer

C:\>dsacls "CN=TestTETestCL01,OU=Comps,DC=Testdom,DC=com" /N /I:S /P:Y /G Testdom\adminiTestrator:SDDTRCWDWOLCCCDCWSRPWPCA
 LO;;Computer "NT AUTHORITY\SYTestEM":SDDTRCWDWOLCCCDCWSRPWPCALO;;Computer "NT AUTHORITY\Enterprise Domain Controllers":SDD
 TRCWDWOLCCCDCWSRPWPCALO;;Computer "NT AUTHORITY\SELF":SDDTRCWDWOLCCCDCWSRPWPCALO;;Computer "Testdom\Enterprise Admins"
 :SDDTRCWDWOLCCCDCWSRPWPCALO;;Computer
 Owner: Testdom\Domain Admins
 Group: Testdom\Domain Admins

Access liTest:
 {This object is protected from inheriting permissions from the parent}
 Permissions inherited to subobjects are:
 Inherited to computer
 Allow NT AUTHORITY\SYTestEM             FULL CONTROL
 Allow NT AUTHORITY\SELF               FULL CONTROL
 Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
                                       FULL CONTROL
 Allow Testdom\AdminiTestrator         FULL CONTROL
 Allow Testdom\Enterprise Admins     FULL CONTROL
 The command completed successfully

C:\>

ALSO Once I reset or for that matter juTest check a new one property either for Allow or Deny,
 Or JuTest Uncheck and Recheck any property using ADUC GUI Object is shown as Computer and not as "UNKNOWN" any more,

ALSO Once the Switch /P:N/Y is not Used Object Stays as known,
Object is displayed as Computer with No Issues, However my requirement is to disable Inheritance on the Computer Objects, and Using the /P:Y for Protection and disabling inheritance causes the object to change into an UNKNOWN Object....

Hello!

apologies for my bad English

Have read through different sites and services links and got stuck with few questions - I have recently taken over AD role from previous admin

our setup below please :

------------------------

We have 4 physical sites

Dusseldorf, cologne, Frankfurt and nuremberg . Each of these sites have 1 Domain controller each and each site has 500 users .

( Dusseldorf near site is Cologne )
(Cologne near site is Frankfurt )

(Frankfurt near site is Nuremberg)

-------------------------

BASL is enabled and all 4 sites have netework connectivity.

There is only one site link with all 4 sites into the site link with site link cost 100 , when we did a DR activity , we found that

when Dusseldorf site was shutdown - No IP connectivity, clients were authenticating to Nuremberg rather cologne

and when started analyzing the behavior , I read through Ace fekay blog post

http://blogs.msmvps.com/acefekay/2013/02/24/ad-site-design-and-auto-site-link-bridging-or-bridge-all-site-links-basl/

I have two questions

^^ DO I need to remove 4 sites from site link and configure , 3 site links ? assuming one site has complete AD replica and other sites replicate from main site ?

^^ clients DNS on dusseldorf is configured with itself as primary and cologne site as secondary , when client queries the DNS LDAP for site specific records, will DNS check for site link cost ?

Eg: in the event of site failure

      - I restart the client

      - client in Dusseldorf queries primary DNS till the timeout and then it will query secondary DNS which is pointed to Cologne

      - Secondary DNS will return list of DC's from _LDAP._TCP.dc._msdcs.domainname

      - client sends the ping to dusseldorf DC and gets no result, but receives reply from all other 3 site DC's and one of the DC  will refer client to particular site based on its IP subnet

         < does DC checks site cost before assigning site to subnet or site cost is only considered during replication ?

Hello! I faced with trouble - there was 1 domain (mydomain.com) and domain controller, dc1.mydomain.com. So I added one more domain controller, it's name dc2.mydomain.com. Replication was OK, 5 FSMO roles OK also:

netdom query fsmo

Schema master               dc2.mydomain.com

Domain naming master   dc2.mydomain.com

PDC                                 dc2.mydomain.com

RID pool manager           dc2.mydomain.com

Infrastructure master     dc2.mydomain.com

So clients are working with domain even if dc1.mydomain.com is offline. But when I'm trying to demote dc1.mydomain.com I receive error message:

"The operation failed because: Active Directory Domain Services could not transfer the remaining data in directory partition DC=ForestDNSZones,DC=mydomain,DC=com to Active Directory Domain Controller \\dc2.mydomain.com. The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles." 

What can it be? Thank you.

We're currently using ADFS 2.0 and IFD for Dynamics CRM 2013, this works without issue.  We've recently developed an addon for CRM 2013 that runs side-by-side with CRM on it's webserver.  Right now, in development (not connected to ADFS, only production is), the web app runs on Active Directory authentication and works properly.  While deploying to production, we realized that ADFS was now in the picture and concluded a trust likely needed setup.  This led to complications:

1. Whether being access internally or externally, the web app was unable to authenticate.  
2. During internal access attempts the authentication would simply fail; during external access attempts the link to the web application 404'd and returned nothing.

Questions:

1. So, does the fact that this application wasn't built to account for ADFS make it a non-claims aware application?
2. What needs to be done to this web app to prepare it for an ADFS 2.0 implementation?
3. Is there additional code that needs written?
4. Can the current authentication method it uses (AD) be manipulated to work with ADFS without any code changes (proper configurations in ADFS Management)?

I think this is an easy question but I'm having trouble find a clear answer.  In preparation for a domain migration we have a few user account conflicts, so the logon name for the user's domain account needs to be changed since it's already in use.  If I change the user's logon name, what happens profile-wise on the local computer?  Ideally the local pc would pickup on the new name but identify that in fact it's the same user and change or migrate the local profile, however it does it.  Someone care to enlighten me?

Thanks!

When I run Test-ADDSDomainControllerInstallation I get an error (see below). The server is not domain joined. It is IP, named, has ADDS bits installed and running 12r2 core. I'm a little thrown off by the SafeModeAdministratorPassword parameter, I've tried both supplying the local admin password of the server and the DSRM password used on all DCs in ad.piccola.us forest. The current forest consists of 08r2 DCs with FFL and DFL set to 08r2. 

Thanks! 

PS C:\Users\Administrator> Test-ADDSDomainControllerInstallation

cmdlet Test-ADDSDomainControllerInstallation at command pipeline position 1
Supply values for the following parameters:
DomainName: ad.piccola.us
SafeModeAdministratorPassword: ***********
Confirm SafeModeAdministratorPassword: ***********

Message             Context                  RebootRequired              Status
-------             -------                  --------------              ------
Verification of ... Test.VerifyUserC...               False               Error

Hello,

Intent :- I have a set of users in a specific OU and I would like to filter the security logs for event "4624" on a DC to find out the "Logontype" for each user in the OU.

I have a Powershell script for which I get no Output(blank). I get no errors.  However, I am new to Powershell scripting but every function seems to be in place. I am using Windows Powershell ISE:- 

PLEASE HELP!

LDAP query will not work if OU name contains a space.    Error: There is no such object on the server

Code courtesy of ADSI Scriptomatic. It works fine if the OU name that holds the user object contains no spaces, but fails if it does. I have tried single quotes around the OU name, no luck.  Ostensibly non-trailing-non-leading spaces do not need to be escaped, in fact you get a syntax error if you do that.

Thanks for any assistance

LDAP // replaced with || below to avoid being flaqgged as a link.

'strContainer = "ou=Medina,ou=OH,ou=US,ou=NAUSERS"           '*** WORKS
'strName = "BenninCF"

strContainer = "OU=Kansas City,OU=KS,OU=US,OU=NAUsers"       '*** FAILS
strName = "Jeffrieb"

'On Error Resume Next

'***********************************************
'*          Connect to an object                 *
'***********************************************
Set objRootDSE = GetObject("LDAP:||rootDSE")

If strContainer = "" Then
  Set objItem = GetObject("LDAP:||" & _
    objRootDSE.Get("defaultNamingContext"))
Else
  Set objItem = GetObject("LDAP:||cn=" & strName & "," & strContainer & "," & _
    objRootDSE.Get("defaultNamingContext"))
End If
'***********************************************
'*         End connect to an object           *
'***********************************************

WScript.Echo VbCrLf & "** General Properties Page**"
WScript.Echo "** (Single-Valued Attributes) **"
strname = objItem.Get("name")
WScript.Echo "name: " & strname
strgivenName = objItem.Get("givenName")
WScript.Echo "givenName: " & strgivenName
strinitials = objItem.Get("initials")
WScript.Echo "initials: " & strinitials
strsn = objItem.Get("sn")
WScript.Echo "sn: " & strsn

There is a heated discussion about this topic and wanted to ask DS team as so many different answers on this page

http://www.linkedin.com/groups/Adding-additional-domain-controller-104959.S.235527208

Please shed some light.

Thanks

Hi,

I want configure my system time into External source at the same time that machine want to be in domain. and that machine won't be communicate with domain for Time sync what are things need to be check ?

what is procedure ?

many thanks in advance

Regards, Hari Prasad.D

Hello All,

I need to change the NetBios name of Active Directory 2012. Can you please anyone give suggest regarding this issue that how can i change NetBios name of Active Directory 2012

Thanks

We have a Server 2008 R2 domain.

I'd read that the password policy in GPO is only available for Computer Configuration, not User Configuration? Is that correct? 

If so, that's not very flexible and will make things trickier for us.  

And regarding enforcing a password policy with a GPO on our local domain, do you know of a way to force users to change their passwords within say 1 week?    (the only options I know of are on the AD User account properties check a box "User must change password at next logon" (then you'd have to force them to log out) OR relying on AD's internal formula: webactivedirectory.com/.../how-active-directory-calculates-account-password-expiration-dates .  The problem I see with the latter is if your user hasn't changed their pw for a year you'd have to wait a year+how many days you set for max password age?

spnewbie

Hello

We are trying to set up a relying partner in ADFS that needs to see the Name ID in all uppercase.  We have a claims rule to send Sam-account-name as the Name ID but it is being sent in lower case.  Is there any way to make ADFS send this information in uppercase?

ex smithj = SMITHJ

Thanks

hello everyone

in our company we are upgrading our DCs to server 2012R2 we have one Dc 2008R2 we installed another DC 2012R2 and make it GC from sites and services the problem appeared when I demoted the 2008 server I noticed that nobody in the company is able to log to the domain I realized that even the global catalog check mark is checked the server is not global catalog when I connect through ldap I see isglobalcatalogready : false I tried many solution to make it global catalaog but no success my solution was to shut down this server and restore the 2008 server from a previous backup now all the users can log to the domain but I only have one DC I tried to add another 2012R2 Dc but DCPromo fails on the prerequisite "check verification of outbound replication failed error reading the ntds settings on replication source controller" I installed another server 2008R2 server since there is no prerequisite check but the same problem occured the new DC is marked as GC but it's not GC I checked port 3268 I ran dcidag and this is the result

dcdiag /test:checksecurityerror

Directory Server Diagnosis

Performing initial setup:
Trying to find home server...
Home Server = 2k8DC
* Identified AD Forest.
Done gathering initial info.

Doing initial required tests

Testing server: mysite\2K8DC
Starting test: Connectivity
......................... 2K8DC passed test Connectivity

Doing primary tests

Testing server: mysite\2K8DC
Starting test: CheckSecurityError
The account 2K8DC is not a DC account. It cannot replicate.
Unable to verify the machine account
(CN=2K8DC,OU=Domain Controllers,DC=mydomain,DC=local) for 2K8DC on
2K8DC.
Source DC WIN-SM5GUTCII7H has possible security error (8453).
Diagnosing...
Error 2184 querying time on DC WIN-SM5GUTCII7H. Ignoring this
DC and continuing...
* Missing SPN
:LDAP/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain.local
* Missing SPN :LDAP/WIN-SM5GUTCII7H.@missing_dnsHostName@
* Missing SPN :LDAP/WIN-SM5GUTCII7H
* Missing SPN
:LDAP/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain
* Missing SPN
:LDAP/f67b0f34-07ae-4dec-8ff5-7cd284ecb7b8._msdcs.mydomain.local
* Missing SPN
:HOST/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain.local
* Missing SPN :HOST/WIN-SM5GUTCII7H.@missing_dnsHostName@
* Missing SPN
:HOST/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain
* Missing SPN
:GC/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain.local
Unable to verify the machine account
(CN=WIN-SM5GUTCII7H,OU=Domain Controllers,DC=mydomain,DC=local)
for WIN-SM5GUTCII7H on 2K8DC.
Unable to connect to the NETLOGON share!
(\\WIN-SM5GUTCII7H\netlogon)
[WIN-SM5GUTCII7H] An net use or LsaPolicy operation failed with
error 67, The network name cannot be found..
[WIN-SM5GUTCII7H] Unable to verify logon privileges on DC
shares. Please check the above output and take appropriate
steps.
Failed to read object metadata on WIN-SM5GUTCII7H, error
Directory object not found.
[WIN-SM5GUTCII7H] Unable to diagnose problem for this source.
See any errors reported in attempting tests.
......................... 2K8DC failed test CheckSecurityError


Running partition tests on : ForestDnsZones

Running partition tests on : DomainDnsZones

Running partition tests on : Schema

Running partition tests on : Configuration

Running partition tests on : mydomain

Running enterprise tests on : mydomain.local

C:\Users\Administrator>dcdiag /test:checksecurityerror

Directory Server Diagnosis

Performing initial setup:
Trying to find home server...
Home Server = 2k8DC
* Identified AD Forest.
Done gathering initial info.

Doing initial required tests

Testing server: mysite\2K8DC
Starting test: Connectivity
......................... 2K8DC passed test Connectivity

Doing primary tests

Testing server: mysite\2K8DC
Starting test: CheckSecurityError
The account 2K8DC is not a DC account. It cannot replicate.
Unable to verify the machine account
(CN=2K8DC,OU=Domain Controllers,DC=mydomain,DC=local) for 2K8DC on
2K8DC.
Source DC WIN-SM5GUTCII7H has possible security error (8453).
Diagnosing...
Error 2184 querying time on DC WIN-SM5GUTCII7H. Ignoring this
DC and continuing...
* Missing SPN
:LDAP/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain.local
* Missing SPN :LDAP/WIN-SM5GUTCII7H.@missing_dnsHostName@
* Missing SPN :LDAP/WIN-SM5GUTCII7H
* Missing SPN
:LDAP/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain
* Missing SPN
:LDAP/f67b0f34-07ae-4dec-8ff5-7cd284ecb7b8._msdcs.mydomain.local
* Missing SPN
:HOST/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain.local
* Missing SPN :HOST/WIN-SM5GUTCII7H.@missing_dnsHostName@
* Missing SPN
:HOST/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain
* Missing SPN
:GC/WIN-SM5GUTCII7H.@missing_dnsHostName@/mydomain.local
Unable to verify the machine account
(CN=WIN-SM5GUTCII7H,OU=Domain Controllers,DC=mydomain,DC=local)
for WIN-SM5GUTCII7H on 2K8DC.
Unable to connect to the NETLOGON share!
(\\WIN-SM5GUTCII7H\netlogon)
[WIN-SM5GUTCII7H] An net use or LsaPolicy operation failed with
error 67, The network name cannot be found..
[WIN-SM5GUTCII7H] Unable to verify logon privileges on DC
shares. Please check the above output and take appropriate
steps.
Failed to read object metadata on WIN-SM5GUTCII7H, error
Directory object not found.
[WIN-SM5GUTCII7H] Unable to diagnose problem for this source.
See any errors reported in attempting tests.
Authoritative attribute pwdLastSet on 2K8DC (writeable)
usnLocalChange = 5866156
LastOriginatingDsa = 2K8DC
usnOriginatingChange = 5866156
timeLastOriginatingChange = 2014-08-17 08:55:52
VersionLastOriginatingChange = 42
Out-of-date attribute pwdLastSet on WIN-SM5GUTCII7H (writeable)
usnLocalChange = 12868
LastOriginatingDsa = 22a5b57a-fac4-4cfe-9fcb-c545025d3716
usnOriginatingChange = 5830453
timeLastOriginatingChange = 2014-08-13 15:07:23
VersionLastOriginatingChange = 41
Unable to verify the convergence of this machine account
(CN=2K8DC,OU=Domain Controllers,DC=mydomain,DC=local) on these DC's
(DC=mydomain,DC=local,2K8DC). Does the machine account password need
resetting?
......................... 2K8DC failed test CheckSecurityError


Running partition tests on : ForestDnsZones

Running partition tests on : DomainDnsZones

Running partition tests on : Schema

Running partition tests on : Configuration

Running partition tests on : mydomain

Running enterprise tests on : mydomain.local

note that WIN-SM5GUTCII7H is the new DC I renamed it to server 2008R2 but it can't be a global catalog due to the error.
I tried to google this error but I didn't find any solution how to make make it replicate the GC

Best

Hi everyone,

I have 3 ADC's which are windows server 2008 R2 but my primary DC is windows server 2003.

Can i create managed service account. please do guide me how to create the account as i want to use it for sql2012 and sql 2008

Dear Sir,

   I would like to know about miscrosoft Navision. We are planning to devlop Navision for server we use win 2008 r2 and client window 8 but just want to know all client should be under domain or without domain we can use Navision client appls.

Hi

Am looking to install Exchange 2013 alongside our 2010 environment but this won't be for a few months.

However we have a period of a maintenance window where the system can be down, so thinking about extending the schema in this window for preparation.   Just gives us a bit of leeway if anything goes wrong during this process.

I'm 99.9999% sure that it is okay just to extend the schema and then wait a few months before the application is installed but just wanting to double check that I'm not overlooking something. 

Thanks