Hi,

There is a requirement for automated creation of domains in our environment.

We need to create 100s of domains in AD. Is there a way we can automate this process either through powershell, or some other interface? I see examples of reading doimains etc. but none talked about creating a new one programmatically.

Hi,

I have a Forest Trust from Forest A to Forest B.  Both are at Server 2008 R2 levels.  Forest A has one Forest/Domain, whereas Forest B has a Forest Root and a Domain which is not a child, but a seperate Tree.

While in the local admins group on a member server in Forest A, I try to add a User account or Glogal Security group from the Domain in Forest B.  Both attempts yield a 'not found' message even though I can see the Forest B in the object picker when I attempt the operation. 

While on a Domain Controller in Forest A, when I define a Domain Local group in Forest A, I can add either a Global Security group or local User account from the Domain in Forest B.  So no problems doing the operation to the Domain in Forest B while on a Domain Controller.

Any ideas on why I cant add Users or Groups from the Domain in Forest B to the local Admins group on a member server in Forest A?

Thanks for your help! SdeDot

Good afternoon,

Next week I'm going to start upgrading all of our domain controllers with brand new rack mounted servers.  We currently have 3 domain controllers in different cities, all three running Windows Server 2008 R2.  All 3 of the new servers are running Windows Server 2012 R2.  I'm going to start with one DC at a time and just demote the old one and promote the new one.  My question is can a Windows Server 2012 domain/forest functional level co-exist with a Server 2008 Domain/Forest functional level? Since I'm doing one DC at a time there will always be a time until the last DC is replaced that Server 2008 R2 and Server 2012 R2 DC's will live in the same forest together.  Should I just install the new Server 2012 R2 DCs as a Server 2008 functional level and then go back and upgrade them all at once?

I understand that with transitivity if I have 3 sites, Site A, Site B, and Site C, and I have created site links between A & B, and A & C, there will be a transitive site link between B & C.

What I am wondering is if there is any advantage or disadvantage to going ahead and creating a site link between B & C?

Thank you.

Kenny

Hi

I have recently introduced the first Server 2012R2 Domain Controller into our environment.

We currently have Server 2008 DC, and my plan was to upgrade a DC on a remote site to Server 2012 R2.

The upgrade appears to be successful, but only a few days later we started noticing issues.

We have some Server 2003 servers on that site to support legacy applications. When we try to RDP to the 2003 servers, we receive the following:

            The system cannot log you on due to the following error:
            The RPC server is Unavailable

I suspect the 2012R2 DC has disabled some authentication method that I need to manually  re-enable.

I’m sure the problem can be easily resolved, and I’m looking for anyone else who has had a similar issue that has managed to resolve it.

Hi

I have a Windows Server 2003 Parent Child Domain/Forest. In the parent domain, I have one 2008 R2 DC. I did not even realize till now that the Sysvol and Netlogon Shares are missing on this. I prepped the parent domain for Windows Server 2012 and introduced Windows Server 2012 R2 domain controller. I realized I am getting the same issue. However, when I introduce a Windows Server 2012 R2 domain controller in the child domain, it works fine.

I came across some forums with the same issues and they recommended some registry tweaks, but those didn't work for me.

When I run dcdiag, I see messages like: Any Ideas????

Starting test: NetLogons
          Unable to connect to the NETLOGON share!

Starting test: Advertising
          Warning: DsGetDcName returned information for
          \\<<Server>>, when we were trying to reach <<Server>>.
          SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
          ......................... <<Server>> failed test Advertising

jk

Hi,
we have two forest.
Forest A (windows 2003) contains the dhcp server
Forest B(windows 2008r2) use dhcp server of forest A
the two forest have bidirectional trust relationship in place
when I move workstation from forest a to foerest B pc doesn't register in the new forest.
The primary DNS of every workstation in the two forest is a domanin controller placed in forest A.
DNS name resolution between two forest works fine.
What can I check?

Thank you 

Luca Pozzoli

We have experienced some issues with 2 of our DC's in one of our Exchange AD sites and therefore we would like to rebuild these 2 DC's using new servers but using the same name and IP address from the DC's they will replace. Here are some key points to my Active Directory and the plan which we would like to execute in order to rebuild the 2 Domain Controllers with DNS:

• Our Active Directory spans the globe and consists of approximately 30+ AD Sites.

• We have 40+ Domain Controllers total in our Active Directory.

• We are looking to rebuild 2 DC’s in one of our Exchange AD Sites.

• Both of these DC's are DNS servers.

• We are planning to first demote one of the DC’s and once it is fully demoted, wait 15 minutes for AD Replication. Afterwards, rename server (demoted DC) and then shut it down.

• Assign new server (VMware VM) the IP address and name from the just demoted DC. After the rename is complete, run DCPROMO to promote it as a DC with DNS. The end result will be a brand new DC with the exact same name and same IP address as the old just demoted DC.

• Once the promotion is complete, wait 15 minutes and perform the same steps with the other DC.

• Neither of these DC's hold any FSMO roles and all DNS zones are AD integrated.

• Domain and Forest Functional Level is Windows Server 2008R2

Does anyone see an issue with this plan? I just want to make sure there is no issue with demoting a DC, and then 15 minutes later promoting a DC with the exact same name and IP address as the one we previously demoted.

The reason I'm using the same name and IP address is that there is more than likely many systems that are pointed at these 2 DC's for DNS, etc. and I don’t have the time to hunt those down and change the configs on systems that may be doing so.

Hello Experts,

I want to know each and every thing about ADDS. How would I become master in Active directory.

I am working in active directory but still I think I would like to know more.

Thanks in advance.

Regards

Biswajeet

Hi!

One of our domain pcs' computer account has been deleted from active directory due to some unknown reason. The administrator account on this pc is also disabled and the user is unable to login to domain. We created a computer account manually in the domain controller but it did not work.

Any Suggestion?

Thanks.

Hi all,

I have two servers running Server 2012 R2.

There are two AD sites, in site 1, I have the primary ADFS server running on a member server.  In site 2 I have a secondary ADFS server running on the only DC in the site.  There will be WAP servers publishing these servers in either site.

I successfully set up the first ADFS server in site 1, and this is working ok.  However, when I set up the server in site 2 I get the following error during the prerequisite checker:

Could not load file or assembly 'System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' or one of its dependencies. Access is denied.

Unable to retrieve configuration from the primary server. Could not load file or assembly 'System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' or one of its dependencies. Access is denied.

I ran this as my domain admin account and also as domain\administrator which is seldom used.

When I run the resulting PowerShell script, I get errors relating to the GSMA, so not sure if that is where my issue lies.  Here is the script:

# Windows PowerShell script for AD FS Deployment
#

Import-Module ADFS

# Get the credential used for performaing installation/configuration of ADFS
$installationCredential = Get-Credential -Message "Enter the credential for the account used to perform the configuration."

Add-AdfsFarmNode `
-CertificateThumbprint:"Thumbprint Here" `
-Credential:$installationCredential `
-GroupServiceAccountIdentifier:"DOMAIN\STSSvc`$" `
-PrimaryComputerName:"machine.domain.net"

I tried using the FQDN of the ADFS server as well as the common name of sts.domain.net, neither worked.

Any suggestions?

Andrew Hodgson

We have an environment which consist of two separate domains and forests. Domain N is located in Norway and Domain P in Poland. There is an AD trust configured between both domains. Each user has it's own user account in each domain. Each domain has it's own GPO with folder redirection configured. We are trying to figure out what we can do to give users they personal data for both user accounts (from one place), e.g. user1@domainN.com is saving document in My documents which is redirected to \\server1.domainN.com\users$. And what is the best way to allow the user1@domainP.com to get access to this data?

Hi all,

Just making sure I havent missed anything out.

1. All FSMO roles have been transfered to the new domain controllers (2008)
2. The new DC's are all Global Catalogues
3. The DNS roles have been removed on the 2003 DC's for a week and no problems were found.
4. The net logon service has been disabled for a week on the 2003 DC's and no problems were found.
5. We have a single site so I moved the bridgehead role over to one of the new DC's.Did I need to do this????????
6. Ran DCpromo on one of the 2003 dc's and which went through no issue apart from leaving some dns records in DNS (.svr files) which I cleaned up manually.
7. I ran ntdsutil.exe to make sure there was no sign of the server in the server list, which there wasn't.
8. Replication is working fine this morning and no issues reported.

Have I missed anything before I demote the next one?

Thanks

Mac

Hi i have 2 DC's in my environment,

DC1 -2008R2

DC2 -2003R2

i am replacing the Server 2003R2 DC1 with a new 2012R2 DC, part of this is updating the Schema, Forest and Domain to accommodate the 2012R2 DC

shortly a Site office will be installing 2 new DC's DC3 and DC4 but they only have licenses for 2012, not 2012R2 are there any issues with running the ADPREP from 2012R2 then installing 2012 DC's later in the same domain?

just wanted to be sure.

Sorry for the stupid question! 

many thanks

Can you please advise what Microsoft best practices are on installing SIEM agents on AD and Exchange for log collection.

For Instance Qradar solution insists to install WinCollect on AD and Exchange, but I am reluctant fearing that it will utilize compute and memory resource creating bottlenecks..

I would rather collect information through WMI..

Any Microsoft document strengthening my opinion?

Ikhlass M. Wardally

I want to understand if we change User logon Name to Employee Number format in Active Directory for all User accounts, then what would be the impact on existing profile. Whether we need to change it manualy or it will connect to same profiles in terminal session.

As i observed it create new profile after logon name changed to employee number where existing users profile settings get fails to load and prompt for new settings (such as outlook reconfiguration, share drive mapping etc.).

Kindly let me know the proper process to overcome with this, how to connect same existing roaming profile with employee number format change.

Hi,

I've reviewed an awful lot of posts but nothing seems to be helping on the issue I have.  I'll explain the background - there was/is a two-tier PKI with Standalone Offline Root and Enterprise Issuing CA. Issuing CA running 2008 R2. Smart cards were working fine.  This was setup many years ago and since then the Root CA has been lost (before my time here - possibly deleted, lost during Datacentre migration - it doesn't matter how, but it's gone so I'm unable to update the CRL).

The CRL certificate expired and smartcards failed to login. Other certs have a warning, but continue to function atm.

I have stood up a new two-tier PKI with 2012 R2, offline root and enterprise issuing CA.  I've removed the templates from the old issuing CA and enabled them on the new Issuing CA. All certs except Smart Cards are working.

PKIView is all good, CDP & AIA are all available with no errors on the new PKI.

Certutil -enterprise -verifystore NTAuth displays the certificate (and the previous Root, and the one before that!)

================ Certificate 2 ================
Serial Number: 41000000027aa36b1fa6fe556c000000000002
Issuer: CN=Root-CA
 NotBefore: 28/11/2014 17:37
 NotAfter: 28/11/2024 16:53
Subject: CN=Issuing-CA1, dc=domain, dc=local
CA Version: V0.0
Certificate Template Name (Certificate Type): SubCA
Non-root Certificate
Template: SubCA, Subordinate Certification Authority
Cert Hash(sha1): 69 dc 5b 2d ce 03 60 9a c8 c7 65 e4 17 66 59 19 f4 f3 9b 23
No key provider information
Cannot find the certificate and private key for decryption.
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 4 Days, 17 Minutes, 57 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 4 Days, 17 Minutes, 57 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=Root-CA
  NotBefore: 28/11/2014 17:37
  NotAfter: 28/11/2024 16:53
  Subject: CN=Issuing-CA1, dc=domain, dc=local
  Serial: 41000000027aa36b1fa6fe556c000000000002
  Template: SubCA
  69 dc 5b 2d ce 03 60 9a c8 c7 65 e4 17 66 59 19 f4 f3 9b 23
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    CRL 02:
    Issuer: CN=Root-CA
    e2 4f 10 52 dc 51 ce 69 f3 34 84 20 8d ee 7d cb 35 6c e0 d6

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=Root-CA
  NotBefore: 28/11/2014 16:43
  NotAfter: 28/11/2024 16:53
  Subject: CN=Root-CA
  Serial: 7a06617d72011bbd4eca9c7045377537
  a6 d0 cc ad 60 75 12 6f 93 ce 36 50 56 01 ff 7e c1 de 0e 65
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
  78 51 c3 a3 43 70 48 34 4f 77 a6 86 aa 72 b7 cc 85 2c e6 ef
Full chain:
  12 e1 0e 77 c2 7f 9e f8 dc 62 5e 15 70 1d 82 7c b9 a0 ff 5e
  Issuer: CN=Root-CA
  NotBefore: 28/11/2014 17:37
  NotAfter: 28/11/2024 16:53
  Subject: CN=Issuing-CA1, dc=domain, dc=local
  Serial: 41000000027aa36b1fa6fe556c000000000002
  Template: SubCA
  69 dc 5b 2d ce 03 60 9a c8 c7 65 e4 17 66 59 19 f4 f3 9b 23
A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800
------------------------------------
Certificate is NOT valid: A certification chain processed correctly, but one of the CA certificates is not trusted by
x800b0112 (-2146762478)

Certutil -verify %cert.crt% looks OK

certutil -verify c:\newdomainauthcert.cer
Issuer:
    CN=Issuing-CA1
    dc=domain
    dc=local
Subject:
    EMPTY (DNS Name=DC1.domain.local)
Cert Serial Number: 67000000407709f626c5a6a2a1000000000040

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 3 Days, 22 Hours, 23 Minutes, 12 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 3 Days, 22 Hours, 23 Minutes, 12 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=Issuing-CA1, dc=domain, dc=local
  NotBefore: 02/12/2014 14:21
  NotAfter: 02/12/2015 14:21
  Subject:
  Serial: 67000000407709f626c5a6a2a1000000000040
  SubjectAltName: DNS Name=DC1.domain.local
  Template: Domain Controller Authentication
  c4 eb fe ac 5c a6 5b b5 37 c2 0d 59 5e 1e 7d c1 ff ac d3 85
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    CRL 12:
    Issuer: CN=Issuing-CA1, dc=domain, dc=local
    4c b8 cb c3 ca 25 ad 13 d2 f8 82 6d c0 ab 04 aa 8b 65 e3 c5
    Delta CRL 13:
    Issuer: CN=Issuing-CA1, dc=domain, dc=local
    a7 cd 33 aa b2 ed 8e a7 5c 22 cf 60 98 45 d8 3b 4e 34 45 d4
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[2] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=Root-CA
  NotBefore: 28/11/2014 17:37
  NotAfter: 28/11/2024 16:53
  Subject: CN=Issuing-CA1, dc=domain, dc=local
  Serial: 41000000027aa36b1fa6fe556c000000000002
  Template: SubCA
  69 dc 5b 2d ce 03 60 9a c8 c7 65 e4 17 66 59 19 f4 f3 9b 23
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    CRL 02:
    Issuer: CN=Root-CA
    e2 4f 10 52 dc 51 ce 69 f3 34 84 20 8d ee 7d cb 35 6c e0 d6

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=Root-CA
  NotBefore: 28/11/2014 16:43
  NotAfter: 28/11/2024 16:53
  Subject: CN=Root-CA
  Serial: 7a06617d72011bbd4eca9c7045377537
  a6 d0 cc ad 60 75 12 6f 93 ce 36 50 56 01 ff 7e c1 de 0e 65
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
  66 ef a4 ea bc e8 2e 48 d1 80 81 ef 94 81 63 88 9a 6c d0 ef
Full chain:
  17 08 b2 74 ee 70 70 96 68 0e 8c 9d ac 1a b0 59 a0 12 d7 69
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
    1.3.6.1.5.5.7.3.2 Client Authentication
    1.3.6.1.5.5.7.3.1 Server Authentication
    1.3.6.1.4.1.311.20.2.2 Smart Card Logon
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

On the DCs I am receiving the Kerberos-Key-Distribution-Center Event ID 19 & 29.  I have requested new Domain Controller Authentication & Kerberos Authentication certificates for all DCs, and on the site where we are testing the logon I have removed the old certs from the Computer\Personal store for Domain Controller Authentication/Kerberos Authentication - tried again and still it failed with the message "The system could not log you on. You cannot use a smart card to log on because smart card logon is not supported for your user account...."

When I restart the Kerberos Key Distribution Center service I see the Event ID 29.

I've reviewed the following KB's and all have not helped:

• http://technet.microsoft.com/en-us/library/cc733944%28v=ws.10%29.aspx
• http://technet.microsoft.com/en-us/library/cc734096.aspx

Does anyone have any thoughts why this may be happening?

Thanks

When I try to view settings in a GPO I am getting the error below. I see this when I try to view them while logged into any of my 2012 DC's but when I open the Group Policy Management MMC on my Windows 7 machine it works great.

"The following errors were encountered: Resource '$(string.VerMgmtAuditModeEnable)' referenced in attribute displayName could not be found. File C:\Windows\PolicyDefinitions\inetres.admx, line 1495, column 249"

Thoughts/Suggestions would be appreciated.

Thanks!

Unable to connect to the NETLOGON share! (\\DC02\netlogon)

         [DC02] An net use or LsaPolicy operation failed with error

         67, The network name cannot be found..

         ......................... DC02  failed test NetLogons

Note : I have two dc in the org. one is dc01 and dc02; Both DC'S are having the issue , i mean netlogon is missing on both dc sudden.

any help would be appreciated 

Pradip Sisodiya