Hello, I saw this question / issue several time but couldn´t find the explanation. User needs to change their password every 30 days (no Fine-Grained Password Policy). I have an user object with an pwdLastSet 8/4/2014. The lastLogon attribute is set to 10/30/2014 on one DC and empty on all other DCs (normal behavior).

The lastLogonTimestamp attribute however is set to 7/25/2015 (on all DCs) for that user object.

How is this possible or what can cause an update of the lastLogonTimestamp attribute although the password of the user object is expired ? This circumstance brakes our process to identify inactive users.

Hi,

Can anyone help me with below scenario.

OS : windows server 2008 R2

Domain : Contosocorp.com

I was trying to create an SPN entry for multiple users using below command and the operation aborted saying duplicate spn exist as I was using same SPN entry for morethan one users.

setspn -X gfs.ks.contoso.com/bddge016.ks.contoso.com@DEV.contoso.COM BDE2.CONTOSOCORP.COM\test1
setspn -X gfs.ks.contoso.com/bddge016.ks.contoso.com@DEV.contoso.COM BDE2.CONTOSOCORP.COM\test2
setspn -X gfs.ks.contoso.com/bddge016.ks.contoso.com@DEV.contoso.COM BDE2.CONTOSOCORP.COM\test3

Is there any alternate or Is it possible to create the same using KTPASS ? If yes, can you please help me by changing this command to fit my setup ?

Hi,

I was restoring a deleted object from windows 2008 R2 DC. 

I have took the system state backup to remote share and was trying to restore deleted OU from the backup which is shared in remote path using windows server backup.Backup says successfully recoverd, but I can,t see the deleted object back in AD.

But I have used the same system state backup and tried restoring via ntdsutil and found object recoverd successfully.

Can anyone tell me why it is not properly getting restored when using windows server backup ?

I have to upgrade two W2K8 DCs, one of which seems to have pretty much all clients authenticating to it. There will be two other DCs in the site when I do this.

What is the likely effect? Will Exchange 2010 freak out if it happens to be bound to this server? I don't especially want to take it out of the domain just to do this RAM upgrade.

Tim

Tim Gowen

I've got a RWDC in my LAN, and a RODC setup in my DMZ. The DMZ has appropriate subnets and links and is replicating properly from the RWDC. When trying to join a computer in the DMZ to the domain via the RODC, I'm actually prompted with a username and password box, suggesting that the RODC is trying to authenticate. However, once proper credentials are supplied, I get an error saying the domain itself either doesn't exist or can't be contacted.

To confirm the nearest DC, its IP, and its assigned site, I've used:

Hi ,

My question is if my Domain Controller Hard Disk is faulty. i am going to change it. so what backup i need to take. 

1)Full DC Backup or 2)System backup

THanks

Riz

Windows 7 Pro 64 bit computer working normally or recently rebooted. User tries to logon and the access denied message displays. I try to logon with local admin account and get the same error. Sometimes rebooting the pc will allow you to logon correctly but we have had to boot into safe mode and choose "active directory repair" on several machines. This has happened on several windows 7 desktops and one 2008 r2 server running Terminal Services. We have about 80 user computers and so far 10 have had this issue over the last month.

Our 2 DC servers are Windows 2008 R2. I couldn't find any AD errors.

To "fix" the pc we had to:

1.Boot into Safe Mode with Command Prompt
2.At the DOS prompt (Cmd) window, type MSCONFIG and press Enter
3.When MSCONFIG opens click the "Boot Options" tab
4.Click the option for "Active Directory Repair"
5.Exit MSCONFIG, and reboot the PC
The PC will boot into Safe Mode regardless of what you choose (e.g. "Start Windows Normally")
You may need to reboot more than once for the repair to be completed, mine needed 2 times.

When a computer has the issue I cannot logon with the domain credentials or the local admin user credentials. Unplugging the network cable doesn't help. The only way to "fix" the issue is to boot into safe mode, login with local admin account and run msconfig, safe boot, active directory repair.

Does anyone know what Safeboot Active Directory repair does? I reboot into this mode and then I reboot again normally and the issue is resolved. If I knew what exactly happens when I boot into safe mode with active directory repair checked then maybe I can understand the problem more.

Hello,

I have ADCS deployment. One server is Enterprise CA, another one has Certification Authority Web Enrollment role installed. All servers are 2012 R2.

When I go to https://server2/certsrv/ and click "Download a CA certificate, certificate chain, or CRL" I got an error "An unexpected error has occurred: The Certification Authority Service has not been started."

Please advise.  

Note. I can successfully download it from server2. If I click to "Download a CA certificate ..." from other member server I get an error.

Slava Fedenko
MCSE | Blog | LinkedIn | Twitter

Hi,

We are currently having a problem with users passwords that have reached the renewal period and cannot be changed. They get an error message: “The security database on the server does not have a computer account for this workstation trust relationship.”

The computers used to change the passwords are all different and sometimes it works.

This leads met to believe that it’s not related to 1 specific computer but more a domain controller which is having the issue. So we tried to isolate the DC by changing the SRV record by way of LdapSrvPriority registry key. Some admins are now able to change their passwords but we are still having the problem with other admins, Citrix password reset and via RES.

There are several problems listed in DCdiag, I have noticed many SPN entries and a cleanup is planned. However the main issue I’m trying to solve is the password change one.

How can we troubleshoot this?

Is there a way to see which users are being authenticated on which server for ALL the users in AD?

I found PS this script but it accepts only 1 user:  https://gallery.technet.microsoft.com/scriptcenter/Get-Active-Directory-User-bbcdd771

Tried to modify it with get-content but failed.

The Idea was to verify which users login /authenticated on which server and let them try to change the password to see that when it works, which DC was used.

Any help/ideas would be appreciated.

Timotatty

Hello All,

We are using SAP based identity tool for creation and deletion of Active directory users. In Active directory we have recently promoted 2012 Domain Controllers. We have provided all the necessary rights to the tool for creating and deleting the users.

For the last 4 years that tool always uses 544 upon creation of id, with 2008 r2 sp1 Domain Controllers. But last few days the Ad ids are not able to disable via 546. Attached is the error seen in identity tool.

Apart from Domain controller change from 2008 r2 to 2012 r2, there was not a single change in AD? Is there any difference in user account control in 2008 r2 to 2012 r2?

Thanks HA

Here is 

Health Report and errors i recieve for DFS -

Please help. 

Inconsistent configuration detected (missing object).  

  Affected replicated folders: All replicated folders on this server. 
  Description: The DFS Replication service detected an inconsistent msDFSR-Connection object while polling domain controller server_name for configuration information. The object at CN=e6fac33b-b496-4a67-be5f-df00e7689d4b,CN=4cf2cc35-0a1a-4e0a-8ab2-3c7fabdf75bd,CN=Topology,CN=***.local\\files\\store31,CN=DFSR-GlobalSettings,CN=System,DC=***,DC=local references another object at CN=f9bcc74c-ed88-4e14-a545-98acd1fd424d\0ADEL:8e26da1d-fb7c-4aac-acd6-67fed321d3c9,CN=Deleted Objects,DC=***,DC=local that does not exist. Event ID: 6006 
  Last occurred: ‎9‎/‎8‎/‎2015 at ‎4‎:‎25‎:‎45‎ ‎PM (GMT-5:00) 
  Suggested action: The service will try polling again in 60 minutes. If the problem continues, The Microsoft Web Site.  



  WARNINGS (There are 2 warnings to report)



 This member is waiting for initial replication for replicated folder Common.  
  Affected replicated folders: Common 
  Description: This member is waiting for initial replication for replicated folder Common and is not currently participating in replication. This delay can occur because the member is waiting for the DFS Replication service to retrieve replication settings from Active Directory Domain Services. After the member detects that it is part of replication group, the member will begin initial replication.  
  Last occurred: ‎9‎/‎8‎/‎2015 at ‎4‎:‎26‎:‎51‎ ‎PM (GMT-5:00) 
  Suggested action: Replication will begin after initial replication is complete. If this state does not change, see The Microsoft Web Site.  


 Volume D: is low on disk space.  
  Affected replicated folders: Common 
  Description: Volume D: is low on disk space. If this volume becomes full, the DFS Replication service will stop replication on the volume.  
  Last occurred: ‎9‎/‎8‎/‎2015 at ‎4‎:‎26‎:‎53‎ ‎PM (GMT-5:00) 
  Suggested action: Increase available disk space on the specified volume or move the replicated folder to a different volume. See additional information about disk space under the informational section in the table titled "Current used and free disk space on volumes where replicated folders are stored.”  



  INFORMATIONAL



 Service state: Running 



 DFS Replication service uptime: 21 min.  


 DFS Replication service version: 6.1.7601.17514 


 Summary of replicated folder status 
  The following table provides a high-level overview of replicated folder status on this server. 


Replicated Folder Status # of Files Received DFS Replication Bandwidth Savings 
Common Waiting for initial replication 0 0.00% 

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = cr-ad-1
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\CR-AD-1
      Starting test: Connectivity
         ......................... CR-AD-1 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\CR-AD-1
      Starting test: Advertising
         Warning: DsGetDcName returned information for
         \\CR-DC-2.contoso.example, when we were trying to reach CR-AD-1.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... CR-AD-1 failed test Advertising
      Starting test: FrsEvent
         ......................... CR-AD-1 passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... CR-AD-1 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... CR-AD-1 passed test SysVolCheck
      Starting test: KccEvent
         ......................... CR-AD-1 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... CR-AD-1 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... CR-AD-1 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... CR-AD-1 passed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\CR-AD-1\netlogon)
         [CR-AD-1] An net use or LsaPolicy operation failed with error 67,
         The network name cannot be found..
         ......................... CR-AD-1 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... CR-AD-1 passed test ObjectsReplicated
      Starting test: Replications
         ......................... CR-AD-1 passed test Replications
      Starting test: RidManager
         ......................... CR-AD-1 passed test RidManager
      Starting test: Services
         ......................... CR-AD-1 passed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x00001796
            Time Generated: 09/08/2015   11:20:10
            Event String:
            Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
         An error event occurred.  EventID: 0x0000271A
            Time Generated: 09/08/2015   11:55:32
            Event String:
            The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
         An error event occurred.  EventID: 0x0000271A
            Time Generated: 09/08/2015   11:55:33
            Event String:
            The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
         A warning event occurred.  EventID: 0x000727A5
            Time Generated: 09/08/2015   11:56:07
            Event String:
            The WinRM service is not listening for WS-Management requests.
         A warning event occurred.  EventID: 0x00000090
            Time Generated: 09/08/2015   11:57:59
            Event String:
            The time service has stopped advertising as a good time source.
         A warning event occurred.  EventID: 0x00001796
            Time Generated: 09/08/2015   12:00:34
            Event String:
            Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
         ......................... CR-AD-1 failed test SystemLog
      Starting test: VerifyReferences
         ......................... CR-AD-1 passed test VerifyReferences


   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : cristorey
      Starting test: CheckSDRefDom
         ......................... cristorey passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... cristorey passed test CrossRefValidation

   Running enterprise tests on : contoso.example
      Starting test: LocatorCheck
         ......................... contoso.example passed test LocatorCheck
      Starting test: Intersite
         ......................... contoso.example passed test Intersite

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = CR-DC-2
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\CR-DC-2
      Starting test: Connectivity
         ......................... CR-DC-2 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\CR-DC-2
      Starting test: Advertising
         ......................... CR-DC-2 passed test Advertising
      Starting test: FrsEvent
         ......................... CR-DC-2 passed test FrsEvent
      Starting test: DFSREvent
         ......................... CR-DC-2 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... CR-DC-2 passed test SysVolCheck
      Starting test: KccEvent
         ......................... CR-DC-2 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... CR-DC-2 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... CR-DC-2 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... CR-DC-2 passed test NCSecDesc
      Starting test: NetLogons
         ......................... CR-DC-2 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... CR-DC-2 passed test ObjectsReplicated
      Starting test: Replications
         ......................... CR-DC-2 passed test Replications
      Starting test: RidManager
         ......................... CR-DC-2 passed test RidManager
      Starting test: Services
         ......................... CR-DC-2 passed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x00001696
            Time Generated: 09/08/2015   11:13:31
            Event String:
            Dynamic registration or deregistration of one or more DNS records failed with the following error:
         A warning event occurred.  EventID: 0x00000081
            Time Generated: 09/08/2015   11:13:31
            Event String:
            NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)
         A warning event occurred.  EventID: 0x00000081
            Time Generated: 09/08/2015   11:13:33
            Event String:
            NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)
         A warning event occurred.  EventID: 0x00000081
            Time Generated: 09/08/2015   11:16:10
            Event String:
            NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)
         An error event occurred.  EventID: 0x0000168E
            Time Generated: 09/08/2015   11:16:11
            Event String:
            The dynamic registration of the DNS record 'contoso.example. 600 IN A 172.16.0.121' failed on the following DNS server:
         An error event occurred.  EventID: 0x0000168E
            Time Generated: 09/08/2015   11:16:11
            Event String:
            The dynamic registration of the DNS record 'gc._msdcs.contoso.example. 600 IN A 172.16.0.121' failed on the following DNS server:
         An error event occurred.  EventID: 0x0000168E
            Time Generated: 09/08/2015   11:16:11
            Event String:
            The dynamic registration of the DNS record 'ForestDnsZones.contoso.example. 600 IN A 172.16.0.121' failed on the following DNS server:
         An error event occurred.  EventID: 0x0000168E
            Time Generated: 09/08/2015   11:16:11
            Event String:
            The dynamic registration of the DNS record 'DomainDnsZones.contoso.example. 600 IN A 172.16.0.121' failed on the following DNS server:
         A warning event occurred.  EventID: 0x00000081
            Time Generated: 09/08/2015   11:16:11
            Event String:
            NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)
         An error event occurred.  EventID: 0x00000457
            Time Generated: 09/08/2015   11:19:38
            Event String:
            Driver Brother PT-2730 required for printer Brother PT-2730 is unknown. Contact the administrator to install the driver before you log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 09/08/2015   11:19:39
            Event String:
            Driver Foxit Reader PDF Printer Driver required for printer Foxit Reader PDF Printer is unknown. Contact the administrator to install the driver before you log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 09/08/2015   11:19:39
            Event String:
            Driver Microsoft XPS Document Writer required for printer Microsoft XPS Document Writer is unknown. Contact the administrator to install the driver before you log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 09/08/2015   11:52:25
            Event String:
            Driver Brother PT-2730 required for printer Brother PT-2730 is unknown. Contact the administrator to install the driver before you log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 09/08/2015   11:52:27
            Event String:
            Driver Foxit Reader PDF Printer Driver required for printer Foxit Reader PDF Printer is unknown. Contact the administrator to install the driver before you log in again.
         An error event occurred.  EventID: 0x00000457
            Time Generated: 09/08/2015   11:52:27
            Event String:
            Driver Microsoft XPS Document Writer required for printer Microsoft XPS Document Writer is unknown. Contact the administrator to install the driver before you log in again.
         ......................... CR-DC-2 failed test SystemLog
      Starting test: VerifyReferences
         ......................... CR-DC-2 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : cristorey
      Starting test: CheckSDRefDom
         ......................... cristorey passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... cristorey passed test CrossRefValidation

   Running enterprise tests on : contoso.example
      Starting test: LocatorCheck
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         ......................... contoso.example failed test LocatorCheck
      Starting test: Intersite
         ......................... contoso.example passed test Intersite

HI,

WIndows  AD Client  machine is very slow. where should i check in Group Policy setting For this issue ?

thanks

Hi all I received continuous mail from my exchange server's email address administrator@domian.xx.xx

The contents of the email is

"The mail store[Mailbox-database-XX] size exceeds 85 GB(s), the time
interval of notification is 1 hr(s)" 

Any could provide some hints on these or solution might be appreciated.

Regards

----- bsl

Hi All,

I want to create an new active directory user account.

I am able to create accounts . but iam unable to create uid attribute while creating new user accounts.

Is there a way to create user account along with the uid attribute.

regards

Soma.

HI,I have more then 10 DC in My Different Site. I tool systemstatebackup  DC01 on sunday and it failed on tuestday. and resaon of fail hard disk crashed. Now i have connect new hard disk. and install windows server and promote DC. how can i restore backup. is it work only restore backup. ? or i needed to take full backup.

Thanks

Hello,

Does anyone knows if there is a version of ADMT which can be run on x64 machines?

On the Internet until now I found only the version for x32 bits.

Thanks in advance.

Kind regards,

RD