Channel: Directory Services forum

Backing up and Restoring a Domain Controller hosted on Amazon Web Services


We are fairly new to active directory, and we are trying to create a disaster recovery plan for the DC we have hosted at Amazon Web Services.

In AWS, one of the common methods of backup is to take a 'snapshot' of the state of a virtual server.  This snapshot will include all data stored on its virtual disk drives.  Should the virtual server fail, a new virtual server can be spun up from a snapshot.

My concern is for the integrity of Active Directory in a disaster recovery scenario.  Suppose our AWS DC crashes due to some kind of hardware failure at AWS.  We can have a replacement DC spun up from our backup within minutes.  However, suppose our backup snapshot is 7 days old.  When we spin up the DC based on this backup, the DC will come up in the state it was 7 days previously.  Also suppose there have been considerable changes in our domain since that backup was made.  My question is, is ADDS on the restored AWS DC smart enough to 'catch up' on what it 'missed' without corrupting our AD?

If the answer to the above is no, what are some viable alternatives for disaster recovery?
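Whether a DC restored from a snapshot "catches up" safely depends on whether AD recognises the restore. A DC brought back from a disk image that AD does not know was restored can keep issuing update sequence numbers (USNs) its partners have already acknowledged; AD detects this as USN rollback, sets the "DSA Not Writable" registry value to 4 and stops replication on that DC. Windows Server 2012 and later DCs on a hypervisor that exposes a VM Generation ID detect a snapshot restore and reset their invocation ID so replication can continue; without that, the supported path is a system state backup (wbadmin) and a non-authoritative restore. The following is an added example, not from the thread, that reports those indicators on the restored DC; it assumes it runs locally on the DC with the ActiveDirectory module available.

```powershell
# Added example (not from the original thread): report the signs that AD treats a
# snapshot-restored DC as a USN rollback. Assumes local execution on the DC and the
# ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-UsnRollbackIndicators {
    # After detecting USN rollback, AD sets "DSA Not Writable" = 4 under the NTDS
    # parameters key and disables inbound and outbound replication for this DC.
    $ntds = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                             -ErrorAction SilentlyContinue
    $dsaNotWritable = $ntds.'DSA Not Writable'

    # Directory Service log: 2095 = USN rollback detected, 2103 = database restored with an
    # unsupported procedure (replication disabled), 1394 = problems resolved, replication resumed.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095, 2103, 1394 } `
                           -MaxEvents 20 -ErrorAction SilentlyContinue

    # Server 2012+ DCs record the VM Generation ID they last saw in msDS-GenerationId; a change
    # after a snapshot restore is what lets the DC reset its invocation ID instead of rolling back.
    $self = Get-ADComputer -Identity $env:COMPUTERNAME -Properties 'msDS-GenerationId'

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        DsaNotWritable  = $dsaNotWritable
        UsnRollback     = ($dsaNotWritable -eq 4)
        RelevantEvents  = $events | Select-Object TimeCreated, Id,
                              @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
        HasGenerationId = [bool]$self.'msDS-GenerationId'
        InvocationId    = (Get-ADDomainController -Identity $env:COMPUTERNAME).InvocationId
    }
}

Get-UsnRollbackIndicators | Format-List
```

A DC that reports UsnRollback = $true should not be left on the network; the recovery is to demote it (or clean up its metadata) and promote a fresh DC, rather than trying to make the old copy catch up. A second DC in another availability zone avoids the whole question, since a lost DC is then rebuilt from replication instead of from a backup.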


Copy group memberships from specific user to another user with powershell?


Hi All

I need to copy the group memberships from a specific user to another user with PowerShell. But we can't use Quest or any snap-ins. How can we do this?
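The built-in ActiveDirectory module that ships with RSAT covers this without any third-party snap-in. The following is an added example, not from the thread: it copies the direct group memberships of one user to another, skipping AdminSDHolder-protected groups unless explicitly asked, so a routine copy cannot quietly hand out admin-level rights. Usernames are placeholders; it assumes the caller may modify the groups involved.

```powershell
# Added example (not from the original thread): copy direct group memberships from one user
# to another with the built-in ActiveDirectory module. Usernames below are placeholders.
Import-Module ActiveDirectory

function Copy-ADUserGroupMembership {
    param(
        [Parameter(Mandatory)][string]$SourceSam,
        [Parameter(Mandatory)][string]$TargetSam,
        [switch]$IncludeProtectedGroups,   # by default AdminSDHolder-protected groups are skipped
        [switch]$WhatIf
    )
    $source = Get-ADUser -Identity $SourceSam -Properties memberOf
    $target = Get-ADUser -Identity $TargetSam -Properties memberOf

    # memberOf lists the groups the user is a direct member of. The primary group (normally
    # Domain Users) is not in it and is left untouched; nested memberships follow automatically.
    $missing = @($source.memberOf | Where-Object { $target.memberOf -notcontains $_ })
    $added   = @()

    foreach ($groupDn in $missing) {
        $group = Get-ADGroup -Identity $groupDn -Properties adminCount
        # adminCount = 1 marks groups protected by AdminSDHolder (Domain Admins and the like).
        # Copying those is a privilege grant, so require an explicit opt-in.
        if ($group.adminCount -eq 1 -and -not $IncludeProtectedGroups) {
            Write-Warning "Skipping protected group $($group.Name); use -IncludeProtectedGroups to copy it"
            continue
        }
        Add-ADGroupMember -Identity $group -Members $target -WhatIf:$WhatIf
        $added += $group.Name
    }
    [pscustomobject]@{
        Source  = $SourceSam
        Target  = $TargetSam
        Added   = $added
        Skipped = $missing.Count - $added.Count
    }
}

# Dry run first, then for real (placeholder account names):
Copy-ADUserGroupMembership -SourceSam 'jsmith' -TargetSam 'anewhire' -WhatIf
Copy-ADUserGroupMembership -SourceSam 'jsmith' -TargetSam 'anewhire'
```

Note that memberOf is populated from the local domain's view, so domain-local groups in other domains of the forest are not copied; run the function against a DC of each domain (Get-ADUser -Server) if that matters.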

PRIMARY DOMAIN CONTROLLER RECOVERED BUT FAILED TO SERVICE


Hi,

Both our primary and secondary domain controllers have crashed. I restored the primary DC from a full server backup, but I am still not able to get it working. There are no backups of the secondary DC. The primary DC has the DHCP role installed.

What are the steps I should follow? I need an explained answer. Thanks.

Kerberos Delegation across forest trust - Server 2008 R2 Forest Functional Level


I am working with the following scenario - cross forest dual hop Kerberos authentication to SQL SSRS. 

There is a two-way forest trust between forests. User in Forest A is logging in to computer in Forest B.  From that computer, Forest A user is browsing to a web server (middle tier) which is delegated to impersonate this user to the back-end SQL reporting services machine. All resources are in Forest B.

What we are seeing is that Kerberos authentication works for users in Forest B, but not in Forest A. Wireshark shows this error:

KDC_ERR_S_PRINCIPAL_UNKNOWN

Looks like the domain in Forest A cannot determine the SPN records registered in Forest B and I cannot figure out if this is supported across forest trust in 2008 R2. Can someone kindly point me in the right direction?

Thank you.
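KDC_ERR_S_PRINCIPAL_UNKNOWN means the KDC that received the ticket request could not find the requested service principal name, so the first thing to establish is where each SPN in the chain (the web tier and the SQL Reporting Services back end) is registered, and that it is registered exactly once. The added example below, not from the thread, queries a global catalog in each forest for a list of SPNs and flags missing and duplicate registrations. It assumes the ActiveDirectory module, that the two-way trust lets the caller read both forests (otherwise add -Credential), and uses placeholder forest and host names. Note also that with Server 2008 R2 domain controllers, constrained delegation configured in Users and Computers requires the front-end and back-end services to be in the same domain; crossing domain or forest boundaries needs the resource-based constrained delegation introduced with Windows Server 2012.

```powershell
# Added example (not from the original thread): look up SPNs in both forests of a trust to
# trace a KDC_ERR_S_PRINCIPAL_UNKNOWN to a missing or duplicated registration.
# Forest and service names are placeholders.
Import-Module ActiveDirectory

function Find-SpnInForest {
    param(
        [Parameter(Mandatory)][string]$Spn,
        [Parameter(Mandatory)][string]$ForestRootDns
    )
    # Query a global catalog (port 3268) so every domain of the forest is covered in one search.
    $gc = (Get-ADForest -Identity $ForestRootDns).GlobalCatalogs | Select-Object -First 1
    Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Server "$($gc):3268" `
                 -Properties servicePrincipalName |
        Select-Object @{ n = 'Forest'; e = { $ForestRootDns } }, Name, ObjectClass, DistinguishedName
}

function Test-SpnRegistration {
    param([string[]]$Spns, [string[]]$Forests)
    foreach ($spn in $Spns) {
        $hits   = @(foreach ($f in $Forests) { Find-SpnInForest -Spn $spn -ForestRootDns $f })
        $status = switch ($hits.Count) { 0 { 'MISSING' } 1 { 'ok' } default { 'DUPLICATE' } }
        [pscustomobject]@{
            Spn     = $spn
            Found   = $hits.Count
            Status  = $status
            Holders = ($hits | ForEach-Object { "$($_.Forest):$($_.Name)" }) -join ', '
        }
    }
}

# Both the middle tier's SPN and the back end's SPN must resolve to exactly one account.
Test-SpnRegistration -Spns 'HTTP/reports.forestb.example', 'MSSQLSvc/sql01.forestb.example:1433' `
                     -Forests 'foresta.example', 'forestb.example' | Format-Table -AutoSize
```

A DUPLICATE result is as much a failure as MISSING: the KDC cannot pick an account and the client falls back to NTLM, which does not support delegation at all.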

Walter B.

I am trying to do away with logging on to the PC; each time my wife uses it I have to come into the room for assistance.

Restricting Group and User Permissions in Active Directory


I have the need to create a limited permissioned user that will just be able to browse the AD ldap.  This is what I have done so far:

Created a user - ldap.user

Created a group - no-priv

I removed "ldap.user" from the Domain Users group and made "no-priv" the primary and only group that ldap.user is a part of, since Domain Users usually has permissions not necessary for this user.  I then ran ldp.exe to see if the user could bind and browse the LDAP directory, and it worked fine.  It's my understanding that only "List contents" permissions are needed to browse LDAP, so I did the following.

Using the security tab for the no-priv group I selected "Advanced" and then added "no-priv".  I then only selected List contents in the "Permission Entry for no-priv" popup window.  Applied the settings and I was still able to browse using LDP when binding as the ldap.user, which I expected.

As an additional test I highlighted the "no-priv" group in the Advanced Security settings window and selected Edit.  I then selected  Deny for everything and hit apply.  I then disconnected and reconnected as the ldap.user and was still able to browse the ldap as before, which I assumed would not work.  

I would have thought that ldap.user, which is a member and only a member of the highly restricted "no-priv" group, would not have been able to browse LDAP with everything denied for the group.  I'm obviously missing a piece.  Can someone explain why this isn't working as I would expect?
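Two things are worth checking in this setup. First, ACEs placed through the Security tab of the no-priv group live on that one group object, so they govern who can read the group, not what members of the group can read elsewhere. Second, a bound user's token carries more than its group membership: Everyone, Authenticated Users and, in many domains, Pre-Windows 2000 Compatible Access (which contains Authenticated Users by default on Server 2003 and later), and the default AD ACLs grant those principals list and read rights across the directory. The added example below, not from the thread, makes both visible: it lists the implicit-principal read ACEs on the domain root and a container, and then shows which object the no-priv ACEs actually apply to. It assumes the ActiveDirectory module (its AD: drive) and a caller allowed to read security descriptors.

```powershell
# Added example (not from the original thread): show where a directory reader's list/read
# rights really come from, and what the ACEs on the "no-priv" group object cover.
# Assumes the ActiveDirectory module (AD: drive). Group name "no-priv" is taken from the thread.
Import-Module ActiveDirectory

# Principals a bound domain user holds in its token regardless of its group memberships.
$implicitPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Pre-Windows 2000 Compatible Access'   # contains Authenticated Users in many domains
)

function Get-ImplicitReadAces {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    foreach ($ace in $acl.Access) {
        $id     = $ace.IdentityReference.Value
        $rights = $ace.ActiveDirectoryRights.ToString()
        if ($implicitPrincipals -contains $id -and
            $rights -match 'ListChildren|ListObject|ReadProperty|GenericRead|GenericAll') {
            [pscustomobject]@{
                Object   = $DistinguishedName
                Identity = $id
                Type     = $ace.AccessControlType     # Allow or Deny
                Rights   = $rights
                Inherits = $ace.InheritanceType       # None = this object only
            }
        }
    }
}

function Get-AcesForPrincipal {
    # Shows what the ACEs on one object cover: a Deny on the group object restricts reads
    # of that object (and any children it had), not the rest of the tree.
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$Principal
    )
    (Get-Acl -Path ("AD:\" + $DistinguishedName)).Access |
        Where-Object { $_.IdentityReference.Value -like "*\$Principal" } |
        Select-Object @{ n = 'Object'; e = { $DistinguishedName } },
                      AccessControlType, ActiveDirectoryRights, InheritanceType
}

$domainDn = (Get-ADDomain).DistinguishedName
Get-ImplicitReadAces -DistinguishedName $domainDn            | Format-Table -AutoSize
Get-ImplicitReadAces -DistinguishedName "CN=Users,$domainDn" | Format-Table -AutoSize
Get-AcesForPrincipal -DistinguishedName (Get-ADGroup 'no-priv').DistinguishedName -Principal 'no-priv' |
    Format-Table -AutoSize
```

To actually narrow what ldap.user can see, the Deny ACEs for no-priv have to sit on the containers or OUs being browsed (a Deny there wins over the Allow the user receives via Everyone or Authenticated Users), or the user has to be removed from those implicit grants, which for Pre-Windows 2000 Compatible Access means changing the group's membership for the whole domain.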

DFS was working - now "waiting for initial replication"?


I just built a Functional Level 2008 R2 AD forest from the ground up with 2 domain controllers running Server 2012 R2. After installation I verified that dcdiag was completely clean and verified DFS by creating a GPO which I confirmed was replicated to the SYSVOL on both DCs.

Today I went in to create another GPO and found that it would not replicate to one of the DCs.

Sure enough, running a DFS health report showed "waiting for initial replication".

DCDiag continues to show completely clean.

Repadmin /replsum continues to show no errors

Repadmin /syncall completes with no errors

I'm completely baffled as to either what happened or what to do. Restarting the DFS service completes with no errors or warnings whatsoever in the event log. Restarting all systems has no effect.

Any suggestions to resolve?

domain controller and Additional Domain controller not identical


Hello,

I have a domain controller and an additional domain controller, both now working; I also have Exchange.

The Computers container and Domain Controllers container on the DC are empty; all computers appear on the ADC.

Today I tried to search for (Microsoft Exchange System Objects); I did not find it on the DC, but I found it on the ADC.

NOTE: if I create a user on the DC or on the ADC, it appears on both servers.

Please advise me.

Thanks


blue screen after system state recovery domain controller 2008r2


Hi,

I have been asked to make a DR plan for our domain. We have two DCs and I am trying to make a bare-metal restore of our primary DC (Server 2008 R2 Enterprise). All FSMO roles reside on that server. What I did was:

1. Took a system state backup to the D: drive using the Server Backup utility

2. Then a full server backup to a remote share

3. Restored the bare-metal image to the same hardware (but a new server with the same size of disk) on a test network

4. After completion of my restore process I removed the network cable and rebooted into DSRM mode

5. Issued the directory restore password and issued "wbadmin start systemstaterecovery -backuptarget:d -authsysvol"; the process completed without any errors

When I booted into normal mode after recovery, I cannot log in to the DC with my domain admin credentials; a light blue screen appears the whole time. I tried several reboots but it is still in the same state.

* I am not authorized to connect the recovered DC to the production LAN (promoting a new server to DC)

* I cannot keep another DC on the DR site

Are there any possible solutions in my case?

 

Allow to join to domain if computer name is following naming convention


Hi all,

Is there a way that I can disallow an IT support admin from joining to domain if the computer account does not follow organization naming convention?
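AD has no join-time filter on computer names, but you can make name validation the gate by stopping ad hoc account creation and pre-staging accounts. Setting ms-DS-MachineAccountQuota to 0 removes the default right of every authenticated user to create ten computer accounts, so a support admin can only join a machine to an account that already exists (or create accounts in an OU where that right has been explicitly delegated). The added example below, not from the thread, enforces a naming pattern at pre-staging time, sets the quota, and audits existing accounts against the pattern. The pattern and OU are placeholders; it assumes the ActiveDirectory module and Domain Admin rights for the quota change.

```powershell
# Added example (not from the original thread): pre-stage computer accounts only when the
# name matches the organisation's convention, and close the ad hoc creation path.
# Pattern and OU below are placeholders; replace them with your own.
Import-Module ActiveDirectory

# Illustrative convention: three-letter site code, role letter (L/D/S), four digits, e.g. LON-D0042.
$NamePattern = '^[A-Z]{3}-[LDS]\d{4}$'
$TargetOu    = 'OU=Workstations,DC=example,DC=com'

function Test-ComputerNameConvention {
    param([Parameter(Mandatory)][string]$Name)
    # Case-sensitive match: NetBIOS names are upper-cased, and the pattern says so explicitly.
    return $Name -cmatch $NamePattern
}

function New-PreStagedComputer {
    param([Parameter(Mandatory)][string]$Name)
    if (-not (Test-ComputerNameConvention -Name $Name)) {
        throw "Computer name '$Name' does not match the convention $NamePattern"
    }
    # The support admin later joins the physical machine to this existing account.
    New-ADComputer -Name $Name -SAMAccountName "$Name`$" -Path $TargetOu -Enabled $true
}

function Disable-AdHocMachineAccountCreation {
    # Default quota is 10; 0 means authenticated users create no computer accounts at all.
    $domain = Get-ADDomain
    Set-ADDomain -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
}

function Get-NonCompliantComputers {
    # Audit: existing accounts under the OU that were created outside the convention.
    Get-ADComputer -Filter * -SearchBase $TargetOu |
        Where-Object { -not (Test-ComputerNameConvention -Name $_.Name) } |
        Select-Object Name, DistinguishedName, Enabled
}

Disable-AdHocMachineAccountCreation
New-PreStagedComputer -Name 'LON-D0042'      # passes
Get-NonCompliantComputers | Format-Table -AutoSize
```

With the quota at 0, the remaining way to create an arbitrarily named account is a delegated "Create Computer objects" right on an OU, so review those delegations as well; joining a machine to a pre-staged account only needs rights on that account, not the right to create new ones.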

DNS Rebuilding - AD integrated DNS- Windows 2012


On one of my DCs (Win 2012), DNS seems to be corrupted as it is not showing SRV records for one DC.

Is there any option to rebuild DNS alone without demoting the DC?

V2V - Domain controller


Hello, I am planning to V2V (as part of the datacentre migration) a Windows 2008 R2 domain controller (DC) to a new datacentre. As it’s not best practice to convert/clone a domain controller, I am stopping all AD-related services and doing the V2V conversion.  When V2V finishes, I power on the target VM, connect the network and start the services. We have other live domain controllers in the network.

As I am stopping the AD services, I am assuming that server is down from AD point of view. Is it right assumption?

Do you see any issues? Appreciate your thoughts on this.

I can’t use a cold clone, the OVF method, or a parallel DC build and migrate roles, for some other reasons. I have no access to the source vCenter server.

Cheers!!

Dcdiag issues


Hello

I ran dcdiag on my DC and found the below.

How can I fix the below issues?

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = rrrMHDC01

   * Identified AD Forest. 
   Done gathering initial info.


Doing initial required tests


   Testing server: Default-First-Site-Name\rrrMHDC01

      Starting test: Connectivity

         ......................... rrrMHDC01 passed test Connectivity



Doing primary tests


   Testing server: Default-First-Site-Name\rrrMHDC01

      Starting test: Advertising

         ......................... rrrMHDC01 passed test Advertising

      Starting test: FrsEvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems. 
         ......................... rrrMHDC01 passed test FrsEvent

      Starting test: DFSREvent

         ......................... rrrMHDC01 passed test DFSREvent

      Starting test: SysVolCheck

         ......................... rrrMHDC01 passed test SysVolCheck

      Starting test: KccEvent

         A warning event occurred.  EventID: 0x80000B47

            Time Generated: 12/02/2015   15:23:30

            Event String: 


         ......................... rrrMHDC01 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... rrrMHDC01 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... rrrMHDC01 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... rrrMHDC01 passed test NCSecDesc

      Starting test: NetLogons

         ......................... rrrMHDC01 passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... rrrMHDC01 passed test ObjectsReplicated

      Starting test: Replications

         ......................... rrrMHDC01 passed test Replications

      Starting test: RidManager

         ......................... rrrMHDC01 passed test RidManager

      Starting test: Services

         ......................... rrrMHDC01 passed test Services

      Starting test: SystemLog

         An error event occurred.  EventID: 0x0000165B

            Time Generated: 12/02/2015   14:35:39

            Event String:

            The session setup from computer 'PLASMA-34' failed because the security database does not contain a trust account 'PLASMA-34$' referenced by the specified computer.  


         An error event occurred.  EventID: 0x0000165B

            Time Generated: 12/02/2015   14:41:31

            Event String:

            The session setup from computer 'NQ39' failed because the security database does not contain a trust account 'NQ39$' referenced by the specified computer.  


         An error event occurred.  EventID: 0x000016AD

            Time Generated: 12/02/2015   14:43:49

            Event String:

            The session setup from the computer NQ39 failed to authenticate. The following error occurred: 


         An error event occurred.  EventID: 0x000016AD

            Time Generated: 12/02/2015   15:11:01

            Event String:

            The session setup from the computer SD-TRAINING failed to authenticate. The following error occurred: 


         An error event occurred.  EventID: 0x0000165B

            Time Generated: 12/02/2015   15:18:56

            Event String:

            The session setup from computer 'BR43TR09' failed because the security database does not contain a trust account 'BR43TR09$' referenced by the specified computer.  


         An error event occurred.  EventID: 0x0000165B

            Time Generated: 12/02/2015   15:19:34

            Event String:

            The session setup from computer 'BEAMTESTING' failed because the security database does not contain a trust account 'BEAMTESTING$' referenced by the specified computer.  


         An error event occurred.  EventID: 0x0000165B

            Time Generated: 12/02/2015   15:20:16

            Event String:

            The session setup from computer 'PMS-HO' failed because the security database does not contain a trust account 'PMS-HO$' referenced by the specified computer.  


         An error event occurred.  EventID: 0x000016AD

            Time Generated: 12/02/2015   15:22:58

            Event String:

            The session setup from the computer BEAMTESTING failed to authenticate. The following error occurred: 


         An error event occurred.  EventID: 0x000016AD

            Time Generated: 12/02/2015   15:22:58

            Event String:

            The session setup from the computer PMS-HO failed to authenticate. The following error occurred: 


         An error event occurred.  EventID: 0x0000165B

            Time Generated: 12/02/2015   15:25:09

            Event String:

            The session setup from computer 'rrr-CCC-055' failed because the security database does not contain a trust account 'rrr-CCC-055$' referenced by the specified computer.  


         An error event occurred.  EventID: 0x000016AD

            Time Generated: 12/02/2015   15:27:12

            Event String:

            The session setup from the computer rrr-CCC-055 failed to authenticate. The following error occurred: 


         A warning event occurred.  EventID: 0x0000043D

            Time Generated: 12/02/2015   15:34:10

            Event String:

            Windows failed to apply the Internet Explorer Zonemapping settings. Internet Explorer Zonemapping settings might have its own log file. Please click on the "More information" link.

         ......................... rrrMHDC01 failed test SystemLog

      Starting test: VerifyReferences

         ......................... rrrMHDC01 passed test VerifyReferences



   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation


   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation


   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation


   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation


   Running partition tests on : boldaj

      Starting test: CheckSDRefDom

         ......................... boldaj passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... boldaj passed test CrossRefValidation


   Running enterprise tests on : boldaj.com.eg

      Starting test: LocatorCheck

         ......................... boldaj.com.eg passed test LocatorCheck

      Starting test: Intersite

         ......................... boldaj.com.eg passed test Intersite


MCP MCSA MCSE MCT MCTS CCNA
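Everything in this dcdiag run passes except SystemLog, and the failures there are NETLOGON events rather than directory problems. EventID 0x0000165B is NETLOGON 5723: the computer presented a machine account (PLASMA-34$, NQ39$ and so on) that does not exist in the security database, which is what you see when the account was deleted, or the DC has not yet replicated it, or the machine is unknown to the domain. EventID 0x000016AD is NETLOGON 5805: the account exists but the secure channel could not be authenticated, typically a machine password mismatch after a reimage or a restore from an old image. The 0x43D warning is a Group Policy preference (Internet Explorer zone mapping) problem and unrelated to AD. The added example below, not from the thread, pulls those NETLOGON events from a DC's System log and checks each named computer against AD, so stale or unknown devices can be told apart from legitimate machines that just need re-joining. It assumes the ActiveDirectory module and runs against the local DC unless -ComputerName is given.

```powershell
# Added example (not from the original thread): collect NETLOGON 5723/5805 failures
# (dcdiag's 0x165B/0x16AD) and check each reported computer against AD.
# Assumes the ActiveDirectory module; System log is per DC, so run it on each one.
Import-Module ActiveDirectory

function Get-TrustAccountFailures {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
                  LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5723, 5805
                  StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue
    $byName = @{}
    foreach ($e in $events) {
        # 5723: "...from computer 'NAME' failed because the security database does not contain..."
        # 5805: "...from the computer NAME failed to authenticate..."
        if ($e.Message -match "from (?:the )?computer '?([^' ]+)'? failed") {
            $name = $Matches[1]
            if (-not $byName.ContainsKey($name)) {
                $byName[$name] = @{ Count = 0; First = $e.TimeCreated; Ids = @() }
            }
            $byName[$name].Count++
            $byName[$name].Ids  += $e.Id
            $byName[$name].First = $e.TimeCreated   # events arrive newest first; last seen = earliest
        }
    }
    foreach ($name in $byName.Keys) {
        $acct = Get-ADComputer -Filter "Name -eq '$name'" -Properties lastLogonTimestamp `
                               -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer      = $name
            Failures      = $byName[$name].Count
            EventIds      = ($byName[$name].Ids | Sort-Object -Unique) -join ','
            FirstSeen     = $byName[$name].First
            AccountExists = [bool]$acct
            Enabled       = $(if ($acct) { $acct.Enabled } else { $null })
            LastLogon     = $(if ($acct -and $acct.lastLogonTimestamp) {
                                 [datetime]::FromFileTime($acct.lastLogonTimestamp) } else { $null })
        }
    }
}

Get-TrustAccountFailures | Sort-Object Failures -Descending | Format-Table -AutoSize
```

A computer with AccountExists = $false and no record of ever having been joined deserves a look at where it sits on the network before anyone re-joins it; a computer whose account exists but reports 5805 is normally fixed by resetting the secure channel or re-joining, once it is confirmed to be the machine it claims to be.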

Windows 2012 R2 Domain controller, dcdiag error, dsbindwithspnex() failed with error 1727


Hi,

I have 3 sites linked over a VPN tunnel.  On one of the remote-site DCs, I am getting the error "dsbindwithspnex() failed with error 1727" when I run DCDIAG.  Basically the remote-site DC with the error cannot connect to the FSMO owner in the primary site.  The primary site tunnel device is a Cyberoam and the remote site tunnel device is TMG 2010 ("Enforce strict RPC compliance" is unchecked on the TMG rule and the system policy rule).  I only have this one DC in the remote site.  A quick search results in solutions such as system restore.

Any ideas about how to fix the issue.

Regards

Mathew

GPO editing error


Hello all,

Recently, when I tried to edit an existing GPO I received the following error:

"Windows has detected that this policy was created by a more recent version of Windows"

I think one of our sysadmins used a newer version of the Remote Server Administration Tools on Windows 8 to edit that GPO.

Is there any way to work around that error?

BTW I did not backup the GPO.

Regards.


Windows 10 cannot join domain or access shares - The specified network name is no longer available (System error 64)


Hi All,

I got a peculiar problem that I cannot seem to understand. I suspect there must be something wrong with our domain configuration, as no Windows 10 machines (upgraded or clean install) are able to join (or re-join) the domain, or access any file shares on any servers. The error message is always the same:

System error 64 has occurred.
The specified network name is no longer available

Checks that I've completed:

  • Windows 7 on the same machine/network OK
  • Windows 10 upgrade is not okay, Windows 10 clean install also unable to join the domain
  • ip, DNS config, DNS suffix OK
  • nslookup domain.local OK
  • nslookup domain controllers OK
  • ping domain OK
  • ping domain controllers OK
  • net use \\DC\Netlogon returns the same error
  • gpupdate returns the same error (see below)
  • No suspicious errors in the event log
  • Raised domain functionality level to Windows Server 2008 R2 
  • IPv6 enabled everywhere
  • DFS is enabled on the DCs
  • UNC hardening turned on/off (RequireMutualAuthentication=0, RequireIntegrity=0), didn't help

We have Windows SBS 2011 and a Windows 2008 R2 domain controllers. The servers are hosted with only IPv4 VPN communication enabled with site-to-site tunneling between the offices. However nothing changed in the network infrastructure since we tried upgrading Windows 7 computers.

The full GPUPDATE error message:

Computer policy could not be updated successfully. The following errors were encountered:
The processing of Group Policy failed. Windows attempted to read the file \\domain.local\SysVol\domain.local\Policies\{UID}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

I found this thread to be quite useful and seemingly people are having the same problem, however it didn't resolve my issue:
https://community.spiceworks.com/topic/1119601-windows-10-group-policy-issue

Some people even hinted that it is a Win10 bug that wasn't yet solved in the Threshold 2 update.

Is there anyone out there who could help me? :)

Error 0x80005000 7-day Restart


Hi, I really hope that someone can help! I have been googling all known issues, but between a lot of different answers and not completely understanding the issue, I haven't been able to get anywhere.

We have a small server running SBS 2011 and we have about 8 users and the occasional remote login. 

The server was initially for file storage but we recently had an IT company come in to set it all up with a domain etc. Since about then it has been turning off every week and my IT guy hasn't been much help. 

Through the event viewer, I tracked the error back to the Server Infrastructure Licensing folder where there are 8 errors that happen every 30 minutes. 2 of the errors have a count down to the server shut down. 

The errors are listed below:

The Forest Trust Check in the Licensing component did not pass because error 0x80005000 occurred in function fe2 [WBAS].

An invalid directory pathname was passed

Make sure that each primary domain controller in your Active Directory forest can be contacted and the following services are running on it: Active Directory Domain Services (NTDS), DNS Server (DNS) and Kerberos Key Distribution Center (KDC). This server will be automatically shut down if the issue is not corrected.

The automatic correction of a noncompliant forest trust condition was not successful because error 0x80005000 occurred in function fe2 [CAJS].

An invalid directory pathname was passed

Make sure that your DNS server can be contacted and the following services are running: Active Directory Domain Services (NTDS), DNS Server (DNS), Kerberos Key Distribution Center (KDC). This server will be automatically shut down if the issue is not corrected.

The Forest Trust Check detected a condition in your environment that is out of compliance with the licensing policy. This server will be automatically shut down if the issue is not corrected in 0 day(s) 0 hour(s) 30 minute(s). Please look for additional events for Forest Trust Check to troubleshoot.

The FSMO Role Check in the Licensing component did not pass because error 0x80005000 occurred in function f1501 [OKLS].

An invalid directory pathname was passed

Make sure that your DNS server can be contacted and the following services are running: Active Directory Domain Services (NTDS), DNS Server (DNS), Kerberos Key Distribution Center (KDC).  This server will be automatically shut down if the issue is not corrected.

The automatic correction of a noncompliant FSMO role condition was not successful because error 0x80005000 occurred in function f1301 [BNBO].

An invalid directory pathname was passed

Make sure that your DNS server can be contacted and the following services are running: Active Directory Domain Services (NTDS), DNS Server (DNS), Kerberos Key Distribution Center (KDC). This server will be automatically shut down if the issue is not corrected.

The FSMO Role Check detected a condition in your environment that is out of compliance with the licensing policy. This server will be automatically shut down if the issue is not corrected in 0 day(s) 0 hour(s) 30 minute(s). Please look for additional events for FSMO Role Check to troubleshoot.

Root domain check did not pass because error 0x80005000 occurred in function f1981 [SZYY].

An invalid directory pathname was passed

Make sure that the domain that this computer is joined is reachable. This server will automatically shut down if the issue cannot be corrected.

The Root Domain Check detected a condition in your environment that is out of compliance with the licensing policy. This server will be automatically shut down if the issue is not corrected in 0 day(s) 0 hour(s) 30 minute(s). Please look for additional events for Root Domain Check to troubleshoot.

I have tried a lot of solutions and checks but so far no luck.

Does anyone have any ideas? Need me to post any information from any other query/test?

Please keep in mind that I'm learning this as I go!

Authentication restrictions for LDAP query


Hi,

I am trying to configure a third party service to do an LDAP query to our AD to authenticate users. I am able to authenticate to AD and can do a query using the account cn=administrator,cn=Users,DC=domain,DC=com but I cannot authenticate via LDAP with any other user account. Because this service is hosted outside I don't want to use the administrator account. I cannot find any mention of restrictions for LDAP authentication so I am not sure where I am going wrong.

thanks

Keith
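AD does not restrict which accounts may bind over LDAP; any enabled user can perform a simple bind. What usually differs between the administrator account and another one is the bind name: cn=administrator,cn=Users,DC=domain,DC=com is only right for accounts that sit in the Users container, and a user placed in an OU has a different DN. AD also accepts the UPN (user@domain.com) as the simple-bind name, which avoids DN guessing. The added example below, not from the thread, resolves an account's real DN, tries a simple bind over LDAPS with both the DN and the UPN, and reports the server's result code, so a wrong DN can be told apart from a bad password or a disabled or locked account. It assumes .NET's System.DirectoryServices.Protocols, the ActiveDirectory module, a DC offering LDAPS on 636, and placeholder server and account names.

```powershell
# Added example (not from the original thread): test an LDAP simple bind over LDAPS and
# report AD's result, for a dedicated low-privilege service account. Names are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols
Import-Module ActiveDirectory

function Test-LdapBind {
    param(
        [Parameter(Mandatory)][string]$Server,          # e.g. dc01.domain.com
        [Parameter(Mandatory)][string]$BindName,        # DN or UPN; AD accepts both for simple bind
        [Parameter(Mandatory)][securestring]$Password,
        [int]$Port = 636                                # 636 = LDAPS; simple bind sends the password
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = ($Port -eq 636)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = New-Object System.Net.NetworkCredential($BindName, $Password)
    try {
        $conn.Bind()
        [pscustomobject]@{ BindName = $BindName; Success = $true; Detail = 'bound' }
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # AD's "data" code in ServerErrorMessage: 525 = no such user, 52e = bad password,
        # 532 = password expired, 533 = account disabled, 775 = locked out.
        [pscustomobject]@{ BindName = $BindName; Success = $false
                           Detail = $_.Exception.ServerErrorMessage }
    } finally {
        $conn.Dispose()
    }
}

function Test-ServiceAccountBind {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][securestring]$Password
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties userPrincipalName
    # Bind with the DN AD actually holds for the account, then with its UPN.
    Test-LdapBind -Server $Server -BindName $user.DistinguishedName  -Password $Password
    Test-LdapBind -Server $Server -BindName $user.UserPrincipalName  -Password $Password
}

$pw = Read-Host -AsSecureString -Prompt 'Password for svc-ldap'
Test-ServiceAccountBind -Server 'dc01.domain.com' -SamAccountName 'svc-ldap' -Password $pw |
    Format-Table -AutoSize
```

For a service hosted outside the network, the bind account should be a dedicated user with no group memberships beyond Domain Users, and the connection should be LDAPS (or LDAP with StartTLS) only: a simple bind over plain port 389 sends the password in clear text.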

Outlook 2010 connect anywhere option grayed out


I would like to configure my Office 365 mailbox in Outlook 2010, but the Outlook Anywhere option is grayed out on my system and it needs to be enabled to configure my Office 365 mailbox.

I have followed the instructions in Article ID 2426686 but the option is still grayed out. Please let me know how to enable the grayed-out option.

I have already posted this question in the Office 365 community and I have been referred to this community. Please help to resolve the issue.

DC NTDS and DNS Settings question


Hi all,

I've come into a new environment with 4 domain controllers (Server 2012) in the same site and domain across 2 data centers, and require a little help in determining if their setup is correct.

In AD Sites and Services > %site% > Servers I have the below:

DC1 (Data Center 1)

 - NTDS Settings = DC2 and DC3

DC2 (Data Center 2)

 - NTDS Settings = DC1 and DC4

DC3 (Data Center 1)

 - NTDS Settings = DC1 and DC4

DC4 (Data Center 2)

 - NTDS Settings = DC2 and DC3

and my question is, shouldn't each DC have all three of the other DCs listed in the NTDS Settings for correct replication?

IP Addresses of the DCs/DNS Servers are (*Not actually using 192, but just used as example):

DC1 = 192.168.1.25

DC2 = 192.168.1.26

DC3 = 192.168.1.32

DC4 = 192.168.1.33

IN DNS I have:

DC1  (Data Center 1)

 - 192.168.1.26

 - 192.168.1.25

 - 127.0.0.1

DC2 (Data Center 2)

 - 192.168.1.25

 - 192.168.1.26

 - 127.0.0.1

DC3 (Data Center 1)

 - 192.168.1.25

 - 192.168.1.26

DC4 (Data Center 2)

 - 192.168.1.25

 - 192.168.1.26

 - 127.0.0.1

and my question is, shouldn't all DC/DNS server IPs be listed on each of the others, so DC1 should have the IPs for DC2, DC3 and DC4? Should each DC have either its own IP or the loopback address, not both? I've read that there are a lot of different ideas on which DC/DNS server should be listed first and second, but there is no consensus.

Thanks for any help, advice, or links that can be given, as I'm having some issues with Group Policy replication, etc.
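On the first question: the connection objects under NTDS Settings are generated by the KCC, which inside a site builds a bidirectional ring (with extra links added so that no DC is more than three hops from any other) rather than a full mesh. For four DCs in one site, two partners each is exactly the ring you would expect, and changes still reach every DC within the site's notification delay. On the second: a DC should list itself (its own address or loopback) but never only itself, and the usual guidance is another DC first and itself later; listing every DC as a resolver is a preference, not a requirement, and having both the own IP and loopback is harmless duplication. The added example below, not from the thread, reads each DC's actual inbound partners from repadmin and its DNS client settings, and reports which DCs are missing as resolvers and where the DC places itself. It assumes the ActiveDirectory and DnsClient modules (Server 2012 or later) and remote CIM access to each DC.

```powershell
# Added example (not from the original thread): compare each DC's inbound replication
# partners and DNS client settings against the full DC list. Assumes the ActiveDirectory
# and DnsClient modules and remote CIM (WinRM) access to every DC.
Import-Module ActiveDirectory

function Get-DcReplicationPartners {
    param([Parameter(Mandatory)][string]$DcHostName)
    # repadmin /showrepl /csv emits one row per inbound partner and naming context.
    $rows = repadmin /showrepl $DcHostName /csv | ConvertFrom-Csv
    $rows | Select-Object -ExpandProperty 'Source DSA' -Unique
}

function Test-DcPeering {
    $dcs    = Get-ADDomainController -Filter *
    $allIps = $dcs.IPv4Address
    foreach ($dc in $dcs) {
        $partners   = @(Get-DcReplicationPartners -DcHostName $dc.HostName)
        # First adapter that has IPv4 resolvers configured.
        $dnsServers = @(Get-DnsClientServerAddress -CimSession $dc.HostName -AddressFamily IPv4 |
                        Where-Object { $_.ServerAddresses } |
                        Select-Object -First 1 -ExpandProperty ServerAddresses)
        $others     = $allIps | Where-Object { $_ -ne $dc.IPv4Address }
        [pscustomobject]@{
            DC               = $dc.Name
            ReplPartners     = $partners -join ', '
            DnsServers       = $dnsServers -join ', '
            MissingDcAsDns   = ($others | Where-Object { $dnsServers -notcontains $_ }) -join ', '
            SelfPosition     = [array]::IndexOf($dnsServers, $dc.IPv4Address) + 1   # 0 = not listed
            LoopbackPosition = [array]::IndexOf($dnsServers, '127.0.0.1') + 1        # 0 = not listed
            # Pointing first at itself can leave a freshly booted DC unable to find partners.
            SelfFirst        = ($dnsServers.Count -gt 0 -and
                                ($dnsServers[0] -eq $dc.IPv4Address -or $dnsServers[0] -eq '127.0.0.1'))
        }
    }
}

Test-DcPeering | Format-Table -AutoSize
```

In the layout described in the post, DC3 and DC4 never list each other's addresses, and no DC lists DC3 or DC4 at all, which this report would show in the MissingDcAsDns column; whether to fix that is a resilience choice (if DC1 and DC2 are both down, DC3 and DC4 have no working resolver), not a replication error, which is what Group Policy replication issues are more often traced to through the DFS health report and repadmin than through the resolver order.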
