Channel: Directory Services forum

Can't access ADFS federationmetadata.xml


I configured ADFS and am having issues accessing the metadata XML file, and can't seem to find an answer.

If I go to
https://localhost/federationmetadata/2007-06/federationmetadata.xml
It works perfectly from the local ADFS server

If I go to
https://<IP Address>/federationmetadata/2007-06/federationmetadata.xml
it gives me "This page can't be displayed .... Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings ......". I get the same error if I use the internal server FQDN.

If I go to my external proxy address
https://fs.myexternaldomain.com/federationmetadata/2007-06/federationmetadata.xml
it gives me "502 - Web server received an invalid response while acting as a gateway or proxy server"

Any ideas what I'm doing wrong?


Restore child domain


Hi 

I need to demote the last domain controller in a given child domain, i.e. the child domain will be deleted/decommissioned with this.

However, I would like to know if there is an option to roll this back. Can someone guide me on how to bring the deleted child domain back to life as it was before? Will there be any loss or ill effects from this? What are the prerequisites to be able to roll back, etc.?

Thanks in advance !!

Active Directory only shows newly joined computers, not machines already in the domain.


Hi guys,

I have installed AD on a Windows 2012 server. It only shows the computers which were newly joined to the domain. But there are already a lot of computers joined to the domain, and they are not showing. I can't understand what the problem is. Do I need to rejoin every computer in the workplace?

Joining computer to domain


Hi

In my environment there are two domains, a parent and a child domain, e.g. abc.contoso.net: abc = child domain and contoso is the parent domain. All the user details are in the child domain abc, so all the computers are joined to abc.contoso.net.

Now I want to know what will happen, or what the drawbacks are, if I join the computers to abc alone and not the full abc.contoso.net.

Please advise

Aamir



Adding computers to a domain


Hello All,

1) If we add a machine to a domain, will it be added to the Active Directory (Domain Controller) computers list automatically, or do we need to add it manually?

2) Are the DNS records created automatically, or do we need to manually create an entry for that particular computer?

Waiting for your replies. Thanks in advance!!


Paramesh KA

Remove password prompt for local user with blank password? (Win10 and Server 2012r2)


Okay, unjoined Windows 10 machines will allow users with blank passwords to log in by clicking "Sign in". I need to get that same option once they're joined to a domain. Currently, I see that sign-in button for a split second before it's replaced with a password prompt. This frightens and confuses my users.

For a while, about half the Win10 machines I had joined were allowing that 1-click sign-in, but no more. Not sure if that was due to an update, or if they weren't entirely joined to begin with (I think the latter).

Anyone have ideas on how I can make it work? I've thought about automatic logins, but it won't be long before I'll need the login screen to come up first again.

DCDIAG /test:VerifyEnterpriseReferences (problems reported)


Ran DCDIAG /test:VerifyEnterpriseReferences on a few DCs and the same problems were reported. Detailed below:

Starting test: VerifyEnterpriseReferences The following problems were found while verifying various important DN references. Note, that these problems can be reported because of latency in replication. So follow up to resolve the following problems, only if the same problem is reported on all DCs for a given domain or if the problem persists after replication has had reasonable time to replicate changes.

Repadmin is not showing errors and the other dcdiag results seem fine.

Checked the ADSI Edit Configuration partition and CN=LostAndFoundConfig has content, but I wanted to ensure that it's safe to delete. I reckon the objects are linked to an old DC. Nothing is listed in the Active Directory LostAndFound OU.

Any advice would be appreciated. I just want to be sure that no problems will occur if these objects are removed.






Windows Pro 2010 Cannot Join Server Essentials 2012 R2 domain. Constant errors

Hi, I recently purchased a Lenovo server with Windows Server 2012 Essentials, updated and installed. I then attempted to connect a 2010 Pro machine. First the connector would not work, and I read that I should change the compatibility of the connector app to Windows 8, which then started the connector find. The connector found the server and inserted the credentials. After a while the client machine showed an error that the server was busy. Essentially it stops while trying to connect every time. The date and time on both machines are the same. Really can't figure this out. Any help appreciated.

Is there an easy way or tools to verify or validate the password contained inside the keytab?

I used the following command to generate a keytab:

ktpass -out c:\temp\myappserver.keytab -princ HTTP/myappserver.domain.com@DOMAIN.COM -mapUser myspnuser -mapOp set -crypto RC4-HMAC

If I don't give the -pass option, what password will it set in the keytab?

Now I have a Kerberos keytab file from the above command. Is there an easy way or tool to verify or validate the password contained inside the keytab, to make sure the password inside the keytab matches the user given with -mapUser myspnuser on the ktpass command?

Please let me know if there is any Microsoft tool or command, or any other tool, to validate/verify the password inside the keytab. Please let me know the step-by-step commands. I would appreciate examples and a demonstration.

Thank you
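As an added example (not from the post, and not a Microsoft tool), the Python script below parses a keytab and checks whether its RC4-HMAC entry was derived from a given password. It relies on one fact: for enctype 23 (RC4-HMAC, what ktpass -crypto RC4-HMAC writes) the Kerberos key is the NT hash, i.e. MD4 over the UTF-16LE encoding of the password, so an equal key proves the password without contacting the KDC. The keytab it checks is constructed in-script for the principal from the post with an assumed password ("Sup3r-Secret!"); the MD4 routine is inlined because hashlib has no md4 on many OpenSSL 3 builds. AES enctypes (17/18) are listed but not verified, since those keys are PBKDF2-derived with a salt this script does not know.

```python
"""Verify the password behind an RC4-HMAC keytab entry (added example, see lead-in).

Assumes the MIT 0x0502 keytab layout that ktpass writes and that enctype 23 keys
are the NT hash, MD4(UTF-16LE(password)). Sample keytab and password are constructed.
"""
import hmac
import struct

MASK32 = 0xFFFFFFFF
RC4_HMAC = 23  # Kerberos enctype for rc4-hmac (ktpass -crypto RC4-HMAC)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib lacks md4 on many OpenSSL 3 builds."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(48):
            j, r = i % 16, i // 16  # step within the round, round index
            if r == 0:
                fn, k, s, add = f, j, (3, 7, 11, 19)[j % 4], 0
            elif r == 1:
                fn, k, s, add = g, (j % 4) * 4 + j // 4, (3, 5, 9, 13)[j % 4], 0x5A827999
            else:
                fn, k, s, add = h, (0, 8, 4, 12)[j % 4] + (0, 2, 1, 3)[j // 4], (3, 9, 11, 15)[j % 4], 0x6ED9EBA1
            a = _rotl((a + fn(b, c, d) + x[k] + add) & MASK32, s)
            a, b, c, d = d, a, b, c  # register rotation: the next step updates the old d
        state = [(v + w) & MASK32 for v, w in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The RC4-HMAC Kerberos key is the NT hash: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def _cstr(s: str) -> bytes:  # keytab counted octet string: uint16 length + bytes
    return struct.pack(">H", len(s.encode())) + s.encode()


def build_keytab(principal: str, realm: str, kvno: int, enctype: int, key: bytes) -> bytes:
    """Serialise one entry in the v2 layout: big-endian, component count excludes the realm."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm) + b"".join(map(_cstr, comps))
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, timestamp, 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key  # keyblock
    body += struct.pack(">I", kvno)  # optional 32-bit vno after the keyblock
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def parse_keytab(blob: bytes) -> list:
    """Walk every entry; returns dicts with principal, kvno, enctype and raw key."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version-2 (0x0502) keytab")
    pos = 2

    def rd(fmt):
        nonlocal pos
        vals = struct.unpack(fmt, blob[pos:pos + struct.calcsize(fmt)])
        pos += struct.calcsize(fmt)
        return vals

    def cstr():
        nonlocal pos
        (n,) = rd(">H")
        s, pos = blob[pos:pos + n].decode(), pos + n
        return s

    entries = []
    while pos + 4 <= len(blob):
        (size,) = rd(">i")
        if size <= 0:  # zero ends the scan; negative marks a deleted slot of that length
            if size == 0:
                break
            pos += -size
            continue
        end = pos + size
        (ncomp,) = rd(">H")
        realm = cstr()
        comps = [cstr() for _ in range(ncomp)]
        _name_type, _timestamp, vno8 = rd(">IIB")
        enctype, klen = rd(">HH")
        key, pos = blob[pos:pos + klen], pos + klen
        kvno = rd(">I")[0] if end - pos >= 4 else vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": enctype, "key": key})
    return entries


def verify_password(blob: bytes, password: str) -> dict:
    """(principal, enctype) -> True/False for RC4-HMAC entries; None for enctypes not checked here."""
    expected = nt_hash(password)
    return {(e["principal"], e["enctype"]):
            hmac.compare_digest(e["key"], expected) if e["enctype"] == RC4_HMAC else None
            for e in parse_keytab(blob)}


# Constructed sample: assumed password, principal taken from the post's ktpass command.
SAMPLE_PASSWORD = "Sup3r-Secret!"
SAMPLE_KEYTAB = build_keytab("HTTP/myappserver.domain.com", "DOMAIN.COM", 3, RC4_HMAC,
                             nt_hash(SAMPLE_PASSWORD))

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    pw = sys.argv[2] if len(sys.argv) > 2 else SAMPLE_PASSWORD
    for (princ, etype), ok in verify_password(blob, pw).items():
        print(princ, etype, {True: "MATCH", False: "MISMATCH", None: "not RC4-HMAC, skipped"}[ok])
```

Run it as `python verify_keytab.py c:\temp\myappserver.keytab "<password>"`; with no arguments it checks the built-in sample. MATCH means the RC4-HMAC key in the file was derived from exactly that password. Keep in mind that ktpass sets the mapped account's password to the value given with -pass (or entered at the prompt), so a real keytab only stays valid until the next password change on that account.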

relationship between SPN notation and suffix routing


Hi all,

Is there any relation between an FQDN that is used in an SPN and suffix routing that might be configured between two forests, using the same 'domain' suffix as was used in the FQDN in the SPN?

Forest trust between forestA.com and ForestB.com; ForestB.com will get a suffix registered for company.com and suffix routing will be enabled. (New users are created in ForestB with the UPN suffix @company.com.)

However, in forestA.com there are e.g. resources with constrained delegation via service accounts that use an SPN like HTTP/server.company.com, which exist for services (e.g. a web server) in ForestA only.

For all I know, that last SPN part will be like an FQDN, or is this involved in the suffix routing as well?

The whole Kerberos ticketing would be based on http/server.company.com@forestA.com and would therefore not be routed to ForestB.com? Or am I missing something?

TIA

New DC does not share SYSVOL and NETLOGON


Hello.

I have a home lab with an AD domain called tnx.cz. I have a single DC called DC02 (Windows Server 2012). I needed to install a new DC called DC03 (Windows Server 2012). I have done it many times and never run into trouble. This time everything went OK, but at the end the new DC03 was not sharing NETLOGON and SYSVOL. Replication worked according to repadmin. DNS was working, and the new server was serving clients OK. But when I shut down the old DC02, the domain stopped working. Instead of a network called tnx.cz, computers showed Network 2 or something like this.

I have removed the DC03 (moved the FSMO roles back, done a correct demotion, uninstalled ADDS and DNS) and started again. Before I started adding the new DC, I walked through the DNS and checked every single record in the whole tree. I have also run the BPA for ADDS and DNS before installing. No significant errors or warnings. (Not counting warnings that I have a single DC, or that I should use localhost as the DNS server in the TCP/IP settings on the DC, but not as the first one.) I used Windows Server 2012 R2 this time for the installation of the new DC, but the result was the same.

Replications seem to be working.

Results of repadmin /showrepl from DC02:

C:\Users\Administrator.TNX>repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost
home\DC02
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 5a572dc6-2ed9-44c1-834f-70661d4c0d0a
DSA invocationID: bceb8b7d-f5e7-45ee-b5fd-f36b9c601d37

==== INBOUND NEIGHBORS ======================================

DC=tnx,DC=cz
    home\DC03 via RPC
        DSA object GUID: 2f0862c7-11ca-48b5-82a4-587b9b6bd982
        Last attempt @ 2013-12-03 09:56:52 was successful.

CN=Configuration,DC=tnx,DC=cz
    home\DC03 via RPC
        DSA object GUID: 2f0862c7-11ca-48b5-82a4-587b9b6bd982
        Last attempt @ 2013-12-03 09:56:52 was successful.

CN=Schema,CN=Configuration,DC=tnx,DC=cz
    home\DC03 via RPC
        DSA object GUID: 2f0862c7-11ca-48b5-82a4-587b9b6bd982
        Last attempt @ 2013-12-03 09:56:52 was successful.

DC=ForestDnsZones,DC=tnx,DC=cz
    home\DC03 via RPC
        DSA object GUID: 2f0862c7-11ca-48b5-82a4-587b9b6bd982
        Last attempt @ 2013-12-03 09:56:52 was successful.

DC=DomainDnsZones,DC=tnx,DC=cz
    home\DC03 via RPC
        DSA object GUID: 2f0862c7-11ca-48b5-82a4-587b9b6bd982
        Last attempt @ 2013-12-03 09:56:52 was successful.

Results of repadmin /showrepl from DC03:

C:\Users\Administrator.TNX>repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost
home\DC03
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 2f0862c7-11ca-48b5-82a4-587b9b6bd982
DSA invocationID: cb1960e2-9fed-45d5-8539-bad3bbca3981

==== INBOUND NEIGHBORS ======================================

DC=tnx,DC=cz
    home\DC02 via RPC
        DSA object GUID: 5a572dc6-2ed9-44c1-834f-70661d4c0d0a
        Last attempt @ 2013-12-03 10:25:56 was successful.

CN=Configuration,DC=tnx,DC=cz
    home\DC02 via RPC
        DSA object GUID: 5a572dc6-2ed9-44c1-834f-70661d4c0d0a
        Last attempt @ 2013-12-03 09:50:00 was successful.

CN=Schema,CN=Configuration,DC=tnx,DC=cz
    home\DC02 via RPC
        DSA object GUID: 5a572dc6-2ed9-44c1-834f-70661d4c0d0a
        Last attempt @ 2013-12-03 09:50:00 was successful.

DC=ForestDnsZones,DC=tnx,DC=cz
    home\DC02 via RPC
        DSA object GUID: 5a572dc6-2ed9-44c1-834f-70661d4c0d0a
        Last attempt @ 2013-12-03 09:50:00 was successful.

DC=DomainDnsZones,DC=tnx,DC=cz
    home\DC02 via RPC
        DSA object GUID: 5a572dc6-2ed9-44c1-834f-70661d4c0d0a
        Last attempt @ 2013-12-03 09:50:00 was successful.

But the DCDIAG shows errors.

DCDIAG from DC02:

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = DC02

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests

   
   Testing server: home\DC02

      Starting test: Connectivity

         ......................... DC02 passed test Connectivity



Doing primary tests

   
   Testing server: home\DC02

      Starting test: Advertising

         ......................... DC02 passed test Advertising

      Starting test: FrsEvent

         ......................... DC02 passed test FrsEvent

      Starting test: DFSREvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... DC02 failed test DFSREvent

      Starting test: SysVolCheck

         ......................... DC02 passed test SysVolCheck

      Starting test: KccEvent

         ......................... DC02 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... DC02 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... DC02 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... DC02 passed test NCSecDesc

      Starting test: NetLogons

         ......................... DC02 passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... DC02 passed test ObjectsReplicated

      Starting test: Replications

         ......................... DC02 passed test Replications

      Starting test: RidManager

         ......................... DC02 passed test RidManager

      Starting test: Services

         ......................... DC02 passed test Services

      Starting test: SystemLog

         ......................... DC02 passed test SystemLog

      Starting test: VerifyReferences

         ......................... DC02 passed test VerifyReferences

   
   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : tnx

      Starting test: CheckSDRefDom

         ......................... tnx passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... tnx passed test CrossRefValidation

   
   Running enterprise tests on : tnx.cz

      Starting test: LocatorCheck

         ......................... tnx.cz passed test LocatorCheck

      Starting test: Intersite

         ......................... tnx.cz passed test Intersite

DCDIAG from DC03:

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = dc03

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests

   
   Testing server: home\DC03

      Starting test: Connectivity

         ......................... DC03 passed test Connectivity



Doing primary tests

   
   Testing server: home\DC03

      Starting test: Advertising

         Warning: DsGetDcName returned information for \\DC02.tnx.cz, when we

         were trying to reach DC03.

         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.

         ......................... DC03 failed test Advertising

      Starting test: FrsEvent

         ......................... DC03 passed test FrsEvent

      Starting test: DFSREvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... DC03 failed test DFSREvent

      Starting test: SysVolCheck

         ......................... DC03 passed test SysVolCheck

      Starting test: KccEvent

         ......................... DC03 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... DC03 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... DC03 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... DC03 passed test NCSecDesc

      Starting test: NetLogons

         Unable to connect to the NETLOGON share! (\\DC03\netlogon)

         [DC03] An net use or LsaPolicy operation failed with error 67,

         The network name cannot be found..

         ......................... DC03 failed test NetLogons

      Starting test: ObjectsReplicated

         ......................... DC03 passed test ObjectsReplicated

      Starting test: Replications

         ......................... DC03 passed test Replications

      Starting test: RidManager

         ......................... DC03 passed test RidManager

      Starting test: Services

            DFSR Service is stopped on [DC03]

         ......................... DC03 failed test Services

      Starting test: SystemLog

         ......................... DC03 passed test SystemLog

      Starting test: VerifyReferences

         ......................... DC03 passed test VerifyReferences

   
   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : tnx

      Starting test: CheckSDRefDom

         ......................... tnx passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... tnx passed test CrossRefValidation

   
   Running enterprise tests on : tnx.cz

      Starting test: LocatorCheck

         ......................... tnx.cz passed test LocatorCheck

      Starting test: Intersite

         ......................... tnx.cz passed test Intersite

There are some warnings and errors in the logs, but they are quite confusing to me:

-----

There is an error on DC03 in DFS Replication log:

The DFS Replication service initialized SYSVOL at local path C:\Windows\SYSVOL\domain and is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner DC02.tnx.cz. If the server was in the process of being promoted to a domain controller, the domain controller will not advertise and function as a domain controller until this issue is resolved. This can occur if the specified partner is also in the initial synchronization state, or if sharing violations are encountered on this server or the sync partner. If this event occurred during the migration of SYSVOL from File Replication service (FRS) to DFS Replication, changes will not replicate out until this issue is resolved. This can cause the SYSVOL folder on this server to become out of sync with other domain controllers.
 
Additional Information:
Replicated Folder Name: SYSVOL Share
Replicated Folder ID: 5C759754-F9F4-4EDA-B262-B2E86BF6487F
Replication Group Name: Domain System Volume
Replication Group ID: CB8E010A-2891-495E-B1D5-C8128B4EAA52
Member ID: FA76F872-92C5-454B-875B-CA1A1DF414FE
Read-Only: 0

-----

Later there is information in DFS Replication log saying:

The DFS Replication service successfully established an inbound connection with partner DC02 for replication group Domain System Volume.
 
Additional Information:
Connection Address Used: DC02.tnx.cz
Connection ID: CB8E010A-2891-495E-B1D5-C8128B4EAA52
Replication Group ID: 106FA20D-096B-4C4C-87C9-5F58355B7165

-----

DNS Server log on DC03 says:

The DNS server has finished the background loading and signing of zones. All zones are now available for DNS updates and zone transfers, as allowed by their individual zone configuration.

-----

On DC02:

Error in DFS Replication log:

The DFS Replication service stopped replication on the folder with the following local path: C:\Windows\SYSVOL\domain. This server has been disconnected from other partners for 362 days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter (60). DFS Replication considers the data in this folder to be stale, and this server will not replicate the folder until this error is corrected.
 
To resume replication of this folder, use the DFS Management snap-in to remove this server from the replication group, and then add it back to the group. This causes the server to perform an initial synchronization task, which replaces the stale data with fresh data from other members of the replication group.
 
Additional Information:
Error: 9061 (The replicated folder has been offline for too long.)
Replicated Folder Name: SYSVOL Share
Replicated Folder ID: 5C759754-F9F4-4EDA-B262-B2E86BF6487F
Replication Group Name: Domain System Volume
Replication Group ID: 106FA20D-096B-4C4C-87C9-5F58355B7165
Member ID: 0FBB30B0-D9C5-401A-897E-2129D3230429

-----

Later information in the DFS Replication log:

The DFS Replication service has detected that at least one connection is configured for replication group Domain System Volume.
 
Additional Information:
Replication Group ID: 106FA20D-096B-4C4C-87C9-5F58355B7165
Member ID: 0FBB30B0-D9C5-401A-897E-2129D3230429

-----

There is information in the log describing what I should do: "To resume replication of this folder, use the DFS Management snap-in to remove this server from the replication group, and then add it back to the group. This causes the server to perform an initial synchronization task, which replaces the stale data with fresh data from other members of the replication group." But I do not have the DNS management snap-in in my DC for MMC. Should I install it to continue? Is the error relevant in this case? I just do not understand why it says it was disconnected from replication when it was the only DC in the domain.

Can you advise, please?

Thank you

Best regards

Jan Kovar

honza@tnx.cz

Delegate Control for domain join rights


Dear All,

I have given delegated control rights to one user for domain joining. Now I want to increase his quota from 10 computers to unlimited, but when I open the Attribute Editor and try to search for ms-DS-MachineAccountQuota, I can't find that attribute there. How can we add that attribute?

  

Office auto sign-in doesn't work on 2012 R2 RDS and Office 2016


Hi all,

Usually when we install Office 2016 on desktops it automatically logs in to the 365 accounts, and mainly the OneDrive feature.

The same thing does not work on our 2012 R2 RDS with the same Office 2016 Professional Plus.

Does someone know why?

How can I solve this matter? (We don't want the users to need to log in manually.)

Thanks in advance! 

How to enable a Global Catalog as soon as possible?


Maybe I shouldn't post my question here, but I cannot find any forum about Active Directory, domains, GC or forests... ADFS is the closest topic.

 

My question:

When I promote a Domain Controller to Global Catalog, I get an event log entry in Event Viewer:

Promotion of this domain controller to a global catalog will be delayed for the following interval.

Interval (minutes):

5

This delay is necessary so that the required directory partitions can be prepared before the global catalog is advertised. In the registry, you can specify the number of seconds that the directory system agent will wait before promoting the local domain controller to a global catalog. For more information about the Global Catalog Delay Advertisement registry value, see the Resource Kit Distributed Systems Guide.

 

I hope to speed up the operation, so I read the document about "Global Catalog Delay Advertisement".

https://technet.microsoft.com/en-us/library/cc737102%28v=ws.10%29.aspx

 

And the document about "KCC and Topology Generation":

https://technet.microsoft.com/en-us/library/cc961781.aspx

 

But none of them work for me. I have to wait 5 minutes.

Is there any way to speed it up? Any help will be greatly appreciated, thank you very much!


Learning, learning....

Smartcard Logon: The domain specified is not available. Please try again later


I've deployed a smartcard logon cert to an HID Crescendo C1150.  When I attempt to logon with the smartcard, I'm greeted with:

The system could not log you on.  The domain specified is not available. Please try again later

The machine is wired into a lab switch.  If I logon with username:password, I can verify that the workstation has network connectivity and can reach the domain controller.

Any insights would be appreciated. 


Active Directory Replication Redesign


Hi Folks,

We have a multidomain hierarchy with A_domain.com (forest root), B.A_domain.com (resource) and C.A_domain.com (accounts) [25+ domain controllers in branch sites for the accounts domain].

We have a hub-and-spoke replication topology and it's somewhat messy. I would like to optimize it. I would like to know if domain controllers in branch sites need to have a replication link to forest root domain controllers. Ideally the Schema and DNS partitions will be replicated to all DCs in the forest, and the branch site DCs can have replication partners in the hub site for the same domain, i.e. a C.A_domain.com DC in a branch site gets replication data from a C.A_domain.com DC in the hub site. The hub site DC for C.A_domain.com will have a replication partner from A_domain.com (forest root) in the same hub site. Do you see any issues removing the replication link from branch sites to the forest root and creating a replication link with another DC at the hub site from the same domain?

Regards,

Nav



Windows 2008 - AD replication Universal Group


Hi

We have an additional domain controller where we have created one universal group by the name ABC and added some members,

but the same is not replicating to the other DC. This issue is happening for only one group; other groups are working fine. Previously there was a lingering object issue and we have removed it.

Migrate CA to another machine - private key KRA issue

I'm trying to migrate a Subordinate Certification Authority from Windows 2003 to 2008 R2. I use a Key Recovery Agent to archive users' private keys. How do I migrate the old KRA certificate with its private key to the new machine? I can't see the old certificates in the agent cert store. There is only one valid certificate.
Without the old KRA certificates I can't restore old user certificates.
Is there any way to copy the location ApplicationData\Microsoft\Crypto\RSA to another machine?

Export Distribution group member list


Kindly help me in exporting the members of each distribution group from Active Directory with PowerShell commands.

I would like to export it as a CSV file. Kindly guide me.

Thanks

Selva

Delegated Account Unlock


Hi,

We have an OU in our AD domain; the management of this OU is delegated to two individuals, i.e. User 'A' and User 'B'.

These two accounts have complete control over this OU and its sub-OUs. The problem is that User 'A' can't unlock User 'B' and vice versa.

User 'A' and User 'B' can unlock accounts and reset properties of other users in the OU, but not each other.

Regards,

Darshan


