Channel: Directory Services forum
Viewing all 31638 articles

Forest trust - logon problem


Hello,

My client is in the middle of a merger and has this configuration:
AD Forest A (local) with local users (not migrated yet)
AD Forest B (remote) with local computers (every PC was installed from scratch from an image and belongs to Forest B)

There is a two-way trust between Forest A and Forest B (checked, and it is OK).

Forest A and Domain A (only one domain) are at the 2003 level.
There are two DCs:
DC1 with Windows 2003 SP2 English
DC2 with Windows 2008 R2 SP1 Polish.

A user (from A) can log in on a computer (from B), and when the logon request is processed by:
DC1: everything is OK: Outlook is connected to the local Exchange 2003, drives to local resources are mapped, etc.
DC2: access to local resources is denied: Outlook is offline, drives are not mapped, etc.

[ I can check the logon server with the "set logon" command in a command prompt. ]

This situation occurred a few days ago; previously everything worked OK.
Recently both controllers were updated by Windows Update.

I haven't seen anything special in the event logs on DC1 / DC2 or on the local computers [ I have no access to B ];
perhaps I've missed something.

Today, to mitigate the problem, I've raised the priority of DC2 in the DNS SRV records according to:
https://technet.microsoft.com/en-us/library/cc787370%28v=ws.10%29.aspx

"changing the priority causes DNS to stop referring all clients to this domain controller unless all domain controllers with a lower priority setting are unavailable."

What is wrong?


best regards
Janusz Such




DC - refuses administrator log on


History:  I migrated a 2003 domain to 2012 R2 (2 DCs), now native.  All was OK until my first reboot of the 2nd DC.  It lost its ability to communicate with the domain.  I've demoted/removed it and am now on 1 DC until I can do some more testing.  DNS is now clean and dcdiag gives a clean bill.  This has been running without issues for several weeks.

This AM I get a call and users cannot log into the terminal server.  I reboot it, but the problem persists.  I then try to log onto the DC.  I get a login error; the DC doesn't recognize administrator or the regular domain admin account I typically use.  I'm forced to do a power button shutdown and restart.  After restart I can log in and everything appears to be good.

A review of the event logs shows that at 4:30 PM yesterday the scheduled backup (Win Backup) occurred successfully.  Then shortly after 5 PM the system logs event 5823 (NETLOGON  The system successfully changed its password on the domain controller .  This event is logged when the password for the computer account is changed by the system. It is logged on the computer that changed the password. ). 

Then nothing until ~2 1/2 hours later, when I start getting a bunch of event 4 (Kerberos KRB_AP_ERR_MODIFIED) and 1006 (Group Policy processing failed) errors every couple of minutes until I reboot.

Can anyone shed some light on what possibly happened?  Did the automatic change of the system password break AD because I only have 1 DC?

Email address field


What function, if any, does the email address field in the General tab of a user AD object have?

thanks

Pat

Server 2008 R2 AD Replication "The target principal name is incorrect."


I've tried following the instructions found here: https://support.microsoft.com/en-us/kb/288167, but still cannot get a domain controller at my remote site to replicate.  The connection is good, the server is reachable, but the last replication was 21 days ago.

This is my current repadmin /replsummary:

Source DSA          largest delta    fails/total %%   error
 DC1                       29m:08s    0 /  10    0
 DC2                       29m:07s    0 /  10    0
 DC3               22d.02h:04m:24s    5 /  15   33  (2148074274) The target principal name is incorrect.
 DC4                       33m:05s    0 /  10    0
 DC5                       32m:35s    0 /  10    0
 DFW-DC-01                 29m:08s    0 /   5    0


Destination DSA     largest delta    fails/total %%   error
 DC1                       30m:58s    0 /  10    0
 DC2                       23m:59s    0 /  10    0
 DC3                       29m:08s    0 /  15    0
 DC4                       32m:35s    0 /  10    0
 DC5                       33m:06s    0 /  10    0
 DFW-DC-01         22d.02h:04m:25s    5 /   5  100  (2148074274) The target principal name is incorrect.
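
A small parser for the repadmin /replsummary table quoted above, added here as an example (not code from the post or from repadmin) to pull the failing partners and decode the error number; the 24-hour "stale delta" threshold is an assumption:

```python
"""Parse repadmin /replsummary output and flag partners whose replication is failing.
Added example, not code from the forum post; the sample is constructed from the
output quoted in the post (DC names, deltas and the error are copied from it).
"""
import re

# Sample input constructed from the post's repadmin /replsummary output.
REPLSUMMARY = """\
Source DSA          largest delta    fails/total %%   error
 DC1                       29m:08s    0 /  10    0
 DC2                       29m:07s    0 /  10    0
 DC3               22d.02h:04m:24s    5 /  15   33  (2148074274) The target principal name is incorrect.
 DC4                       33m:05s    0 /  10    0

Destination DSA     largest delta    fails/total %%   error
 DC3                       29m:08s    0 /  15    0
 DFW-DC-01         22d.02h:04m:25s    5 /   5  100  (2148074274) The target principal name is incorrect.
"""

# 2148074274 is 0x80090322, SEC_E_WRONG_PRINCIPAL: the Kerberos ticket the replication
# client obtained was not for the identity the target DC actually holds (typically a
# stale or duplicate SPN, or a DC whose machine account secret is out of step).
SEC_E_WRONG_PRINCIPAL = 0x80090322

ROW_RE = re.compile(
    r"^\s*(?P<dsa>\S+)\s+(?P<delta>\S+)\s+(?P<fails>\d+)\s*/\s*(?P<total>\d+)"
    r"\s+(?P<pct>\d+)(?:\s+\((?P<err>\d+)\)\s*(?P<msg>.*))?\s*$"
)
# "22d.02h:04m:24s" or "29m:08s": every unit except seconds is optional.
DELTA_RE = re.compile(r"(?:(\d+)d\.)?(?:(\d+)h:)?(?:(\d+)m:)?(\d+)s")

def delta_seconds(text):
    """Convert a repadmin 'largest delta' string to seconds."""
    m = DELTA_RE.fullmatch(text)
    if not m:
        raise ValueError("unexpected delta format: " + text)
    days, hours, mins, secs = (int(x or 0) for x in m.groups())
    return ((days * 24 + hours) * 60 + mins) * 60 + secs

def parse_replsummary(text):
    """Return one dict per DSA row, tagged 'source' or 'destination'."""
    rows, section = [], None
    for line in text.splitlines():
        if line.startswith(("Source DSA", "Destination DSA")):
            section = line.split()[0].lower()
            continue
        m = ROW_RE.match(line)
        if m is None or section is None:
            continue
        rows.append({
            "section": section, "dsa": m["dsa"],
            "delta_s": delta_seconds(m["delta"]),
            "fails": int(m["fails"]), "total": int(m["total"]),
            "error": int(m["err"]) if m["err"] else None,
            "message": (m["msg"] or "").strip(),
        })
    return rows

def failing_partners(rows, max_delta_s=24 * 3600):
    """Rows with failed attempts or a largest delta older than max_delta_s (assumed 24h)."""
    out = []
    for r in rows:
        if r["fails"] or r["delta_s"] > max_delta_s:
            cause = "SPN/name mismatch" if r["error"] == SEC_E_WRONG_PRINCIPAL else "other"
            out.append((r["section"], r["dsa"], r["delta_s"], cause))
    return out
```

Running failing_partners(parse_replsummary(REPLSUMMARY)) returns DC3 as source and DFW-DC-01 as destination, both tagged as the SPN/name mismatch, with a delta of just over 22 days.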

Steps for deleting a server from AD Sites and Services that has not been decomm'd


Hey all,

I have a server listed in my AD S&S that was created within VMware years ago and that no longer exists. As I cannot decommission it, how do I go about deleting it from AD S&S? There are numerous entries in the Directory Service event log, including:

Event Category: Knowledge Consistency Checker
Event ID: 1925
Description:
The attempt to establish a replication link for the following writable directory partition failed.

This domain controller will be unable to replicate with the source domain controller until this problem is corrected.

Additional Data
Error value:
1722 The RPC server is unavailable.

Any guidance here would be greatly appreciated. Thank you.

Active Directory 2003 to Active Directory 2012


Not sure if this is the correct forum... Is it better to try and upgrade from my 2003 Active Directory to a 2012 Active Directory, or just create a new zone/forest? Very small network: 25 users, 1 web server, 1 database server, 1 Exchange server, 2 file servers and 1 print server. All hardware is Dell (servers, client machines and laptops), if that matters.


Thanks

Grajek

Integrating Active Directory to NTP Server


Hi

We have Active Directory set up in our enterprise environment. The domain/forest functional level for AD is Windows Server 2003. AD is set up on Windows Server 2008.

Currently our domain controller time differs by 3 minutes from our country standard time (NST).

In order to fix this we plan to integrate our domain controller with our NTP server to resolve this time delay issue.

We have several AD-integrated enterprise solutions (e.g. Exchange, Lync, SCCM, DPM) deployed in our environment.

Kindly let me know what precautions/planning I need to do from my side before performing the integration.

Thanks

Avinash 

Error: "Attempt to fetch password of a group managed service account failed." (error 6)


Friends:

My AD DS is throwing an error reading "An attempt to fetch the password of a group managed service account failed."  The name of the service account is msa; the computer that it references is my domain controller.  And it is reporting error 6, whatever that means.

Does anyone know what this is and how to fix it?

Micah



Replication of updated .admx files in PolicyDefinitions


Hi all,

We're updating the .admx and .adml files within our PolicyDefinitions folder in SYSVOL for Windows Server 2012 R2 and Windows 10. What we've noticed is that whilst new .admx / .adml files replicate around our DCs (we have 4 in total on the same site but in different VLANs) pretty quickly, existing .admx / .adml files don't replicate around; the date modified value doesn't change, suggesting that they haven't replicated.

For example, on the DC where we have copied the .admx files to, the AddRemovePrograms.admx file has been updated to 25/11/2013 07:25, but the remaining DCs all have a time stamp of 10/06/2009 22:34. Replicating new files seems OK, so is there a setting for updating modified files at all? Also, short of copying the updated files into the PolicyDefinitions folder of each DC individually, is there another way of bringing all the files (including the date modified timestamps) into line, and ultimately, does this even matter (i.e., is there any difference in, say, the AddRemovePrograms.admx file from 2009 to 2013)?

Many thanks

Use wildcard certificate for ADFS ?


Hi,

A fellow states that the "Service Communications Certificate" cannot be a wildcard certificate.

However, when I look at the current certificate used by our ADFS server, it is indeed a wildcard certificate.

Is there anything I have missed?

Thanks

Get-ADDomainController


Get-ADDomainController reports an old server that we want to retire.

How do I change the reported hostname and IP address of an old server that we want to demote and retire?

When I shut down the old server, I am unable to log into any AD or Exchange info.

Yes, all the FSMO roles have been moved over to the new server. When I run netdom query fsmo everything looks great.

Yes, the new DNS server is a global catalog.

yes, the new DNS server is a global catalog.

here is what the Get-ADDomainController reports

ComputerObjectDN           : CN=SERVER1,OU=Domain Controllers,DC=domain,DC=local
DefaultPartition           : DC=domain,DC=local
Domain                     : domain.local
Enabled                    : True
Forest                     : domain.local
HostName                   : Server1.domain.local
InvocationId               : dac797ec-????
IPv4Address                : 10.10.10.3
IPv6Address                :
IsGlobalCatalog            : True
IsReadOnly                 : False
LdapPort                   : 389
Name                       : SERVER1

SERVER1 is the old

I am thinking the command would be

Set-ADDomain -server newserver.domain.local

but that gives me an error

  + CategoryInfo          : InvalidArgument: (:) [Set-ADDomain], ParameterBindingException
  + FullyQualifiedErrorId : AmbiguousParameterSet,Microsoft.ActiveDirectory.Management.Commands.SetADDomain

thanks for your time and your help

Mike

Unlock user Account Automatically


 Hi All,

Is there any way to unlock user accounts automatically in AD, using some code words or security questions? We are getting many tickets for unlocking user accounts. Or any other option? Please share your suggestions. Thanks!

Cannot elevate 2012 R2 Servers past 2008 R2 Functional Level


Hello,

We recently upgraded our Active Directory infrastructure from 2008 to 2012 R2. We performed all of the migration procedures and now have two 2012 R2 fully-replicating domain controllers. The only item left on the to-do list is to raise the functional level of the Domain and Forest to 2012 R2.

Prior to migrating to 2012 R2 we upgraded both the Domain and Forest to 2008 which was the highest OS we had at the time. Now that we're fully-migrated to 2012 I'm not able to raise the functional level on either the Domain or Forest past 2008 R2. When I go into the Domain or Forest Functional Level wizards it says that I'm on the highest functional level available.

The only thought I have at this point is that we didn't run ADPREP prior to migrating. This omission was done deliberately because of countless articles stating it wasn't necessary. Now I'm beginning to wonder if we needed to run ADPREP after all.

Question for forum: Can anyone explain why we can't raise the functional level of our Domain and Forest past 2008 R2 and does anyone think running ADPREP could resolve the issue?

Thanks in advance.

Time Skew Problem


Hi,

We are getting a time skew alert. I have checked the below. This is on a PDC.

There is no Kernel-General event for the last 7 days.

w32tm /resync /rediscover is working perfectly fine.

w32tm /stripchart /computer:<ntp server name> /samples:3 /dataonly
Tracking ######.com [#####:123].
Collecting 3 samples.
The current time is 12/29/2015 1:49:54 PM.
13:49:54, -00.0014021s
13:49:56, -00.0046351s
13:49:58, -00.0051172s

w32tm /query /status 
Leap Indicator: 0(no warning)
Stratum: 4 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0721893s
Root Dispersion: 0.0972451s
ReferenceId: 0x0A831AFA (source IP:  10.131.26.250)
Last Successful Sync Time: 12/29/2015 4:05:53 PM
Source: #####.com,0x8
Poll Interval: 10 (1024s)

So I have enabled w32time debug logging. Please find a portion of the log below.

151572 17:01:26.0769480s - ListeningThread -- response heard from 10.60.4.64:123 <- 172.18.16.33:123
151572 17:01:26.0769480s - TransmitResponse: sent 0.0.0.0:123(172.18.16.33:123)->10.60.4.64:123
151572 17:01:26.5604798s - ListeningThread -- DataAvailEvent set for socket 1 (0.0.0.0:123)
151572 17:01:26.5604798s - ListeningThread -- response heard from 172.18.17.161:123 <- 172.18.16.33:123
151572 17:01:26.5604798s - Computing server digest: OLD:FALSE, RID:00243C9B
151572 17:01:26.5760776s - TransmitResponse: sent 0.0.0.0:123(172.18.16.33:123)->172.18.17.161:123
ckDispln Discipline: *SKEW*TIME* - PhCRR:2 CR:156001 PhCR:2 UI:100 phcT:65 KPhO:2029

I am not able to understand the debug log. What are PhCRR, PhCR, phcT and KPhO? Please let me know what I should look for in the w32time debug log.

 Thanks,

Arindam
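
The stripchart and status output quoted above can be read mechanically; the following is an added example (not code from the post or from w32tm) that parses both and lists what, if anything, in them would justify a skew alert. The 300 s threshold is an assumption (the default Kerberos MaxClockSkew of 5 minutes).

```python
"""Parse the w32tm /stripchart and /query /status output quoted above and check
whether the observed offset, stratum and sync flags can explain a time-skew alert.
Added example, not from the forum post; the 300 s threshold is an assumption
(the default Kerberos MaxClockSkew of 5 minutes).
"""
import re

# Sample input constructed from the post (server names were already masked there).
STRIPCHART = """\
Tracking ######.com [#####:123].
Collecting 3 samples.
The current time is 12/29/2015 1:49:54 PM.
13:49:54, -00.0014021s
13:49:56, -00.0046351s
13:49:58, -00.0051172s
"""
STATUS = """\
Leap Indicator: 0(no warning)
Stratum: 4 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0721893s
Root Dispersion: 0.0972451s
ReferenceId: 0x0A831AFA (source IP:  10.131.26.250)
Last Successful Sync Time: 12/29/2015 4:05:53 PM
Source: #####.com,0x8
Poll Interval: 10 (1024s)
"""

# "13:49:54, -00.0014021s": local clock, then offset from the queried server.
SAMPLE_RE = re.compile(r"^(\d\d:\d\d:\d\d),\s*([+-]?\d+\.\d+)s$")

def parse_stripchart(text):
    """Return (clock, offset_seconds) for each /dataonly sample line."""
    samples = []
    for line in text.splitlines():
        m = SAMPLE_RE.match(line.strip())
        if m:
            samples.append((m.group(1), float(m.group(2))))
    return samples

def parse_status(text):
    """Turn 'Key: value' lines from w32tm /query /status into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields

def assess(stripchart, status, max_skew_s=300.0):
    """Summarise the two outputs and list anything that would justify a skew alert."""
    samples = parse_stripchart(stripchart)
    st = parse_status(status)
    worst = max((abs(off) for _, off in samples), default=0.0)
    stratum = int(st["Stratum"].split()[0])
    poll_exp = int(st["Poll Interval"].split()[0])        # log2 of the poll interval
    flags = int(st["Source"].rsplit(",", 1)[1], 16)        # 0x8 = client-mode NTP peer
    findings = []
    if worst >= max_skew_s:
        findings.append("offset %.3fs exceeds %.0fs" % (worst, max_skew_s))
    if stratum == 0 or stratum > 15:
        findings.append("stratum %d means the clock is not synchronised" % stratum)
    if st["Leap Indicator"].startswith("3"):
        findings.append("leap indicator 3: source reports it is unsynchronised")
    return {"worst_offset_s": worst, "stratum": stratum, "poll_s": 2 ** poll_exp,
            "source_flags": flags, "findings": findings}
```

For the quoted output assess(STRIPCHART, STATUS) returns an empty findings list with a worst offset of about 5 ms, so the alert is not explained by the offset these samples show.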


Lost Local Users after joining to domain


This may involve two different forums, but here it goes. We have a newly installed Windows Server 2012 R2 Standard with Active Directory, DNS and DHCP. In addition we have several newly installed Windows 10 workstations. The workstations have local user accounts (not Microsoft accounts) like Blah1, Blah2, Blah3 etc. and the local administrator account. We do all of our setup, app loading and configuration as the local administrator. Prior to bringing the workstations into the domain we log in to the workstation as Blah1, which is an administrator-level account, and copy the actual Administrator profile to the Default profile so that every new user starts with the same basic desktop at first login. Once the Default profile is set we log back in as the local administrator of the workstation and then join the domain. All good at this point. I can now log in as a domain user (XXXX23.domain.xxx) for that workstation and I get the administrator desktop and settings, and the group policy is pushed from the server. That user can then customize the desktop however they wish. Still all good.

The problem is that, unlike previous OSes, with Windows 10, once we join that PC to the domain all of the local users for that PC disappear. So if I now try to log in locally as "workstation name\local user1", that user no longer exists. Even if I remove that PC from the domain, none of the local users I created prior to joining the domain are there anymore, not even the Blah1 administrator-level user I logged in as to copy the administrator profile just prior to joining the domain. Only the local PC Administrator user is present. In Windows 8 and prior there were the local users and the domain users. The local users would be maintained in Control Panel\User Accounts regardless of what server Active Directory I was connecting to. In Windows 10 all the pre-domain local users are lost.

Is there a setting I am missing to retain this information?


How to rename domain name(domain controller) without affecting user login


Hi,

I want to change the domain name. My current domain is 4cdrug.com (FQDN: srv1.4cdrug.com). I want to change it to 4c.com.

Please guide to rename domain name.

Regards,

Ramaiah C

Manage distribution lists using Active Directory


We recently migrated over to Office 365 and use our Active Directory and DirSync to manage our users. Since we don't have an Exchange server on site, we're running into a problem with not being able to restrict send/receive access to certain distribution groups. Is there a tool we can use to achieve this? We are on 2012 R2.

AD FS 3 (ADFS3) issue with iPads


In a development environment at the moment. Set up an application called Tableau to use SAML authentication.

From a desktop, the configuration is active and functional. IE will use integrated authentication, Firefox and Chrome will use the ADFS3 form authentication and logon the user into the application.

On the iPad, however, the logon to the ADFS3 form throws the below error.

Encountered error during federation passive request.

Additional Data

Protocol Name:

Relying Party:

Exception details:

Microsoft.IdentityServer.Web.CookieManagers.InvalidSamlContextException: MSIS7046: The SAML protocol parameter 'RelayState' was not found or not valid. If the context was stored in cookies, the cookies that were presented by the client were not valid. Ensure that the client browser is configured to accept cookies from this website and retry this request.
   at Microsoft.IdentityServer.Web.CookieManagers.EncodedContext.InitializeSamlProtocolContext(Uri baseUrl, String encodedValue)
   at Microsoft.IdentityServer.Web.CookieManagers.EncodedContext..ctor(String encodedValue, Boolean samlEnabled, Boolean wsFederationEnabled)
   at Microsoft.IdentityServer.Web.CookieManagers.RequestCookieManager.Load(Boolean samlEnabled, Boolean wsFederationEnabled, WrappedHttpListenerRequest context)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)


 The iPad has "allow all cookies" enabled.

I'm a little concerned because we are about to configure users to use Office 365 with ADFS SSO as well. Will this be a problem there too?

Thanks,

Doug

Multiple Computers receive Access Denied at logon. User credentials are valid. Windows 7 Pro


Windows 7 Pro 64-bit computer working normally or recently rebooted. A user tries to log on and the access denied message displays. I try to log on with the local admin account and get the same error. Sometimes rebooting the PC will allow you to log on correctly, but we have had to boot into safe mode and choose "Active Directory repair" on several machines. This has happened on several Windows 7 desktops and one 2008 R2 server running Terminal Services. We have about 80 user computers and so far 10 have had this issue over the last month.

Our 2 DC servers are Windows 2008 R2. I couldn't find any AD errors.

To "fix" the pc we had to:

1. Boot into Safe Mode with Command Prompt
2. At the DOS prompt (Cmd) window, type MSCONFIG and press Enter
3. When MSCONFIG opens, click the "Boot Options" tab
4. Click the option for "Active Directory Repair"
5. Exit MSCONFIG, and reboot the PC

The PC will boot into Safe Mode regardless of what you choose (e.g. "Start Windows Normally").
You may need to reboot more than once for the repair to be completed; mine needed 2 times.

When a computer has the issue I cannot logon with the domain credentials or the local admin user credentials. Unplugging the network cable doesn't help. The only way to "fix" the issue is to boot into safe mode, login with local admin account and run msconfig, safe boot, active directory repair.

Does anyone know what Safeboot Active Directory repair does? I reboot into this mode and then I reboot again normally and the issue is resolved. If I knew what exactly happens when I boot into safe mode with active directory repair checked then maybe I can understand the problem more.

RODC shows Netlogon Event ID 5723, 5805 for DC's in a trusted forest


In my forest, I have a 2 way transitive trust with another forest.  The trust is set to allow forest-wide authentication. We have an RODC in the data center where the remote forest is located.  In the System event log on the RODC, I see frequent instances of Event ID 5723, followed a few minutes later by event ID 5805, both from netlogon. The Events read as follows:

Log Name:      System
Source:        NETLOGON
Date:          12/27/2015 6:11:33 AM
Event ID:      5723
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      RODC.mydomain.com
Description:
The session setup from computer 'OtherDC1' failed because the security database does not contain a trust account 'OtherDomain.Internal.' referenced by the specified computer.

USER ACTION
If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time.  If this is a Read-Only Domain Controller and 'OtherDomain.Internal.' is a legitimate machine account for the computer 'OtherDC1' then 'OtherDC1' should be marked cacheable for this location if appropriate or otherwise ensure connectivity to a domain controller  capable of servicing the request (for example a writable domain controller).  Otherwise, the following steps may be taken to resolve this problem:

If 'OtherDomain.Internal.' is a legitimate machine account for the computer 'OtherDC1', then 'OtherDC1' should be rejoined to the domain.

If 'OtherDomain.Internal.' is a legitimate interdomain trust account, then the trust should be recreated.

Otherwise, assuming that 'OtherDomain.Internal.' is not a legitimate account, the following action should be taken on 'OtherDC1':

If 'OtherDC1' is a Domain Controller, then the trust associated with 'OtherDomain.Internal.' should be deleted.

If 'OtherDC1' is not a Domain Controller, it should be disjoined from the domain.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="NETLOGON" /><EventID Qualifiers="0">5723</EventID><Level>2</Level><Task>0</Task><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime="2015-12-27T12:11:33.000000000Z" /><EventRecordID>116817</EventRecordID><Channel>System</Channel><Computer>RODC.mydomain.com</Computer><Security /></System><EventData><Data>OtherDC1</Data><Data>OtherDomain.Internal.</Data><Binary>8B0100C0</Binary></EventData></Event>


Log Name:      System
Source:        NETLOGON
Date:          12/27/2015 6:21:01 AM
Event ID:      5805
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      RODC.mydomain.com
Description:
The session setup from the computer OtherDC1 failed to authenticate. The following error occurred:
Access is denied.
Event Xml:<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="NETLOGON" /><EventID Qualifiers="0">5805</EventID><Level>2</Level><Task>0</Task><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime="2015-12-27T12:21:01.000000000Z" /><EventRecordID>116819</EventRecordID><Channel>System</Channel><Computer>RODC.mydomain.com</Computer><Security /></System><EventData><Data>OtherDC1</Data><Data>%%5</Data><Binary>220000C0</Binary></EventData></Event>

These events appear several times a day, at intervals anywhere from about 1-5 hours apart.  

Based on the text in event 5723, I added OtherDC1.OtherDomain.Internal to the "Allowed RODC Password Replication Group" in mydomain, but this did not make a difference. 

What would cause this and how can I resolve the issue?
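
The two Event XML records quoted above are what a detection rule would work from; as an added example (not code from the post), the following parses them, decodes the NTSTATUS carried in the Binary field, and pairs each 5723 with the 5805 that follows it from the same source computer. The 30-minute pairing window is an assumption.

```python
"""Parse the two Netlogon Event XML records quoted above and pair the 5723
("no trust account for ...") with the 5805 ("session setup failed") that follows
it from the same source computer. Added example, not from the forum post; the
30-minute pairing window is an assumption.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sample input: the Event XML records quoted in the post, unchanged.
EVENTS_XML = [
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="NETLOGON" /><EventID Qualifiers="0">5723</EventID><Level>2</Level><Task>0</Task><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime="2015-12-27T12:11:33.000000000Z" /><EventRecordID>116817</EventRecordID><Channel>System</Channel><Computer>RODC.mydomain.com</Computer><Security /></System><EventData><Data>OtherDC1</Data><Data>OtherDomain.Internal.</Data><Binary>8B0100C0</Binary></EventData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="NETLOGON" /><EventID Qualifiers="0">5805</EventID><Level>2</Level><Task>0</Task><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime="2015-12-27T12:21:01.000000000Z" /><EventRecordID>116819</EventRecordID><Channel>System</Channel><Computer>RODC.mydomain.com</Computer><Security /></System><EventData><Data>OtherDC1</Data><Data>%%5</Data><Binary>220000C0</Binary></EventData></Event>',
]

# The <Binary> field is the NTSTATUS code in little-endian byte order.
NTSTATUS_NAMES = {
    0xC000018B: "STATUS_NO_TRUST_SAM_ACCOUNT",
    0xC0000022: "STATUS_ACCESS_DENIED",
}

def parse_event(xml_text):
    """Pull EventID, timestamp, logging computer, Data strings and NTSTATUS out of one record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    # SystemTime carries nanoseconds; strptime's %f takes at most six digits, so cut at seconds.
    stamp = system.find("e:TimeCreated", NS).get("SystemTime")[:19]
    binary = root.find("e:EventData/e:Binary", NS)
    status = int.from_bytes(bytes.fromhex(binary.text), "little") if binary is not None else None
    return {
        "id": int(system.find("e:EventID", NS).text),
        "time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S"),
        "computer": system.find("e:Computer", NS).text,
        "data": [d.text for d in root.findall("e:EventData/e:Data", NS)],
        "status": status,
        "status_name": NTSTATUS_NAMES.get(status, "unknown"),
    }

def correlate(events, window=timedelta(minutes=30)):
    """Pair each 5723 with the first later 5805 from the same source computer inside window."""
    events = sorted(events, key=lambda e: e["time"])
    pairs = []
    for i, first in enumerate(events):
        if first["id"] != 5723:
            continue
        source = first["data"][0]           # computer that attempted the session setup
        for later in events[i + 1:]:
            if later["id"] == 5805 and later["data"][0] == source \
                    and later["time"] - first["time"] <= window:
                pairs.append({
                    "source": source,
                    "account": first["data"][1],   # trust/machine account Netlogon looked for
                    "rodc": first["computer"],
                    "gap_s": int((later["time"] - first["time"]).total_seconds()),
                    "first_status": first["status_name"],
                    "then_status": later["status_name"],
                })
                break
    return pairs

if __name__ == "__main__":
    for pair in correlate([parse_event(x) for x in EVENTS_XML]):
        print(pair)
```

On the quoted records this yields one pair: OtherDC1 looking for the account OtherDomain.Internal. on RODC.mydomain.com, STATUS_NO_TRUST_SAM_ACCOUNT followed 568 seconds later by STATUS_ACCESS_DENIED.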


