Channel: Directory Services forum

How do we remove Domain Users from Builtin\Administrators while allowing us to test the effects?


This is the overview of the situation.  I just took over AD in an environment that is a 24/7 production environment with little to no ability to be taken down.  The previous administrators did a lot of really poorly thought out band-aiding of issues and now I am trying to fix it while not bringing the environment down and allowing us the ability to test the effects before making any major changes.

The first issue on the agenda is that for some reason someone put the Domain Users group into the Builtin\Administrators group which allows all users unadulterated access to servers and who knows what else.  Not knowing for certain what will happen when I take the Domain Users out of Builtin\Administrators I wanted to hedge my bets by creating a new group (All Users) and having the same members in it as in Domain Users.  The plan was to put the All Users group into the Builtin\Administrators group, allow it to trickle down, and then remove Domain Users, hopefully allowing everyone to maintain the same rights while allowing new users (especially for testing) to have the proper rights and allowing us to confirm what needs to be done before fully removing the admin rights for everyone.

The major problem.  When I add All Users to the Builtin\Administrators group, the next morning the Builtin\Administrators group is reset and All Users is no longer there.  As it is, the best-case scenario is that if I added All Users and took Domain Users out tomorrow, it would be as if nothing had happened; the worst case is that All Users is removed and Domain Users isn't restored, leaving us with a completely untested environment.

What has been done and found so far.  While looking for why this is happening I found out more about the AdminSDHolder and the various processes around it.  I have confirmed that the SDProp process is not set off of the default time, so every hour it should run; however, the issue is that I've watched the group over the course of about 6 hours and All Users stayed where it was put the entire time.  I however do not know if the runProtectAdminsGroupTask runs at the same hourly interval (in which case something else is making the change) or if it is run once a day (in which case it may be the cause of this issue).  I have made changes to the dsHeuristics setting to set it to f, which maximizes what is excluded, and I have used ADSIedit to go into the attributes for Builtin\Administrators to set adminCount to 0. When I go into LDP and connect to the server to kick off fixupInheritance or runProtectAdminsGroupTask I get the same error.

ldap_modify_s(ld, '(null)',[0] attrs);
Error: Modify: Unwilling To Perform. <53>
Server error: 00000057: LdapErr: DSID-0C0422CE, comment: Error in attribute conversion operation, data 0, v23f0
Error 0x57 The parameter is incorrect.

I have confirmed I do have the correct rights to run the command.

Another issue I have found, which is likely very much related and may be a contributing factor, is that using a tool called LIZA I have run a search on everything with blocked inheritance and found that, because of the groupings and such, every single user in the environment has inheritance blocked and is likely "protected" by AdminSDHolder.

 

So in the end the simple act of adding the All Users group to the Builtin\Administrators group is running into walls, and I was hoping someone could show me how to get around them.  Trying to audit the changes on the Builtin\Administrators group failed because, since the group is reset, all of the audit settings are reset too, with no events being logged.  Errors prevent me from kicking off the suspected processes causing the issue so that I can confirm whether my solutions are working, forcing me to wait at least a day in between potential fixes.  And all the while even a brand new and clean user can log into any of our servers and cause havoc. I am in need of help, please.

Edit:  I was able to find the issue with trying to manually kick off the AdminSDHolder check.  I'm unsure it worked but I am making progress in this quest to undo the mistakes of admins past.
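An added example, not from the post: the LIZA finding above (every user with inheritance blocked) is the usual footprint of nesting Domain Users under Builtin\Administrators, because SDProp stamps adminCount=1 on every effective member and blocks ACL inheritance on it, and it never undoes that when the member leaves. The script below, using only the ActiveDirectory module, lists objects that still carry adminCount=1 but are no longer members of any protected group, and can return them to normal. Function names are the example's own.

```powershell
# Added example, not the poster's code: find objects SDProp stamped adminCount=1 on that are
# no longer members of a protected group, then (optionally) clear the stamp and re-enable inheritance.
Import-Module ActiveDirectory

function Get-OrphanedAdminSdHolderObjects {
    # Groups whose members AdminSDHolder/SDProp protects (Builtin\Administrators is the one at issue).
    $protectedGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                       'Account Operators', 'Server Operators', 'Print Operators', 'Backup Operators',
                       'Replicator', 'Domain Controllers', 'Read-only Domain Controllers'

    # Everything that is, directly or through nesting, a member of one of those groups.
    $protected = New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($g in $protectedGroups) {
        try {
            Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
                ForEach-Object { [void]$protected.Add($_.DistinguishedName) }
        } catch { Write-Warning "Could not expand ${g}: $_" }
    }

    # Everything still carrying adminCount=1 (groups keep it legitimately while they are protected).
    Get-ADObject -LDAPFilter '(&(adminCount=1)(!(objectClass=group)))' -Properties nTSecurityDescriptor |
        Where-Object { -not $protected.Contains($_.DistinguishedName) } |
        ForEach-Object {
            [pscustomobject]@{
                Name               = $_.Name
                ObjectClass        = $_.ObjectClass
                DistinguishedName  = $_.DistinguishedName
                InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
            }
        }
}

function Repair-OrphanedAdminSdHolderObject {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)][string]$DistinguishedName)
    process {
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Clear adminCount and re-enable ACL inheritance')) {
            Set-ADObject -Identity $DistinguishedName -Clear adminCount
            # The AD: drive treats '/' as a path separator, so escape it in DNs that contain one.
            $path = 'AD:\' + ($DistinguishedName -replace '/', '\/')
            $acl  = Get-Acl -Path $path
            $acl.SetAccessRuleProtection($false, $true)   # inherit from the parent again, keep explicit ACEs
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

# Review the list first; drop -WhatIf once it contains only the objects you expect.
Get-OrphanedAdminSdHolderObjects | Format-Table Name, ObjectClass, InheritanceBlocked -AutoSize
Get-OrphanedAdminSdHolderObjects | Repair-OrphanedAdminSdHolderObject -WhatIf
```

Run it after Domain Users has actually been removed from Administrators and SDProp has had an hour to run; while Domain Users is still nested, every user is a legitimate protected member and the orphan list will be empty.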



Some users getting temp profile


Some users are getting a temp profile and generating this event log entry:

Windows cannot find the local profile and is logging you on with a temporary profile.
Changes you make to this profile will be lost when you log off.

As per the below article:

https://support.microsoft.com/en-in/kb/947242

A .bak registry key is created for some users. I tried deleting it for one user and it solved the issue.

However, it keeps on happening for different users. How do I solve this problem for all users, and why does this issue happen?
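An added example, not from the post, for finding the condition the KB article describes on a machine before touching the registry by hand: the User Profile Service renames a user's ProfileList key to `<SID>.bak` when it cannot load that profile and creates a fresh key for the temporary one. The script lists every such pair with the account name and whether the profile folder on disk still exists, and repairs one the way the KB lays out (remove the temporary key, rename the .bak key back, reset RefCount and State). Function names are the example's own; run it elevated with the affected user logged off.

```powershell
# Added example, not the poster's code: inventory and repair ProfileList keys renamed to .bak.
$ProfileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-BakProfileKeys {
    Get-ChildItem -Path $ProfileList | Where-Object { $_.PSChildName -like '*.bak' } | ForEach-Object {
        $sid     = $_.PSChildName -replace '\.bak$', ''
        $bakPath = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
        $account = '(unresolved SID)'
        try {
            $account = (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate(
                           [System.Security.Principal.NTAccount]).Value
        } catch { }
        [pscustomobject]@{
            Sid                 = $sid
            Account             = $account
            BakProfilePath      = $bakPath
            ProfileFolderExists = [bool]$bakPath -and (Test-Path -Path $bakPath)   # missing folder = likely root cause
            TempKeyExists       = Test-Path -Path (Join-Path $ProfileList $sid)
        }
    }
}

function Repair-BakProfileKey {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Sid)
    $bak  = Join-Path $ProfileList "$Sid.bak"
    $live = Join-Path $ProfileList $Sid
    if (-not (Test-Path -Path $bak)) { throw "No .bak key for $Sid" }
    if ($PSCmdlet.ShouldProcess($Sid, 'Remove temp-profile key, restore .bak key, reset RefCount/State')) {
        # The key without .bak is the temporary profile Windows created; the .bak key is the real one.
        if (Test-Path -Path $live) { Remove-Item -Path $live -Recurse -Force }
        Rename-Item -Path $bak -NewName $Sid
        Set-ItemProperty -Path $live -Name RefCount -Value 0 -Type DWord
        Set-ItemProperty -Path $live -Name State    -Value 0 -Type DWord
    }
}

Get-BakProfileKeys | Format-Table -AutoSize
# Repair-BakProfileKey -Sid 'S-1-5-21-...' -WhatIf    # remove -WhatIf once the inventory looks right
```

The ProfileFolderExists column is the hint for the "why does this keep happening" part: a .bak key appears when the profile could not be loaded at logon, so a deleted or inaccessible profile folder, or a locked NTUSER.DAT, is what to look for (User Profile Service events 1508, 1511 and 1515 on the affected machines record which one).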

The security database on the server does not have a computer account for the workstation trust relationship


Hi,

In one of my DC locations, users are trying to change their password with CTRL+ALT+DEL and they are getting the message below. Earlier it was working fine.

The security database on the server does not have a computer account for the workstation trust relationship.

I rejoined the machine but it did not work for me.


Balwan Singh

Authentication failure in AD using web service


Hi everyone.

I have a problem with AD authentication that I am looking forward to resolving.

In my org every client computer has to join the domain and users are not permitted to log on to other computers, so on the AD server I set "Log On To" for every account (email) with a specified computer name.

The problems:

Email accounts cannot log on to email using MS Outlook.

Email accounts cannot authenticate via the web service (Client - Web Service - AD Server).


    // Directives needed at the top of the .asmx.cs file for the code below
    using System;
    using System.DirectoryServices.AccountManagement;
    using System.Web.Script.Services;
    using System.Web.Services;

    [WebMethod]
    [ScriptMethod(UseHttpGet = true)]   // with GET the password travels in the query string and lands in web logs
    public string isLDapAuthenticated(string user, string pass)
    {
        string AdServer = "bidvbank.bidv.com";
        string useraccount = user.Trim() + "@bidvbank.bidv.com";
        // Bind to the domain as the user being checked; dispose the context when done.
        using (var pcpContext = new PrincipalContext(ContextType.Domain, AdServer, user, pass))
        {
            return AdAuthenticate(pcpContext, useraccount);
        }
    }

    private static string AdAuthenticate(PrincipalContext pcpContext, string uAccount)
    {
        string ex = "";
        UserPrincipal user = null;
        try
        {
            // The lookup only succeeds if the bind credentials are accepted and the UPN exists.
            user = UserPrincipal.FindByIdentity(pcpContext, IdentityType.UserPrincipalName, uAccount);
        }
        catch (Exception ex1)
        {
            ex = ex1.Message;   // returned to the caller below; the detail is more useful in a server-side log
        }
        bool userFound = (user != null);
        if (userFound)
            return "<value>Authenticated</value>";
        else
            return "<value>" + ex + "</value>";
    }

What can I do to resolve the problems? Is the cause the AD settings or the C# code?

Thanks for your time.
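An added example, not from the post: the "Log On To" setting in the post is stored in the user's userWorkstations attribute, which the ActiveDirectory module exposes as LogonWorkstations (a comma-separated list of NetBIOS computer names). When another host authenticates on the user's behalf, the domain controller evaluates the restriction against the name that host presents, so one check worth making before touching the C# is whether the web server (and the Exchange/Outlook-facing server) is on each affected account's list. Function names and the host name WEB01 are the example's own.

```powershell
# Added example, not the poster's code: inspect and extend the "Log On To" (userWorkstations) list.
Import-Module ActiveDirectory

function Get-LogonWorkstationRestriction {
    # Lists every account that has a workstation restriction and whether $HostName is permitted.
    param([Parameter(Mandatory = $true)][string]$HostName)
    Get-ADUser -LDAPFilter '(userWorkstations=*)' -Properties LogonWorkstations | ForEach-Object {
        $list = @($_.LogonWorkstations -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            Workstations   = $list -join ','
            HostAllowed    = ($list -contains $HostName)   # -contains is case-insensitive
        }
    }
}

function Add-LogonWorkstation {
    # Appends $HostName to the account's list without disturbing the names already there.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Identity,
          [Parameter(Mandatory = $true)][string]$HostName)
    $u    = Get-ADUser -Identity $Identity -Properties LogonWorkstations
    $list = @($u.LogonWorkstations -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($list -contains $HostName) { return }
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Add $HostName to LogonWorkstations")) {
        Set-ADUser -Identity $u -LogonWorkstations (($list + $HostName) -join ',')
    }
}

# Accounts that cannot be authenticated from the web server, per their current list:
Get-LogonWorkstationRestriction -HostName 'WEB01' | Where-Object { -not $_.HostAllowed } | Format-Table -AutoSize
# Add-LogonWorkstation -Identity 'jdoe' -HostName 'WEB01' -WhatIf
```

An account with no restriction is absent from the first listing, which is the expected state for accounts that should log on from anywhere.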







Users not able to login on via local domain controller


Hello Experts,

We have 4 sites on which we have local domain controllers. Yesterday, on one site, the link broke and the head office and branch site were disconnected, so as the link went down, connectivity between the local domain controller and the other domain controllers stopped.

But unfortunately users at the branch site are not able to login/authenticate via their domain ID and the error below comes up:

"The password is incorrect. Try again."

Even the AD Admin account is not able to log in on the branch local domain, and the password error comes up.

How can I troubleshoot this issue?

Domain Users Password unable to change


Hi,

When users of the domain controller try to change their password, the error below occurs, although a password meeting all the required policy was provided.

-------------------------------------------------------------------------------------------------------------------------------------------------

Change a password

Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.

-----------------------------------------------------------------------------------------------------------------------------------------------------
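An added example, not from the post: the same message is returned when the new password satisfies length, complexity and history but the account's minimum password age has not yet elapsed, and when a fine-grained password policy (on 2008 or later) overrides the Default Domain Policy for that user. This function, using the ActiveDirectory module, resolves the policy a given account actually gets and whether the minimum-age clock has run out. The function name is the example's own.

```powershell
# Added example, not the poster's code: show the password policy that actually applies to one account.
Import-Module ActiveDirectory

function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory = $true)][string]$Identity)

    $u    = Get-ADUser -Identity $Identity -Properties PasswordLastSet
    # Null when no fine-grained policy (PSO) applies; the domain default then governs.
    $pso  = Get-ADUserResultantPasswordPolicy -Identity $u
    $pol  = if ($pso) { $pso } else { Get-ADDefaultDomainPasswordPolicy }

    $ageOk = $true
    if ($u.PasswordLastSet) {
        $ageOk = ((Get-Date) - $u.PasswordLastSet) -ge $pol.MinPasswordAge
    }

    [pscustomobject]@{
        User               = $u.SamAccountName
        PolicySource       = if ($pso) { "PSO: $($pso.Name)" } else { 'Default Domain Policy' }
        MinPasswordLength  = $pol.MinPasswordLength
        ComplexityEnabled  = $pol.ComplexityEnabled
        PasswordHistory    = $pol.PasswordHistoryCount
        MinPasswordAge     = $pol.MinPasswordAge
        PasswordLastSet    = $u.PasswordLastSet
        MinAgeSatisfied    = $ageOk          # $false explains this error even with a compliant password
    }
}

Get-EffectivePasswordPolicy -Identity 'jdoe' | Format-List
```

If MinAgeSatisfied is false, an administrator reset (Set-ADAccountPassword -Reset) is allowed where a user-initiated change is not, which is why the same password "works" for the helpdesk but not for the user.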

NFS - how do you implement user mapping?


Windows 2008 R2 sp1

The NFS client is a Windows Server 2008 R2. The NFS server is a SAN storage that supports NFS; we have enabled the NFS service and shared a folder. When I map a drive to the NFS share, it maps alright but I get a big red X on the mapped drive. I can copy to and create on the mapped NFS share too.

However, I keep getting event error ID 16397 initially, and now I am getting 16398 and 16399.

  Windows(R) Lightweight Directory Access Protocol (LDAP) failed a request to connect to Active Directory Domain Services(R) for Windows user <ACME\bunny>.

  Without the corresponding UNIX identity of the Windows user, the user cannot access Network File System (NFS) shared resources.

  Verify that the Windows user is in Active Directory Domain Services and has access permissions.

If I understood correctly, I should create a one-to-one user mapping between Windows and the NFS server. How does one go about doing that?
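An added example, not from the post: on Windows Server 2008 R2 the NFS client looks up the Windows user's UNIX identity in Active Directory, in the RFC 2307 attributes uidNumber and gidNumber that the AD schema has carried since Windows Server 2003 R2 (the client is pointed at the domain in the Services for NFS console, under Properties). The event text in the post is what the client logs when those attributes are empty. The functions below, which are the example's own, set a user's UNIX identity and report users who still lack one; the UID and GID values must be the ones the SAN's NFS export recognises for that person.

```powershell
# Added example, not the poster's code: manage the uidNumber/gidNumber identity mapping in AD.
Import-Module ActiveDirectory

function Set-NfsUnixIdentity {
    param([Parameter(Mandatory = $true)][string]$Identity,
          [Parameter(Mandatory = $true)][int]$Uid,
          [Parameter(Mandatory = $true)][int]$Gid)

    # Refuse a UID that is already mapped to someone else; two Windows users sharing one UID
    # would be indistinguishable to the NFS server.
    $clash = Get-ADUser -LDAPFilter "(uidNumber=$Uid)" |
             Where-Object { $_.SamAccountName -ne (Get-ADUser -Identity $Identity).SamAccountName }
    if ($clash) { throw "uidNumber $Uid is already assigned to $($clash.SamAccountName -join ', ')" }

    Set-ADUser -Identity $Identity -Replace @{ uidNumber = $Uid; gidNumber = $Gid }
    Get-ADUser -Identity $Identity -Properties uidNumber, gidNumber |
        Select-Object SamAccountName, uidNumber, gidNumber
}

function Get-NfsUnmappedUsers {
    # Users who would trigger the "Without the corresponding UNIX identity" event when they hit an NFS share.
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    Get-ADUser -LDAPFilter '(!(uidNumber=*))' -SearchBase $SearchBase |
        Select-Object SamAccountName, DistinguishedName
}

Set-NfsUnixIdentity -Identity 'bunny' -Uid 10001 -Gid 10001
Get-NfsUnmappedUsers | Format-Table -AutoSize
```

The client caches lookups, so after setting the attributes either wait for the cache to expire or restart the Client for NFS service before retesting the share.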



Unable to find import-module ADDSDeployment - Local Account


I meant to only install management tools for Active Directory but Server Manager keeps prompting to promote the Server. 

Found the answer on this forum:

1. First install the ADDS module on the server.

2. Import-Module ADDSDeployment

3. Then run Uninstall-WindowsFeature AD-Domain-Services

Schoolboy error, and I made matters spectacularly worse, as I installed the ADDS module using a local account in error.

When I now run 'Import-Module ADDSDeployment', though, PowerShell grumbles that it's unable to find the cmdlet. PowerShell confirms ADDS is installed. How do I get PowerShell to find the cmdlet?


LDAP automation error -2147463155 8000500d trying to update AD from Excel VBA


AD on Win 2012 R2

I'm working in an isolated sandbox with a test AD server and a Win 7 workstation running Office 2013. I am new to AD and LDAP, but quite proficient in VB and VBA (and C# for that matter).

The automation error I get might have to do with an invalid LDAP reference. That's all I could dig up.
automation error -2147463155 8000500d

The overall objective is to update Active Directory fields using rows of user data in an Excel spreadsheet and VBA. I loop through each Excel Row and get the email address, and then I do a query through ADODB to get the ADsPath of a user with an AD query using email address which is unique:

    Dim conn As ADODB.Connection
    Dim cmd As ADODB.Command
    Dim rs As ADODB.Recordset
    Dim thisUser As Object
    Dim userDN As String
    Dim adEmail As String

    Set conn = New ADODB.Connection
    conn.Provider = "ADsDSOObject"
    conn.Open "Active Directory Provider"

    Set cmd = New ADODB.Command
    Set cmd.ActiveConnection = conn
    cmd.Properties("Page Size") = 1000
    cmd.Properties("Timeout") = 30
    cmd.Properties("Cache Results") = False
    cmd.Properties("Chase Referrals") = &H20 Or &H40
    ' ADO/ADSI command form: <search base>;(filter);attribute list;scope
    cmd.CommandText = "<LDAP://DC=mydc1,DC=mydc2>;(&(objectCategory=person)(objectClass=user)(mail=" & srcEmail & "));ADsPath;subtree"
    Set rs = cmd.Execute

    If rs.BOF And rs.EOF Then
        ' no AD record returned, so write out an error in the spreadsheet
        wsData.Cells(i, STATUS_COL) = NOTFOUND_ERR
    Else
        rs.MoveFirst
        userDN = rs.Fields(0).Value
        Set thisUser = GetObject(userDN)
        ' so far so good, the userDN was returned as follows, and the GetObject function threw no errors:
        ' LDAP://CN=mylastname\, Bill,OU=Users,OU=Information Services,OU=Finance,DC=mydc1,DC=mydc2

        ' Now comes the problem. IADs Put/Get take the attribute's lDAPDisplayName. The names used
        ' originally here, "Employee-Number" and "email", are not lDAPDisplayNames (they are
        ' employeeNumber and mail), and an unknown name raises 0x8000500D, E_ADS_PROPERTY_NOT_FOUND,
        ' which is the automation error reported above.
        thisUser.Put "employeeNumber", CStr(wsData.Cells(i, SRC_EMPLOYEEID_COL).Value)
        ' read as a sanity check that the object is usable at all
        adEmail = thisUser.Get("mail")
        thisUser.SetInfo          ' writes the cached change back to the directory
    End If

    rs.Close
    conn.Close

I am at a loss given the fact that the query to return the AdsPath works fine, but it seems the path it returns is invalid.

Thanks in advance for your help.

Bill


Child domain to Root domain

My company has domain controllers (Root and Child) and a few servers and workstations.
Under the child domain there are 500 users.
Both DCs are running Windows 2008 R2.
Root Domain: example: test.com (DC1.test.com)

Child Domain: flower.test.com (DC2.flower.test.com)

I accidentally crashed DC1.test.com and I am left with the child domain now.

Is there any way I can make the child domain a new root domain?

Also I need to make an additional domain controller for this child domain.

Active Directory Design, Implementation and Management


Team,

Our organisation hosts Active Directory (xyz.com) and a business application at a third-party DC, and users log in and access the application from different sites through the WAN. Now our organisation plans to install AD on an on-premises DC so that users get authenticated locally. For a successful migration, please let me know the tools required for user and AD object migration, and also for migrating profiles to the on-premises AD.

AD Server Hardening and Patching


Dear Experts,

Need some advice. I have 2 Windows 2008 DCs that are replicating with one another. Both servers are running DHCP as well, with different scopes serving different user segments. However, I need to harden and patch the DCs one at a time. My concern is how we can prevent downtime for users because of DHCP, or whether downtime is preferred, etc. Could you guys propose a better approach? Thanks

recommendation on AD structure


Looking for some advice on how best to structure our active directory.

Our company is split into a number of regional companies (e.g. Europe, Americas, Africa, Asia, etc.) with a single (global) parent company. The parent company only partly owns each of the regional companies.

The regional companies are basically autonomous and each runs its own IT support operation. However, they are all part of the same (single) AD domain and forest. There are around 30 DCs around the world.

The problem we are having now is security, as there are over 30 domain admin accounts around the world. If a domain admin account were compromised in Africa, it would have implications in all the other sites.

I'd be interested to hear what the recommended structure should be. Should we create a number of regional sub-domains and set up appropriate trusts?

I appreciate any advice.

ALG

Installing gMSA on a server without AD cmdlets


I created a managed server account and gave "SERVER1$" rights to retrieve the password. I then tried to install the service account on server1, only to find that the command requires the active directory cmdlets. No problem, I thought! I imported a session from a random domain controller:


$ActiveDirectorySession = New-PSSession -ComputerName DC01
Invoke-Command -Session $ActiveDirectorySession -ScriptBlock {Import-Module ActiveDirectory}
Import-PSSession $ActiveDirectorySession -Module ActiveDirectory

Then I tried to run the install command:

Install-AdServiceAccount -Identity Server1MSA

But it failed!


Cannot install service account. Error Message: '{Access Denied}
A process has requested access to an object, but has not been granted those access rights.'.
    + CategoryInfo          : WriteError: (Server1MSA:String) [Install-ADServiceAccount], ADException
    + FullyQualifiedErrorId : InstallADServiceAccount:PerformOperation:InstallServiceAcccountFailure,Microsoft.ActiveDir
   ectory.Management.Commands.InstallADServiceAccount
    + PSComputerName        : DC01
 

Initially I thought that I hadn't granted the permissions correctly, but then I saw the problem:

    + PSComputerName        : DC01

Because I imported the cmdlets, the command of course runs on DC01.  So, how am I supposed to install a gMSA for a computer that doesn't have the AD cmdlets? I'm REALLY not in favour of installing the AD module on all my servers, and even if I install and later uninstall the cmdlets, would that suddenly make them break?
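An added example, not from the post: Install-ADServiceAccount has to execute on the computer that will use the account, because what it does is have that computer's LSA retrieve and cache the managed password, which the access check in the error above is about (DC01 is not in the account's allowed principals, SERVER1$ is). The AD cmdlets are a feature, not a domain controller role, so the script below (the example's own, assuming Windows Server 2012 or later on the target host) installs just the RSAT-AD-PowerShell feature locally, confirms the host is actually allowed to retrieve the password, then installs and tests the account.

```powershell
# Added example, not the poster's code: run this ON the host that will use the gMSA (SERVER1), not on a DC.
function Install-LocalGmsa {
    param([Parameter(Mandatory = $true)][string]$AccountName)   # e.g. Server1MSA

    # Cmdlets only; this does not promote anything. Remove-WindowsFeature later does not
    # uninstall the account, the password is already cached by LSA once installed.
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
        Install-WindowsFeature -Name RSAT-AD-PowerShell | Out-Null
    }
    Import-Module ActiveDirectory

    # Verify this computer may retrieve the password before asking LSA to do it.
    $me      = Get-ADComputer -Identity $env:COMPUTERNAME -Properties memberOf
    $msa     = Get-ADServiceAccount -Identity $AccountName -Properties PrincipalsAllowedToRetrieveManagedPassword
    $allowed = @($msa.PrincipalsAllowedToRetrieveManagedPassword)   # distinguished names
    $direct  = $allowed -contains $me.DistinguishedName
    $viaGrp  = @($allowed | Where-Object { $me.memberOf -contains $_ }).Count -gt 0
    if (-not ($direct -or $viaGrp)) {
        throw "$($me.Name) is not in PrincipalsAllowedToRetrieveManagedPassword of $AccountName"
    }
    if ($viaGrp -and -not $direct) {
        Write-Warning 'Access is via group membership; the computer must have rebooted since it was added to the group.'
    }

    Install-ADServiceAccount -Identity $AccountName
    # True when this host can retrieve the password; this is the check to repeat after patching or rebuilds.
    Test-ADServiceAccount -Identity $AccountName
}

Install-LocalGmsa -AccountName 'Server1MSA'
```

The group-membership warning is there because a computer's access to the managed password is evaluated from its Kerberos ticket, which only reflects new group memberships after the computer has rebooted (or otherwise renewed its ticket).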

How many user are connected to a DC ?


Hi Experts,

 

Good day,

 

How can we see how many users & computers are being authenticated to a particular DC? Is there any command that can extract the current details of the users who are authenticated?

 

Cheers
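An added example, not from the post: a domain controller does not keep a session table of "connected" users, but it does log every authentication it services, as Security event 4768 (Kerberos TGT request) and 4776 (NTLM credential validation), provided the "Audit Kerberos Authentication Service" and "Audit Credential Validation" subcategories are enabled. The function below, which is the example's own, reads those events for a time window and counts distinct user and computer accounts, plus failures.

```powershell
# Added example, not the poster's code: summarise who a DC authenticated in the last N hours.
function Get-DcAuthenticationSummary {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 1)

    $filter = @{ LogName = 'Security'; Id = 4768, 4776; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop

    $rows = foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($e.Id -eq 4768) {
            [pscustomobject]@{ Protocol = 'Kerberos'; Account = $data['TargetUserName']; Client = $data['IpAddress'];   Status = $data['Status'] }
        } else {
            [pscustomobject]@{ Protocol = 'NTLM';     Account = $data['TargetUserName']; Client = $data['Workstation']; Status = $data['Status'] }
        }
    }

    $ok = @($rows | Where-Object { $_.Status -eq '0x0' })
    [pscustomobject]@{
        DC              = $ComputerName
        WindowHours     = $Hours
        UniqueUsers     = @($ok | Where-Object { $_.Account -notlike '*$' } | Sort-Object Account -Unique).Count
        UniqueComputers = @($ok | Where-Object { $_.Account -like '*$' }    | Sort-Object Account -Unique).Count
        KerberosEvents  = @($rows | Where-Object { $_.Protocol -eq 'Kerberos' }).Count
        NtlmEvents      = @($rows | Where-Object { $_.Protocol -eq 'NTLM' }).Count
        Failures        = @($rows | Where-Object { $_.Status -ne '0x0' }).Count
        Detail          = $rows     # keep per-event rows for drilling into failures or client addresses
    }
}

$summary = Get-DcAuthenticationSummary -ComputerName 'DC01' -Hours 1
$summary | Select-Object DC, WindowHours, UniqueUsers, UniqueComputers, KerberosEvents, NtlmEvents, Failures
$summary.Detail | Where-Object { $_.Status -ne '0x0' } | Group-Object Account | Sort-Object Count -Descending | Select-Object -First 10
```

The failure breakdown at the end is the part worth keeping an eye on routinely: a single account failing from many clients, or many accounts failing from one client, is how password spraying shows up in these two event IDs.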


Should I enable the Computer Browser Service?

I have two Server 2012 DCs, a physical and a virtual.  Should I enable the Computer Browser service on these DCs?  I read some posts that suggest doing it but what is best practice these days?

Active Directory Default Language can change?


Hi All,

When Active Directory was created the first time, it was created in the Turkish language. But this causes some different installation problems (I couldn't find the problem's main reason, so I'm thinking about the first directory services language). However, I want to change the default language to English. Is it possible to change it?

Thank you


Please click "Vote As Helpful" if it is helpful for you and "Propose as Answer"

Can't add 2012r2 as member server of a 2003 domain


Hi everyone, and thanks in advance for your help.

I have a 2003 domain (DDL and FFL = 2, previously 1) with two DCs, both 2003, static IP (only IPv4), DNS pointing to itself on each one.

When I try to add a 2012 R2 server to the domain, this message pops up:

"An Active Directory Domain Controller (AD DC) for the domain “mdq.quarters.xxxxxx.com” could not be contacted"

DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain "mdq.quarters.xxxxxx.com":
The query was for the SRV record for _ldap._tcp.dc._msdcs.mdq.quarters.xxxxx.com
The following domain controllers were identified by the query:
cliper.mdq.quarters.xxxxxx.com
cliper3.mdq.quarters.xxxxxx.com
However no domain controllers could be contacted.
Common causes of this error include:
- Host (A) or (AAAA) records that map the names of the domain controllers to their IP addresses are missing or contain incorrect addresses.
- Domain controllers registered in DNS are not connected to the network or are not running.

The 2012 server's DNS points to cliper's IP and I can ping any DC on the domain by FQDN with no problem.

I've checked with portqry the ports required by AD, and all looks fine; I can connect to all ports on both DCs.

All three servers are connected to the same switch.

DCdiag on both DCs does not show any errors (I ran dcdiag /V /C /D /E /s:cliper.mdq.quarters.xxxxxx.com and dcdiag /e /v /test:dns).
repadmin /replsummary doesn't show any errors either.

I've searched a lot, and I've tried and tested a lot too, and now I've really run out of ideas.

Any one have a clue please? I'm really desperate :-(

Diego
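An added example, not from the post: the join error lists its own two usual causes, wrong or missing A records for the DCs the SRV query returned, and DCs not reachable on the ports the locator and join need. This function, the example's own and run from the 2012 R2 member (Resolve-DnsName and Test-NetConnection exist there), does exactly the sequence the error message describes: query the `_ldap._tcp.dc._msdcs` SRV record against the DNS server the client is actually using, resolve each returned DC to its A record, and test the TCP ports the join depends on, so the result shows which step breaks. The domain name is a placeholder for the real one.

```powershell
# Added example, not the poster's code: replay the DC locator's DNS steps and check reachability.
function Test-DcReachability {
    param([Parameter(Mandatory = $true)][string]$Domain,
          [string]$DnsServer,                                   # defaults to the client's configured DNS
          [int[]]$Ports = 53, 88, 135, 389, 445, 464, 636, 3268)

    $q = @{ Name = "_ldap._tcp.dc._msdcs.$Domain"; Type = 'SRV'; ErrorAction = 'Stop' }
    if ($DnsServer) { $q.Server = $DnsServer }
    $srv = @(Resolve-DnsName @q | Where-Object { $_.Type -eq 'SRV' })
    if (-not $srv) { throw "No SRV records for $($q.Name)" }

    foreach ($rec in $srv) {
        $dc = $rec.NameTarget
        $a  = @(Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'A' })
        if (-not $a) {
            [pscustomobject]@{ DC = $dc; Address = '(no A record)'; Port = $null; Open = $false }
            continue
        }
        foreach ($port in $Ports) {
            $t = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{ DC = $dc; Address = ($a.IPAddress -join ','); Port = $port; Open = $t.TcpTestSucceeded }
        }
    }
}

Test-DcReachability -Domain 'mdq.quarters.example.com' |
    Format-Table DC, Address, Port, Open -AutoSize
```

Compare the Address column with the IPs the DCs really have; a stale A record for a DC that was re-addressed satisfies ping-by-FQDN tests only if the name happens to resolve to a live host. The join also needs the RPC dynamic port range (49152-65535 on 2008 and later) open to the DCs, which a fixed port list cannot cover; nltest /dsgetdc:<domain> /force from the member is the quickest check that the locator itself succeeds.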

2012 Domain controller with same name


Hi,

I am getting ready to introduce a new 2012 domain controller. I want to keep the same name and IP for DNS, and in case some applications are using the name of the server instead of the FQDN for AD-authenticated applications.

This is what I am attempting to do.

The functional level at the forest and domain is 2003; is it best to move it to 2008 R2 before performing these steps?

1. Build temp VM and dcpromo this server with DNS

2. Swap primary DNS and temp DNS ip address ( so temp ip has the primary ip dns.)

3. transfer FSMO roles off server to a different DC

4. DCPROMO old 2008 r2 DC back to member server

5. Remove the server from the domain (clean up; check for anything in Sites and Services and ntdsutil for that name)

6. rename 2012 server as same name

7. Add ADDS role and promote to domain controller

8.  Swap IP with temp Server

9.  DCPROMO the temp 2008 VM and remove the server
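An added example, not from the post, covering steps 3, 5 and 6 above: before the old name is reused, the retiring DC must hold no FSMO roles and must have left no server object under Sites, no computer account and no DNS A record behind, otherwise the new 2012 DC inherits stale metadata under its own name. This function, the example's own, reports exactly those items along with the current domain and forest modes (relevant to the functional-level question); the placeholder names stand in for the real servers.

```powershell
# Added example, not the poster's code: pre-flight for retiring a DC whose name will be reused.
Import-Module ActiveDirectory

function Get-DcRetirementPreflight {
    param([Parameter(Mandatory = $true)][string]$DcName)    # short host name of the DC being replaced

    $forest = Get-ADForest
    $domain = Get-ADDomain
    $cfg    = (Get-ADRootDSE).configurationNamingContext

    # Step 3: which FSMO roles does the retiring DC still hold?
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    $held = @($roles.GetEnumerator() |
              Where-Object { ($_.Value -split '\.')[0] -ieq $DcName } |
              ForEach-Object { $_.Key })

    # Steps 5 and 6: leftovers that would collide with reusing the name.
    $siteServer = Get-ADObject -LDAPFilter "(&(objectClass=server)(cn=$DcName))" -SearchBase "CN=Sites,$cfg"
    $computer   = Get-ADComputer -LDAPFilter "(cn=$DcName)"
    $dnsA       = Resolve-DnsName -Name "$DcName.$($domain.DNSRoot)" -Type A -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DomainMode          = $domain.DomainMode
        ForestMode          = $forest.ForestMode
        RolesStillHeld      = if ($held) { $held -join ', ' } else { '(none)' }
        SiteServerObject    = [bool]$siteServer      # must be gone before step 6 (ntdsutil metadata cleanup if demotion failed)
        ComputerAccount     = [bool]$computer        # must be gone before step 6
        DnsARecord          = [bool]$dnsA            # must be gone or repointed before step 7
        ReadyForNameReuse   = (-not $held) -and -not $siteServer -and -not $computer -and -not $dnsA
    }
}

# Step 3, moving roles the old DC still holds (target DC name is a placeholder):
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster
Get-DcRetirementPreflight -DcName 'OLDDC' | Format-List
```

Run it once before step 4 (to see what still has to move) and again after step 5; ReadyForNameReuse should be true before the 2012 server is renamed.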

Using CA of another forest - in 2 way trust


Our AD is as follows: 2 forests, A and B. Under Forest A I have 1 tree domain, A1. There is a 2-way forest trust between A and B.

There exists an Enterprise root CA in Forest A and a Subordinate CA in tree domain A1. My requirements are:

1. Machines/users under Forest B should be able to get certificates from subordinate CA in tree domain A1. Is this possible technically?

2. To make it possible what are the configurations to be done in both forests?
