Channel: Directory Services forum
Viewing all 31638 articles

Event ID: 13575; File Replication Service (NtFrs)


Dear All

I have the following error, event ID 13575.

This domain controller has migrated to using the DFS Replication service to replicate the SYSVOL share. Use of the File Replication Service for replication of non-SYSVOL content sets has been deprecated and therefore, the service has been stopped. The DFS Replication service is recommended for replication of folders, the SYSVOL share on domain controllers and DFS link targets.

Network Structure:

One server, Windows Server 2012 R2 Standard, has the DC, AD, DNS, DHCP and File and Storage Services roles (not the file server).

This error appears after a dirty shutdown.

The SYSVOL is shared via net share.

How do I fix it?



Query on AD 2016 Expiring Links feature


Hi,

Active Directory 2016 introduces a new feature, Expiring Links, which allows time-based memberships. I am able to add time-based memberships using PowerShell. Here is the command to perform the same:

$ttl = New-TimeSpan -Hours 2
Add-ADGroupMember -Identity 'Domain Admins' -Members "CN=newuser1,CN=Users,DC=AD2016,DC=com" -MemberTimeToLive $ttl

This doesn't work when I run the commands using a remote PowerShell on Windows 2008 or 2012, as the earlier versions do not have the option '-MemberTimeToLive'.

1. If I have to use this feature using remote PowerShell on earlier versions, how can I do it? Do I need to install anything for this?

2. Is this feature supported through the LDAP interface? If yes, how can the time limit be specified?

Thanks in advance.

ishwar
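As an added illustration that is not part of the original post: the same time-limited membership can be written directly over LDAP, where an expiring link is expressed as the member DN prefixed with <TTL=seconds,...>, which sidesteps the missing -MemberTimeToLive parameter on older RSAT builds. It assumes a forest at the 2016 functional level with the Privileged Access Management optional feature enabled, the group and user DNs from the command above, and dc01.ad2016.com as a placeholder domain controller name.

```powershell
# Added example (not the original poster's code). Assumes the Privileged Access
# Management optional feature is enabled and dc01.ad2016.com is a placeholder DC.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$dc       = 'dc01.ad2016.com'                                  # placeholder DC
$groupDn  = 'CN=Domain Admins,CN=Users,DC=AD2016,DC=com'
$memberDn = 'CN=newuser1,CN=Users,DC=AD2016,DC=com'
$ttlSecs  = [int](New-TimeSpan -Hours 2).TotalSeconds          # 7200

# An expiring link is written as the DN wrapped in <TTL=seconds,DN>.
# The DC stores the expiry and removes the member when it elapses.
$ttlValue = "<TTL=$ttlSecs,$memberDn>"

# Bind with the current credentials; sign and seal the session so the
# membership change is neither tampered with nor visible on the wire.
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($dc)
$conn.SessionOptions.Signing = $true
$conn.SessionOptions.Sealing = $true
$conn.Bind()

# Add a single value to the group's 'member' attribute.
$mod = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$mod.Name      = 'member'
$mod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Add
[void]$mod.Add($ttlValue)

$req  = New-Object System.DirectoryServices.Protocols.ModifyRequest($groupDn, $mod)
$resp = $conn.SendRequest($req)

"Modify result for $groupDn : $($resp.ResultCode)"   # Success when the TTL was accepted
$conn.Dispose()
```

Without the optional feature enabled the DC rejects the <TTL=...> form as an invalid DN, so that result code is the first thing to check when the add fails.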

Massive file error events and VSS issues (only with AD DS server)


I'm posting this in the DS section because this is only happening to my AD server and the exact same problems followed to a brand new AD server I just setup.

So to start, my AD server, let's call it AD1, started to randomly lock up.  This is a VM btw, host is Server 2012 and the AD server is 2012 as well.  The VM couldn't be shut down, turned off, nor could I kill the process running the VM.  I would have to restart the host and wait a good 15 minutes for it to get through "shutting down HV services".  The Application error logs show a trail of EventIDs 508, 531, 533:

lsass (544) The database engine attempted a clean write operation on page 123 of database C:\Windows\NTDS\ntds.dit. This action was performed in an attempt to correct a previous problem reading from the page.

As well as a bunch of 2000 range IDs regarding VSS freezes:

lsass (544) Shadow copy instance 3 freeze started.

Then from what I can tell this is the nail in the coffin, EventID 8193:

Volume Shadow Copy Service error: Unexpected error calling routine RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...).  hr = 0x80070005, Access is denied.

Operation:
   Initializing Writer

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {10add81e-ea1f-4829-9890-eea6c305ada3}

After a few days of trying to get this squared away and failing miserably I set up a new VM, let's call it AD2.  Installed Server 2012, AD DS, DFS, migrated everything over, it's also running DHCP, changed all clients to the new DNS, demoted AD1, removed AD1, deleted AD1.  For 24 hours everything ran great, no problems.  This new VM is also on a different host.  Then out of nowhere, all these exact same EventIDs started popping up and this new VM now locks up.

I'm at a loss at this point.  The host isn't the issue, the hardware isn't the issue (many other VMs on both hosts running fine, both hosts at 40% resources used, HP Servers Gen7).  New VM, new VHD, new install.  The only other piece of software on this server is System Center Endpoint Protection.  I have %systemroot%\ntds\ntds.dit excluded site wide from the antivirus engine.

Regarding the ESENT IDs reporting write errors, these are all the listed files with issues:

lsass - ntds.dit
svchost - svc.log

This EventID is new on the new server (AD2), I never saw this on AD1:

lsass (544) The database cache size maintenance task has taken 239 seconds without completing. This may result in severe performance degradation. Current cache size is 41 buffers above the configured cache limit (111 percent of target). Cache size maintenance evicted 0 buffers, made 1 flush attempts, and successfully flushed 0 buffers. It has run 32977 times since maintenance was triggered.

This server is fully updated.  I used ntdsutil to perform a file integrity check as well as a semantic database analysis and both checked out fine.

Hopefully someone can help me out here and point me in some diag directions that I've missed.  I would greatly appreciate any help!

WAP - Unable to establish a trust relationship


Hi all,

Having a problem with my WAP server. I've configured ADFS and installed the relevant SSL certificate for fs.mywebsite.co.uk.

When attempting to run the WAP Configuration Wizard, I enter the relevant server details and select the SSL certificate, however when it runs, I receive a message saying "An error occurred when attempting to establish a trust relationship with the federation service. Error: Service unavailable". What could this be?

All Servers are 2012 R2.

Kind regards,

Tom


Metadata cleanup of DC which is already deleted from AD Sites.


Hi,

How do I clean up a DC which was NOT gracefully demoted, but has already been deleted from AD Sites?
Any KBs?

As far as I know, metadata cleanup will only detect the DCs which are found in AD Sites.


Thank you,
Subhash

Powershell to update "Manager can update membership list" of AD Group.


I have read many articles about scripting the enabling of "Manager can update membership list" on an AD group, and I also wrote the script below; I think it should be fine to run.

After debugging, I get "access is denied" during the last Set-Acl.

My ID has admin rights on the domain sub-OU (the one the group resides in), but not for all domain OUs.

I think the error is because:

1. Get-Acl returns many super admin IDs.

2. When the ACL is modified in memory, Set-Acl then re-writes it to the group.  The problem is I don't have rights to write those super admin IDs.

In fact, I just want to update, not re-write the whole ACL.

Any solution for me?  I think if run by an enterprise admin, it should work fine.

Import-Module ActiveDirectory

# Text file with one group name per line
$GroupList = "D:\Work\GroupNameList.txt"

# Schema GUID of the 'member' attribute: the rule grants WriteProperty on that attribute only
$GUID   = [System.Guid] 'bf9679c0-0de6-11d0-a285-00aa003049e2'
$SID    = (Get-ADGroup "AdminDL-Group Admin" -Properties SID).SID
$CTRL   = [System.Security.AccessControl.AccessControlType]::Allow
$Rights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$inType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
$Rule   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($SID, $Rights, $CTRL, $GUID, $inType)

Get-Content $GroupList | ForEach-Object {
    # Look the group up once; quote the path because group DNs can contain spaces
    $dn  = (Get-ADGroup $_).DistinguishedName
    $acl = Get-Acl -Path "AD:$dn"
    $acl.AddAccessRule($Rule)
    Set-Acl -AclObject $acl -Path "AD:$dn"
}

Set-Acl : Access is denied
At D:\work\UpdatingGroupManager.ps1:16 char:40
+                                 set-acl <<<<  -aclobject $acl -Path AD:$((Get-ADGroup $_ ).DistinguishedName)
    + CategoryInfo          : PermissionDenied: (CN=D4701R...S,DCC,DC=com:String) [Set-Acl], UnauthorizedAcce
   ssException
    + FullyQualifiedErrorId : ADProvider:SetSecurityDescriptor:AccessDenied,Microsoft.PowerShell.Commands.SetAclComman
   d


夏天

Permission Behavior


Hi,

I have created user shares on Server 2012 R2 in an AD DS environment. The user share holds users' home drives; end users have access to their home drives and administrators have access via the Domain Admins group.

So the share NTFS permissions look something like this:

https://i.imgur.com/f45h15C.png

When I try to access a user folder (home drive) underneath the root share, I get the following warning:

https://i.imgur.com/9N2iNCr.png

I need to click Continue to access it, and doing so adds my logon account to the ACL with full access.

https://i.imgur.com/W3AMcaS.png

Although my account is a member of the Domain Admins group, why am I getting the prompt, and why is my logon ID then granted full access to the folder?

Do you notice anything wrong with the permissions?


Regards, Navdeep


SmartCard Login w/ Multiple Forests - What should sign KDC Certs?


I have a Domain A in Forest A issuing smart card credentials.  I have another domain B in Forest B that is used for demonstration purposes to demonstrate smart card logon.  We use the credentials issued by Domain A to log in to Domain B by using name mapping.  We have a third domain C that is production for internal use.  Smart card logon works when the KDC certificates issued to domain controllers in Domain B are signed by Domain A.  If signing with Domain C, smart card logon does not work for the user we are attempting, although the certutil -dcinfo verify command shows a KDC certificate and no other issues.

Summary...

3 Domains in 3 Separate Forests

Domain A issues Smart Cards

Domain B uses those credentials to login using Name Mapping

Domain C signs KDC certificates and users cannot log on

Domain A signs KDC certificates and users can log on

In a multiple-CA environment with multiple forests, is there a requirement dictating which domain's or forest's CA must sign the KDC certificate for domain controllers?


DNS query for SQL server assigns different IP address


We have SQL Server on a Windows 2012 physical server and we assigned 2 IP addresses to SQL-LSP-01.

1- 192.168.x.x

2 - 192.168.x.x

The first IP resolves to the hostname but the second one does not.

Please suggest where to change this in DNS and which entry should be created, host or A?

Thanks

File servers files become read-only mode after Change the client PC logon server to new AD server


Hi,

I'm kind of new to the Windows Active Directory environment. Recently in my company a project has been initiated to replace the existing Active Directory on Windows 2008 R2 with Windows 2012 R2.

Initially we had two DC servers (srv1 and srv2) installed with Windows 2008 R2, and srv1 is the PDC. Now as part of the project we have added two new DCs (srv3 and srv4) installed with Windows 2012 R2 to our AD environment. Now we have 4 DCs, 2x Windows 2008 and 2x Windows 2012. After adding the new DCs (Windows 2012) we started encountering an issue with our CIFS file server files. The issue: if the client PC's logon server is srv1 or srv2, then the CIFS files are accessible as per the ACL, but if the client PC's logon server is srv3 or srv4 (the NEW Windows 2012 DCs), then the CIFS files on the file server become read-only and no write operation is possible, even though the ACL permits it.

I have gone through many sites but couldn't find any solution regarding this. As the project deadline is pretty near and I'm kind of new to the Windows AD environment, it would be appreciated if somebody could help on this.

Migrated Computer with ADMT 3.2 does not apply target domain computer configuration GPO but source domain GPO


Hi,

After migrating user and computer accounts with ADMT 3.2 from AD DS 2003 (W2K3 domain and forest functional level) to AD DS 2012 R2 (W2K12 R2 domain and forest functional level) without SID history, the computers do not apply the new target domain GPOs, but the old source domain GPOs.

When I ran Group Policy Results from the gpmc.msc console, it shows the following in the computer configuration:

Computer name: olddomain\MyComputer
Domain: olddomain.local
Site: DOLDDOMAIN

In general the Group Policy Results show that I'm consulting newdomain\myMigratedUser on olddomain\MyMigratedComputer.

So could you help me understand why the GPO is applying the user configuration correctly and failing for the computer configuration? It appears that the new domain can't recognize the migrated computer as being in the new domain; it still recognizes the migrated computer as if it were in the old domain.

Thank you so much for your help.


DNS Forwarding settings


Hi, I have two forests with four domain controllers, two each, one principal and one replica. I have a bidirectional forest trust between the two forests, and I have created DNS stub zones between the Active Directories so each forest can resolve the other one.

Now, my question is about the Forwarders tab located on each of the four domain controllers: what should I put there?

Right now I have something like this:

DC1.mycompany.com: The DNS servers of my Public DNS provider/ISP

DC2.mycompany.com: The same as above

DC1.newcompany.com: Nothing

DC2.newcompany.com: The ip address of DC1.newcompany.com

What should the correct settings be for each of the four DCs?

Thank you

Dual User Passwords, A Master Password.. not sure how to explain?

Hello All,

Please forgive me if I'm not as clear as I could be - I have been searching for information about my issue for a while on Google with little success. It seems as if no one has thought of, or implemented, a scenario like this - I'm surprised actually, because of the possible utility.

So, here's what I'm looking for: Is there a way to create in Active Directory either (a) a second password on an account or (b) a master password that allows the administrator to log in to that user's profile?

The obvious to me is that this might need a 3rd-party utility to do, but that's ok. My main interest in this is, as the IT administrator, I handle a number of clients and, as such, cannot lose control/knowledge of users' passwords when I might need to configure something in the user's profile space. Having the user's password makes this process the most efficient - but the drawbacks are numerous, the biggest being my inability to use a number of the group policy based password policies. This also creates a lot of legwork.

There are a number of customer-designed applications that force me to configure them user-by-user... Not fun in a 100 user office where I have to either reset everyone's password, be there physically or know the password for them all. An admin nightmare.

There is certainly a security risk, but if this master password was the same as the admin's password, and changed accordingly, I don't see that much of an increased risk. This also allows me, the admin, not to need the user's password.

Any thoughts?

2 AD servers. How do I change preferred server per subnet?


I have a WAN of 4 subnetworks, two are geographically close, the other two at either end of the country.

I have a single domain with two AD servers, one AD server geographically "in the middle"  of the country and another "at the far end".

At the moment the "far end" AD server is advertising itself as the preferred server to all requests and causing problems with latency for clients "in the middle" and at "the other end".

How do I make it so that the "middle" server is the preferred server for the geographically closest subnets, and the "far end" server handles "far end" clients?

Windows Server 2008 Active Directory - Accounts get continuously locked after password expiration


Hi. I have two servers with Windows Server 2008. For example AD-1 (FSMO) and AD-2 (slave).

Both are GCs (Global Catalog) in the same domain. The level of the domain is 2008.

Since two days ago, every account whose password expires gets blocked by Directory Services.

In the blocked account I found in the Event Viewer, in the Directory Services log, this warning (after some hours or a "gpupdate"):

--------------------------------------------------------------------------------------------------------------------------------------------------

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          "time"
Event ID:      1955
Task Category: Replication
Level:         Information
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      AD-1(master)
Description:
Active Directory Domain Services encountered a write conflict when applying replicated changes to the following object.

object: CN=DOMAIN..etc.etc.. "User"..

Event log entries preceding this entry will indicate whether or not the update was accepted.
 

A write conflict can be caused by simultaneous changes to the same object or simultaneous changes to other objects that have attributes referencing this object. This commonly occurs when the object represents a large group with many members, and the functional level of the forest is set to Windows 2000. This conflict triggered additional retries of the update. If the system appears slow, it could be because replication of these changes is occurring.

 ---------------------------------------------------------------------------------------------------------------------------------------------------------

If you unlock the account it gets blocked after 4 or 5 minutes. Without reason. I didn't see any "access failed attempts" in any AD or Exchange server. Even when the user is not logged in or using any service.

I did a 'dcdiag /v' and didn't find anything. The replication simply works fine. I tried to create a .txt file in the sysvol directory, with instant replication. I have discarded an NTDS problem... Even did an ntdsutil metadata cleanup.

------------------------------------------------------------------Also I have this.....rare----------------------------------------------------

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          7/4/2016 10:54:24 AM
Event ID:      2887
Task Category: LDAP Interface
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      AD-1
Description:

During the previous 24 hour period, some clients attempted to perform LDAP binds that were either:
(1) A SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or
(2) A LDAP simple bind that was performed on a cleartext (non-SSL/TLS-encrypted) connection
 
This directory server is not currently configured to reject such binds.  The security of this directory server can be significantly enhanced by configuring the server to reject such binds.  For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.
 
Summary information on the number of these binds received within the past 24 hours is below.
 
You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind.  To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.
 
Number of simple binds performed without SSL/TLS: 19
Number of Negotiate/Kerberos/NTLM/Digest binds performed without signing: 0
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxxxx}" EventSourceName="NTDS LDAP" />
    <EventID Qualifiers="32768">2887</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>16</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="TIME" />
    <EventRecordID>9760</EventRecordID>
    <Correlation />
    <Execution ProcessID="788" ThreadID="972" />
    <Channel>Directory Service</Channel>
    <Computer>AD-2</Computer>
    <Security UserID="S-1-5-7" />
  </System>
  <EventData>
    <Data>19</Data>
    <Data>0</Data>
  </EventData>
</Event>




DNS Issues / Problems adding a PC to the domain


I'm unable to join a server to a domain.  I get the message:  DNS was successfully queried for service location (SRV) resource record used to locate a domain controller for domain "XYZ_A":

The query was for the SRV record for _ldap._tcp.dc._msdcs.XYZ_A

The following domain controllers were identified by the query:

DC1.XYZ_A

DC2.XYZ_A

However no domain controllers could be contacted.  Common causes of this error include:

-Host (A) or (AAAA) records that map the names of the domain controllers to their IP addresses are missing or contain incorrect addresses.

-Domain controllers registered in DNS are not connected to the network or are not running

---------------------------------

So here is what I'm able and not able to do from this server that I'm trying to join to the domain:

1.  I couldn't ping DC1 or DC2.  I could ping the FQDN DC1.XYZ_A though, so what I did is add a DNS suffix, and now I can ping DC1 or DC2 just fine.  I still get the same error when trying to add it to the domain though.

2.  I cannot ping the domain XYZ_A.  When I run nslookup XYZ_A it finds the domain controller but it says "can't find XYZ_A: Non-existent domain".

This server is a VM located in the cloud.  It is on a different network than the domain controller that I'm trying to contact.  The DNS server that I have in the IPv4 settings is the domain controller I'm trying to contact.  The DNS entries seem correct but I might be missing something.

Anyone have any suggestions?  

Active Directory sites and services, hub and spoke only


Hello, 

I've got an issue with the replication topology within my domain, which consists of 11 sites. Every domain controller's NTDS settings has automatically generated a connection to only one server, so it's running a hub and spoke topology. I want a full mesh replication topology and don't understand why I'm only getting hub and spoke.

The subnets have all been created and assigned to the right sites.

The Inter-Site Transports are all configured correctly as far as I can tell.

A DFS replication health report shows no errors. 

The DFS propagation report shows massive delays with replication: 5 out of 11 sites complete within a second and the others are left pending for a few minutes, with the Azure site taking nearly 3 days! I've put that down to the fact that the Azure site replicates with the incorrect site and not with the site I've configured in the Inter-Site Transport.

What can I do to ensure a full mesh replication topology? 

Thanks

Simon

Create new user in AD & Exchange Mailbox in On Premise using PowerShell


Hello

Using PowerShell I want to create a script for the following tasks:

1. Create an AD account and Exchange mailbox on-premises, sync the new AD object with the Azure cloud and assign a license.

2. Based on the new AD object's time stamp, I want the user mailbox migrated to the Office 365 cloud, with license assignment, litigation hold, etc.

3. Once creation is completed, an email should be triggered to the user or manager about the ID creation.

4. How to delete the AD object and recover the license?

5. Is it possible to put the Office 365 mailbox on in-place hold for eDiscovery using PowerShell?

Please advise

Avian

Active Directory for 2 Factor Authentication


Environment

Active Directory OS = 2008R2

Agenda

Our agenda is 2 factor authentication.

Query-1

We want a user to insert a password (one part of the password is the Active Directory password, plus one that they receive via SMS on their mobile phone).

Query-2

If query-1 is possible, then we also want to implement it only for those users who dial in (dial-up users).



Any comment will be appreciated. Thanks. Zahid Haseeb.

The specified domain either does not exist or could not be contacted


Hello,
I know there are a few topics like this, but I cannot find the same problem I'm facing.

I had a Win2003 DC which was working just fine. I installed a new Win2012 R2 server, promoted it as a new DC, moved all FSMO roles and kept both of them working. No problem so far.

Then I demoted (forceremoval) the old 2003 and now the domain seems not to exist anymore.

If I try to open AD Site and Services I get this error: 
"Naming information cannot be located because:
The specified domain either does not exist or could not be contacted.
Contact your system administrator to verify that your domain is properly configured and is currently online"

So I checked AD Domains and Trusts, similar error:
"The configuration information describing this enterprise is not available. The specified domain either does not exist or could not be contacted."

I also have errors in the event viewer:
"Active Directory Domain Services was unable to establish a connection with the global catalog.

 Additional Data 
Error value:
1355 The specified domain either does not exist or could not be contacted. 
Internal ID:
32013fa 

User Action: 
Make sure a global catalog is available in the forest, and is reachable from this domain controller. You may use the nltest utility to diagnose this problem.

If I open the AD Administrative Center I get this error:
"Cannot connect to any domain. Refresh or try again when connection is available"

Here I can find my domain:
SCAA (local) with a red mark as if it is not available and if I try to change the domain controller I get an error:
"Cannot find an available server in the SCAA domain that is running the Active Directory Web Service (ADWS)"

If I start Server Manager and try to add the Domain Controller role again, the option is greyed out because it is already installed.

Any help?

Thanks and BR,
M
