Some atributes of a user is shown as 0ADEL

This user was created in an old and PROPERLY decomissioned DC

the user was created in 2011 and the DC was PROPERLY decomissioned in 2015 (using sites and services and duble-chekced in NTDSUTIL/metadacluenaup procedure)

it´s ok, the user object to show a lot of 0ADEL strings in its attributes?

Loc.USN                           Originating DSA  Org.USN  Org.Time/Date        Ver Attribute

=======                           =============== ========= =============        === =========

  21984 SITENAME\OLD_DC_NAME\0ADEL:f06e23e5-604c-4fdf-a74c-c7e8abf7623a (deleted DSA)  16172698 2011-05-31 14:50:22    1 c

  21984 SITENAME\OLD_DC_NAME\0ADEL:f06e23e5-604c-4fdf-a74c-c7e8abf7623a (deleted DSA)  16172698 2011-05-31 14:50:22    1 l

  21984 SITENAME\OLD_DC_NAME\0ADEL:f06e23e5-604c-4fdf-a74c-c7e8abf7623a (deleted DSA)  16172698 2011-05-31 14:50:22    1 st

8939182 SITENAME\OLD_DC_NAME\0ADEL:f06e23e5-604c-4fdf-a74c-c7e8abf7623a (deleted DSA)  43550616 2013-11-11 17:41:04    2 description

  21984 SITENAME\OLD_DC_NAME\0ADEL:f06e23e5-604c-4fdf-a74c-c7e8abf7623a (deleted DSA)  15834170 2011-05-23 21:57:10    1 physicalDeliveryOfficeName

37552270 SITENAME\OLD_DC_NAME\0ADEL:f06e23e5-604c-4fdf-a74c-c7e8abf7623a (deleted DSA)  62673189 2016-01-29 17:39:16    3 userCertificate

  21984 SITENAME\OLD_DC_NAME\0ADEL:f06e23e5-604c-4fdf-a74c-c7e8abf7623a (deleted DSA)  15836301 2011-05-23 22:41:09    1 givenName

  21984 SITENAME\OLD_DC_NAME\0ADEL:f06e23e5-604c-4fdf-a74c-c7e8abf7623a (deleted DSA)  16172698 2011-05-31 14:50:22    1 co

  21984 SITENAME\OLD_DC_NAME\0ADEL:f06e23e5-604c-4fdf-a74c-c7e8abf7623a (deleted DSA)  16172698 2011-05-31 14:50:22    1 streetAddress

 185327 SITENAME\OLD_DC_NAME\0ADEL:f06e23e5-604c-4fdf-a74c-c7e8abf7623a (deleted DSA)  16898026 2011-06-17 16:18:49    3 nTSecurityDescriptor

  21984 SITENAME\OLD_DC_NAME\0ADEL:f06e23e5-604c-4fdf-a74c-c7e8abf7623a (deleted DSA)  13496333 2011-03-17 22:11:35    6 name

  21984 SITENAME\OLD_DC_NAME\0ADEL:f06e23e5-604c-4fdf-a74c-c7e8abf7623a (deleted DSA)  16172698 2011-05-31 14:50:22    2 countryCode

9330979 SITENAME\OLD_DC_NAME\0ADEL:f06e23e5-604c-4fdf-a74c-c7e8abf7623a (deleted DSA)  43742207 2013-11-25 11:06:25    2 homeDirectory

9330979 SITENAME\OLD_DC_NAME\0ADEL:f06e23e5-604c-4fdf-a74c-c7e8abf7623a (deleted DSA)  43742207 2013-11-25 11:06:25    2 homeDrive

  21984 SITENAME\OLD_DC_NAME\0ADEL:f06e23e5-604c-4fdf-a74c-c7e8abf7623a (deleted DSA)  10306098 2011-01-03 15:56:10    1 adminCount

24041797 SITENAME\OLD_DC_NAME\0ADEL:f06e23e5-604c-4fdf-a74c-c7e8abf7623a (deleted DSA)  53569439 2015-02-26 15:48:19    3 userPrincipalName

it´s ok, the user object to show a lot of 0ADEL strings in its attributes?

We are trying to build an API, which will accept User Active Directory Credentials and return them a SAML token. We have narrowed down to use usernameMixed Endpoint.

/adfs/services/trust/13/UsernameMixed

We like to add email as part of the response claim to this endpoint, currently only UPN is returned. Can you Please help me with details as to where we can configure it.

Thank you in Advance.

Hi,

I have promoted the new AD server DC02 ( Windows server 2012 R2) but getting error opening DNS that " Server could not be contacted. Error: DNS service is unavailable".

Even when I am trying to replicate from DC01 to DC02 from Site-Services NTDS setting I am getting error of

"

The following error occured during the attempt to synchronize naming context domain.com from dc01 to dc02: The replication operation was preempted. 
This operation will not continue."

And I am getting below events continuously id DC02

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          7/28/2016 4:17:36 AM
Event ID:      1925
Task Category: Knowledge Consistency Checker
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:     DC02.domain.com
Description:
The attempt to establish a replication link for the following writable directory partition failed. 

Directory partition: 
DC=DomainDnsZones,DC=domain,DC=com 
Source directory service: 
CN=NTDS Settings,CN=dc3-01,CN=Servers,CN=dc3,CN=Sites,CN=Configuration,DC=domain,DC=com 
Source directory service address: 
4f4ff36c-95a1-4999-8f24-b8304995fe62._msdcs.domain.com 
Intersite transport (if any): 
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=domain,DC=com  

This directory service will be unable to replicate with the source directory service until this problem is corrected. 

User Action 
Verify if the source directory service is accessible or network connectivity is available. 

Additional Data 
Error value: 
1722 The RPC server is unavailable.
------------------------------------------------------------------------------------------------------------------------------------------------------

Another Event is:

Log Name:      DNS Server
Source:        Microsoft-Windows-DNS-Server-Service
Date:          7/28/2016 4:21:19 AM
Event ID:      4013
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      DC02.domain.com
Description:
The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.

Regards,

Jitendra

I have 18 DCs in a highly-ditributed enviroment

Months ago we decomissioned (using sites and services and Ntdsutil for good measure) 2 DCs

On of the DCs still appears in NETDOM QUERY DC as alive!

There is no DNS record, it was removed on DCPROMO removal operation

There is no reference in WINS database (yes, i still use it)

Hello all,

First, the question:  Is there a way to exclude/isolate a particular computer from a cross-forest trust?

Now, the details:

I am working on a project to decommission an acquired domain.  Part of this is to change a user account in the acquired domain (we'll call it Domain2) that is hard-coded on developer computers to a new user in the primary domain (Domain1). The same Domain2\user is hard-coded on all developer boxes.  The computers themselves have already been migrated to Domain1.

Once I change the Domain2\user to the new Domain1\user on one machine, I need to be able to test functionality and see if I missed anythingwithout taking all of the developers down (hence, I can't just sever the trust, test, and add it back).  The ideal way I can think of - if possible - is to exclude a particular computer from partaking in the trust between Domain1 and Domain2. 

Does anyone know of a way to do this?  I was considering making fake hosts entries on the computer to "blackhole" all of the Domain2 DCs, but not sure if that would work.

Any ideas would be greatly appreciated.

Cheers!

I've 186 ADC.

In Replication it's using high bandwidth & the total utilization is approx 20 - 30 GB in a day.

I have an Amazon AWS simple directory service, just a "proxy" directory, so the AWS workspaces could be integrated to my AD/DC environment

But i´ve noticed that Amazon AWS does a DNS query for ldap SRV DNS records, choose one among my 18 DCs and connects, always changing. Amazon does not query using techniques like using sites or nothing related to subnet, just look for a simple SRV record QRecord: _ldap._tcp.DOMAIN_FQDN of type SRV on class Internet

But i have two DC replicas in the same network as AWS and i woul like to make sure Amazon AWS LDAP always connetc to the closest DCs

I think that changing SRV priority or other parameters will force everyone in the corp to use these records, if so, it´s not a good option

Hi All,

What are the challenges or issues or consideration to in place upgrade of domain controller from server 2012 to Server 2012 R2, in place upgrade is safe ?<o:p></o:p>

Please provide your thoughts on this query, it will really help me to take decision for domain controller upgrade.

<o:p>Thanks </o:p>

Variants of the following work for me, but once I add an IP-Address filter, it never fires: I am asked to MFA on the machine with IP 145.151.139.145. So what is wrong or how can I debug to see what the x-ms-client-ip is returning for a given call (logfile?) Any tips appreciated!

$RhtMfaClaimRule = 'NOT EXISTS([type =="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip", Value =~ "^(?i)81.151.139.145$"]) => add(type = "http://schemas.company.com/temp", value = "true" );
c1:[type == "http://schemas.company.com/temp"] &&
c2:[type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", value == "false"] => issue(type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", value = "http://schemas.microsoft.com/claims/multipleauthn" );'

Set-AdfsAdditionalAuthenticationRule $RhtMfaClaimRule

After hours of frustration i decided to post my question on the Microsoft forum. I'm hoping that someone can help me out.

I recently started a project to split our enormous fileservers into multiple smaller fileservers. Last week i tried to migrate our fileserver containing the homedirectorys of 3000 user account. It has 5 disks (1 disk per site). These disks needed to be equaly devided along 2 new fileservers.

To summarize our current DFS structure

Root DFS namespace: \\example.com\data\

• Fileserver (SERVER01) had 1 shared folder (HOME) containing multiple mountpoints (site1 / site2 / site3 /site 4 / site5)
• DFS folder target \\example.com\data\home pointing at \\SERVER01\Home

New situation

• From the DFS management console we deleted the old DFS namespace folder \\example.com\data\home and created a new folderwith the same name (no target attached to this folder)
• We then created multiple subdirectorys under \\example.com\data\home

It would look something like:

• \\example.com\data\home > no DFS folder target
• \\example.com\data\home\site1 > DFS folder target pointing to \\SERVER01\SITE01
• \\example.com\data\home\site2 > DFS folder target pointing to \\SERVER01\SITE02
• \\example.com\data\home\site3 > DFS folder target pointing to \\SERVER02\SITE03
• \\example.com\data\home\site4 > DFS folder target pointing to \\SERVER03\SITE04

Share- and NTFS permissions where the same as before.

After the migration our clients where not able to access the new DFS folder or subdirectorys \\example.com\data\home

When i renamed the 'Home' folder to something else eg \\example.com\data\testing it worked perfectly

Looked like some sort of caching was in the way so i waited about an hour or so and tested again, but still the same result.

Whats going on?

We are just wondering why there a user that automatically added on the Security Tab



Hello,

Looking to extend our On-Prem Active Directory domain into another DataCenter, or 'Cloud Provider'.  Firewalls will be open from the Cloud provider to our On-Prem Read/Write Domain Controllers, but we will also place an RODC on the floor to support 'work continuation' in the event the Wan link is lost and for better performance.

Is it generally acceptable to assign all the server subnets for servers which reside on the Cloud Provider floor to the RODC?  Any joins, etc will be handled by the On-Prem Read/Write DCs.  Also, if anyone can provide links to info specific to this topic, I'd appreciate it.

Thanks for your help! SdeDot

Hello,<o:p></o:p>

We are facing replication issue between to servers, both servers are in same sites.<o:p></o:p>

We are getting error like “There are no more endpoints available from the endpoint mapper, with code 1753. (0*6d9)”.<o:p></o:p>

Thanks in advance

I'm posting this in the DS section because this is only happening to my AD server and the exact same problems followed to a brand new AD server I just setup.

So to start, my AD server, lets call it AD1 started to randomly lock up.  This is a VM btw, host is Server 2012 and the AD server is 2012 as well.  The VM couldn't be shutdown, turned off nor could I kill the process running the VM.  I would have to restart the host and wait a good 15 minutes for it to get through "shutting down HV services".  The Application error logs show a trail of EventIDs 508, 531, 533:

lsass (544) The database engine attempted a clean write operation on page 123 of database C:\Windows\NTDS\ntds.dit. This action was performed in an attempt to correct a previous problem reading from the page.

As well as a bunch of 2000 range IDs regarding VSS freezes:

lsass (544) Shadow copy instance 3 freeze started.

Then from what I can tell this is the nail in the coffin, EventID 8193:

Volume Shadow Copy Service error: Unexpected error calling routine RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...).  hr = 0x80070005, Access is denied.
.

Operation:
   Initializing Writer

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {10add81e-ea1f-4829-9890-eea6c305ada3}

After a few days of trying to get this squared away and failing miserably I setup a new VM, lets call it AD2.  Installed Server 2012, AD DS, DFS, migrated everything over, it's also running DHCP, changed all clients to the new DNS, demoted AD1, removed AD1, deleted AD1.  For 24 hours everything ran great, no problems.  This new VM is also on a different host.  Then out of nowhere, all these exact same EventIDs started popping up and this new VM now locks up.

I'm at a loss at this point.  The host isn't the issue, the hardware isn't the issue (many other VMs on both hosts running fine, both hosts at 40% resources used, HP Servers Gen7).  New VM, new VHD, new install.  The only other piece of software on this server is System Center Endpoint Protection.  I have %systemroot%\ntds\ntds.dit excluded site wide from the antivirus engine.

Regarding the ESENT IDs reporting write errors these are all the listed files with issues:

lsass - ntds.dit
svchost - svc.log

This EventID is new on the new server (AD2), I never saw this on AD1:

lsass (544) The database cache size maintenance task has taken 239 seconds without completing. This may result in severe performance degradation. Current cache size is 41 buffers above the configured cache limit (111 percent of target). Cache size maintenance evicted 0 buffers, made 1 flush attempts, and successfully flushed 0 buffers. It has run 32977 times since maintenance was triggered.

This server is fully updated.  I used ntdsutil to perform a file integrity check as well as semantic database analysis and both checked out fine. 

Hopefully someone can help me out here and point me in some diag directions that I've missed.  I would greatly appreciate any help!

I am running a Server 2008R2 environment with a single domain controller (Once this issue is figured out, I will be adding a second domain controller).

I have found that every hour I get 3 events in the AD DS event log:

• Error 1126 - Error Value 1355: The specified domain either does not exist or could not be contacted.

• Warning 1655 - Error Value 5: Access is denied
• Information 1869

From what I have read with the events and related documents, is that this means my domain controller is having difficulties communicating with the global catalog. I have verified that this DC is set up to be a global catalog, so I can't figure out why it can't find a global catalog that it is itself hosting. 

I'm not sure if it is related, but I am also seeing Group Policy Error 1055 in event viewer, saying that processing of group policy failed because Windows could not resolve the computer name, also giving error code 5: Access is Denied.

ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : [DC1_Hostname]
   Primary Dns Suffix  . . . . . . . : [domain.local]
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : [domain.local]

Ethernet adapter Local Area Connection 4:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter #3
   Physical Address. . . . . . . . . : 00-50-56-A5-00-07
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::e013:a1f7:139c:9d5e%16(Preferred)
   IPv4 Address. . . . . . . . . . . : [DC1_IP](Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : [Subnets gateway]
   DHCPv6 IAID . . . . . . . . . . . : 318787670
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-4B-29-13-00-50-56-AD-6D-25
   DNS Servers . . . . . . . . . . . : [DC1_IP]
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{19C7C892-AE65-40E0-8117-38386472FD97}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

dcdiag

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = [DC1_Hostname]

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests


   Testing server: Default-First-Site-Name\[DC1_Hostname]

      Starting test: Connectivity

         ......................... [DC1_Hostname] passed test Connectivity



Doing primary tests


   Testing server: Default-First-Site-Name\[DC1_Hostname]

      Starting test: Advertising

         ......................... [DC1_Hostname] passed test Advertising

      Starting test: FrsEvent

         ......................... [DC1_Hostname] passed test FrsEvent

      Starting test: DFSREvent

         ......................... [DC1_Hostname] passed test DFSREvent

      Starting test: SysVolCheck

         ......................... [DC1_Hostname] passed test SysVolCheck

      Starting test: KccEvent

         A warning event occurred.  EventID: 0x80000677

            Time Generated: 07/28/2016   13:10:13

            Event String:

            Active Directory Domain Services attempted to communicate with the following global catalog and the attempts were unsuccessful.


         An error event occurred.  EventID: 0xC0000466

            Time Generated: 07/28/2016   13:10:13

            Event String:

            Active Directory Domain Services was unable to establish a connection with the global catalog.


         ......................... [DC1_Hostname] failed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... [DC1_Hostname] passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... [DC1_Hostname] passed test MachineAccount

      Starting test: NCSecDesc

         ......................... [DC1_Hostname] passed test NCSecDesc

      Starting test: NetLogons

         ......................... [DC1_Hostname] passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... [DC1_Hostname] passed test ObjectsReplicated

      Starting test: Replications

         ......................... [DC1_Hostname] passed test Replications

      Starting test: RidManager

         ......................... [DC1_Hostname] passed test RidManager

      Starting test: Services

         ......................... [DC1_Hostname] passed test Services

      Starting test: SystemLog

         An error event occurred.  EventID: 0x0000041F

            Time Generated: 07/28/2016   12:18:46

            Event String:

            The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:


         An error event occurred.  EventID: 0x0000041F

            Time Generated: 07/28/2016   12:23:47

            Event String:

            The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:


         An error event occurred.  EventID: 0x0000041F

            Time Generated: 07/28/2016   12:28:49

            Event String:

            The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:


         An error event occurred.  EventID: 0x0000041F

            Time Generated: 07/28/2016   12:33:50

            Event String:

            The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:


         An error event occurred.  EventID: 0x0000041F

            Time Generated: 07/28/2016   12:38:52

            Event String:

            The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:


         An error event occurred.  EventID: 0x0000041F

            Time Generated: 07/28/2016   12:43:53

            Event String:

            The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:


         An error event occurred.  EventID: 0x0000041F

            Time Generated: 07/28/2016   12:48:55

            Event String:

            The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:


         An error event occurred.  EventID: 0x0000041F

            Time Generated: 07/28/2016   12:53:57

            Event String:

            The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:


         A warning event occurred.  EventID: 0x0000A001

            Time Generated: 07/28/2016   12:55:58

            Event String:

            The Security System could not establish a secured connection with the server LDAP/[DC1_Hostname].tesst.local/tesst.local@TESST.LOCAL. No authentication protocol was available.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 07/28/2016   12:57:22

            Event String:

            Driver Send To Microsoft OneNote 2010 Driver required for printer Send To OneNote 2010 is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 07/28/2016   12:57:23

            Event String:

            Driver Xerox Phaser 8500DN required for printer Xerox Phaser 8500DN is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 07/28/2016   12:57:26

            Event String:

            Driver Brother HL-3075CW series required for printer Brother HL-3075CW series (Copy 1) is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x00000457

            Time Generated: 07/28/2016   12:57:28

            Event String:

            Driver Brother HL-3075CW series required for printer Brother HL-3075CW series is unknown. Contact the administrator to install the driver before you log in again.

         An error event occurred.  EventID: 0x0000041F

            Time Generated: 07/28/2016   12:58:58

            Event String:

            The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:


         An error event occurred.  EventID: 0x0000041F

            Time Generated: 07/28/2016   13:04:00

            Event String:

            The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:


         An error event occurred.  EventID: 0x0000041F

            Time Generated: 07/28/2016   13:09:01

            Event String:

            The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:


         A warning event occurred.  EventID: 0x000003F6

            Time Generated: 07/28/2016   13:12:37

            Event String:

            Name resolution for the name 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa timed out after none of the configured DNS servers responded.

         An error event occurred.  EventID: 0x0000041F

            Time Generated: 07/28/2016   13:14:03

            Event String:

            The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:


         ......................... [DC1_Hostname] failed test SystemLog

      Starting test: VerifyReferences

         ......................... [DC1_Hostname] passed test VerifyReferences



   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation


   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation


   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation


   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation


   Running partition tests on : tesst

      Starting test: CheckSDRefDom

         ......................... tesst passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... tesst passed test CrossRefValidation


   Running enterprise tests on : tesst.local

      Starting test: LocatorCheck

         ......................... tesst.local passed test LocatorCheck

      Starting test: Intersite

         ......................... tesst.local passed test Intersite

dcdiag /test:dns

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = [DC1_Hostname]

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests


   Testing server: Default-First-Site-Name\[DC1_Hostname]

      Starting test: Connectivity

         ......................... [DC1_Hostname] passed test Connectivity



Doing primary tests


   Testing server: Default-First-Site-Name\[DC1_Hostname]


      Starting test: DNS



         DNS Tests are running and not hung. Please wait a few minutes...

         ......................... [DC1_Hostname] passed test DNS


   Running partition tests on : ForestDnsZones


   Running partition tests on : DomainDnsZones


   Running partition tests on : Schema


   Running partition tests on : Configuration


   Running partition tests on : [domain]


   Running enterprise tests on : [domain.local]

      Starting test: DNS

         Test results for domain controllers:


            DC: [DC1_Hostname].[domain.local]

            Domain: [domain.local]




               TEST: Dynamic update (Dyn)
                  Warning: Failed to delete the test record dcdiag-test-record in zone [domain.local]

         Summary of test results for DNS servers used by the above domain

         controllers:



            DNS server: 128.8.10.90 (d.root-servers.net.)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
            DNS server: 2001:500:1::53 (h.root-servers.net.)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:1::53
            DNS server: 2001:500:2::c (c.root-servers.net.)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2::c
            DNS server: 2001:500:2d::d (d.root-servers.net.)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2d::d
            DNS server: 2001:500:2f::f (f.root-servers.net.)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2f::f
            DNS server: 2001:500:84::b (b.root-servers.net.)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:84::b
            DNS server: 2001:500:9f::42 (l.root-servers.net.)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:9f::42
            DNS server: 2001:503:ba3e::2:30 (a.root-servers.net.)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:503:ba3e::2:30
            DNS server: 2001:503:c27::2:30 (j.root-servers.net.)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:503:c27::2:30
            DNS server: 2001:7fd::1 (k.root-servers.net.)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:7fd::1
            DNS server: 2001:7fe::53 (i.root-servers.net.)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:7fe::53
            DNS server: 2001:dc3::35 (m.root-servers.net.)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:dc3::35
               [DC1_Hostname]                 PASS PASS PASS PASS WARN PASS n/a
         ......................... [domain.local] passed test DNS

Thanks for any help! Let me know what other information would be helpful!

We have a project where we need to create/add a child domain to our existing forest.  We've already created a virtual server that will be the DC for this new child domain. 
In order to create this child domain, it appears we first need to create a site, then create a site link before we can actually run DCPromo to make this a Domain Control.

When attempting this site creation, it states we have to pick a site link but we don't want the site associated with any of the existing site links (for the parent domain) so we cancelled out of the process.
We then attempted to make a site link (before we created the site) but again, since the site wasn't created yet it was trying to associate with a site for the parent domain; again we cancelled out.

This seems like a catch-22 cycle - need a site link to associate to the site and a site to associate to the site link. (sorry, not sure what I did to change the font size and don't see anyway to change it back)

First, if we create a site and associate it to an existing site link, would we be able to change that later?
Then after this site creation, could we create a new site link and associate that one to the site we just created?
Could we then delete the first link association from the newly created site?

All the above questions are very similar so forgive the repetition.  Any help would be greatly appreciated. 

Hello, I hope someone can help.

We have 1 Primary ADFS server and 1 Secondary ADFS server (also 2 proxies) in our live environment . The secondary server has stopped syncing to the primary for over a month. 

I have also created a 3rd secondary ADFS server I wanted to use for testing and I get this error message (trying to do a sync) when I run through the ADFS 2 Wizard.  

DNS is correct, the service account is correct and has read permissions on the certificate, the server has Rollup3 installed, time is correct and network settings. It's also not a firewall or basic network communications issues either.

I did update our Token Signing and Decrypting certificates recently which might be causing this issue but if it is I'm not sure why as all our RP Trusts are working fine.

Any help would be appreciated.

Many Thanks

Hi all,

I am looking for a way to directly create e-mail enabled universal security groups from the "Active Directory Users and Computers" console. If I create the group from the Exchange Console, it works fine.

I am also aware that as soon an universal security group is create in ADUC I can use Exchange Shell or Console to email enable the group.

The issue I am facing is that these groups should be create by 1st lvl employees - so I am looking for a way to handle it directly in ADUC, since they are already familiar with this console.

Hope someone has any nice ideas.

Thanks

Readed many articls about scripting enable "Manager can update membership list" of AD Group, also I wrote the scirpt, I think it should be fine to run.

after debuging, get access is denied during the last set-acl .

My Id have domain Subou(the group reside in) admin rights ,but not for all domain OUs.

I think the error because ,

1. get-acl contents many supper admin ids in.

2. when modified the acl in memeory, then set-acl re-write to group.  the problem is I don't have rights to write those supprer admins ids

infact, I just want to update, not willing to re-write back all acl.

Any solution for me ?  I think if run by enterprise admin, it should be work fine.

$GroupList="D:\Work\GroupNameList.txt"

$GUID = [System.Guid] 'bf9679c0-0de6-11d0-a285-00aa003049e2'
$SID  = (get-adgroup "AdminDL-Group Admin" -Properties SID).SID
$CTRL = [System.Security.AccessControl.AccessControlType]::Allow
$Rights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$inType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
$Rule   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($SID,$Rights,$CTRL,$GUID,$inType)




Get-Content $GroupList | %{
                                $acl= Get-Acl AD:$((Get-ADGroup $_ ).DistinguishedName)
                                $acl.AddAccessRule($Rule)
                                set-acl -aclobject $acl -Path AD:$((Get-ADGroup $_ ).DistinguishedName)
                           }

Set-Acl : Access is denied
At D:\work\UpdatingGroupManager.ps1:16 char:40
+                                 set-acl <<<<  -aclobject $acl -Path AD:$((Get-ADGroup $_ ).DistinguishedName)
    + CategoryInfo          : PermissionDenied: (CN=D4701R...S,DCC,DC=com:String) [Set-Acl], UnauthorizedAcce
   ssException
    + FullyQualifiedErrorId : ADProvider:SetSecurityDescriptor:AccessDenied,Microsoft.PowerShell.Commands.SetAclComman
   d

夏天