Channel: Directory Services forum

Exclude a computer from cross-forest trust


Hello all,

First, the question:  Is there a way to exclude/isolate a particular computer from a cross-forest trust?

Now, the details:

I am working on a project to decommission an acquired domain.  Part of this is to change a user account in the acquired domain (we'll call it Domain2) that is hard-coded on developer computers to a new user in the primary domain (Domain1). The same Domain2\user is hard-coded on all developer boxes.  The computers themselves have already been migrated to Domain1.

Once I change the Domain2\user to the new Domain1\user on one machine, I need to be able to test functionality and see if I missed anything without taking all of the developers down (hence, I can't just sever the trust, test, and add it back).  The ideal way I can think of - if possible - is to exclude a particular computer from partaking in the trust between Domain1 and Domain2.

Does anyone know of a way to do this?  I was considering making fake hosts entries on the computer to "blackhole" all of the Domain2 DCs, but not sure if that would work.

Any ideas would be greatly appreciated.

Cheers!


Error ID 1925


Hello Everyone,

I am battling a pair of domain controllers that are not playing nice with each other. They are the only two DCs in the domain and they are in separate sites. I am at my wit's end. Please help me. I have the two DCs configured as DNS servers, as well as two SOPHOS UTM 9 machines at both ends of the connection that are configured as DNS servers as well. I have some errors that show in DCDIAG and in a couple of tests as well. Below are the results of DCDIAG and REPADMIN /REPLSUM.

THIS is the PDC.

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\nfielding>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = PDC2
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Administration\PDC2
      Starting test: Connectivity
         ......................... PDC2 passed test Connectivity

Doing primary tests

   Testing server: Administration\PDC2
      Starting test: Advertising
         ......................... PDC2 passed test Advertising
      Starting test: FrsEvent
         ......................... PDC2 passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... PDC2 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... PDC2 passed test SysVolCheck
      Starting test: KccEvent
         A warning event occurred.  EventID: 0x8000061E
            Time Generated: 08/04/2016   16:15:45
            Event String:
            All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.
         An error event occurred.  EventID: 0xC000051F
            Time Generated: 08/04/2016   16:15:45
            Event String:
            The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
         A warning event occurred.  EventID: 0x80000749
            Time Generated: 08/04/2016   16:15:45
            Event String:
            The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.
         A warning event occurred.  EventID: 0x8000061E
            Time Generated: 08/04/2016   16:15:45
            Event String:
            All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.
         An error event occurred.  EventID: 0xC000051F
            Time Generated: 08/04/2016   16:15:45
            Event String:
            The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
         A warning event occurred.  EventID: 0x80000749
            Time Generated: 08/04/2016   16:15:45
            Event String:
            The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 08/04/2016   16:15:45
            Event String:
            The attempt to establish a replication link for the following writable directory partition failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 08/04/2016   16:15:46
            Event String:
            The attempt to establish a replication link for the following writable directory partition failed.
         A warning event occurred.  EventID: 0x80000785
            Time Generated: 08/04/2016   16:15:47
            Event String:
            The attempt to establish a replication link for the following writable directory partition failed.
         ......................... PDC2 failed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... PDC2 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... PDC2 passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ypt-nsn,DC=gov
         ......................... PDC2 failed test NCSecDesc
      Starting test: NetLogons
         ......................... PDC2 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... PDC2 passed test ObjectsReplicated
      Starting test: Replications
         ......................... PDC2 passed test Replications
      Starting test: RidManager
         ......................... PDC2 passed test RidManager
      Starting test: Services
         ......................... PDC2 passed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x00001695
            Time Generated: 08/04/2016   16:10:51
            Event String:
            Dynamic registration or deletion of one or more DNS records associated with DNS domain 'ypt-nsn.gov.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).
         A warning event occurred.  EventID: 0x00001695
            Time Generated: 08/04/2016   16:10:51
            Event String:
            Dynamic registration or deletion of one or more DNS records associated with DNS domain 'ForestDnsZones.ypt-nsn.gov.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).
         A warning event occurred.  EventID: 0x00001695
            Time Generated: 08/04/2016   16:10:51
            Event String:
            Dynamic registration or deletion of one or more DNS records associated with DNS domain 'DomainDnsZones.ypt-nsn.gov.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).
         ......................... PDC2 passed test SystemLog
      Starting test: VerifyReferences
         ......................... PDC2 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : ypt-nsn
      Starting test: CheckSDRefDom
         ......................... ypt-nsn passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ypt-nsn passed test CrossRefValidation

   Running enterprise tests on : ypt-nsn.gov
      Starting test: LocatorCheck
         ......................... ypt-nsn.gov passed test LocatorCheck
      Starting test: Intersite
         ......................... ypt-nsn.gov passed test Intersite

C:\Users\nfielding>

Here is the REPADMIN /REPLSUM for the PDC as well

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\nfielding>repadmin /replsum
Replication Summary Start Time: 2016-08-04 16:27:56

Beginning data collection for replication summary, this may take awhile:
  .....


Source DSA          largest delta    fails/total %%   error


Destination DSA     largest delta    fails/total %%   error


Experienced the following operational errors trying to retrieve replication information:
          58 - 3a108ae5-5337-4af9-911a-c04c6e5910e4._msdcs.ypt-nsn.gov

C:\Users\nfielding>

The ID above is the BDC

Distribution Group (Accept Messages from - Permission)


Hello,

I have a requirement to apply the "Accept Messages from" permission on a few of the distribution groups, but the question is: if the organizational structure has a few nested distribution groups as members, how can we make sure that the permission is applied to the nested groups as well?

Scenario Example-

Distribution Group A - Can accept messages from AA User

Distribution Group B (it's a member of Distribution Group A) - Can accept messages from BB User

When we send a message to Distribution Group A from AA user, it won't be delivered to members of Distribution Group B even though it is a member of Distribution Group A.


Regards,
Manuj Khurana

Create e-mail enabled universal security group


Hi all,

I am looking for a way to directly create e-mail enabled universal security groups from the "Active Directory Users and Computers" console. If I create the group from the Exchange Console, it works fine.

I am also aware that as soon as a universal security group is created in ADUC I can use the Exchange Shell or Console to mail-enable the group.

The issue I am facing is that these groups should be created by 1st-level employees - so I am looking for a way to handle it directly in ADUC, since they are already familiar with this console.

Hope someone has any nice ideas.

Thanks

Event ID: 4729 and 4728 not logging


Hi all,

I'm trying to get event IDs 4729 and 4728 to log so that we can monitor changes to security groups in AD, but after configuration we're still not seeing them. I have double-checked the group policy settings and permission-based settings as shown in the following article: https://www.itsupportguides.com/server-side-tips/active-directory-logging-changes-to-groups/

Can anyone suggest another policy that could be disabling the function?

Thanks. 
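As an added check for the question above (example code, not from the post or the linked article): the setting that actually governs whether 4728/4729 are written is the effective audit policy that auditpol reports on the DC, not what a GPO appears to say. The script reads that setting, reads the LSA value that decides whether Advanced Audit Policy subcategories override legacy category settings, and parses any recent 4728/4729 events. It assumes it is run elevated on a domain controller.

```powershell
# Added example (not from the post): verify the effective audit policy that
# produces 4728/4729 and list recent group-membership changes.
# Run elevated on a DC: the events are written on the DC that processed the change.
# Note: 4728/4729 cover security-enabled GLOBAL groups only; domain local groups
# log 4732/4733 and universal groups log 4756/4757.

function Get-GroupAuditStatus {
    # auditpol reports the setting actually in force, whatever the GPO says.
    # /r emits CSV with an 'Inclusion Setting' column such as 'Success and Failure'.
    $row = auditpol /get /subcategory:"Security Group Management" /r |
        Where-Object { $_.Trim() } |
        ConvertFrom-Csv |
        Where-Object { $_.Subcategory -eq 'Security Group Management' }

    # With Advanced Audit Policy in use, this LSA value should be 1; otherwise a
    # legacy "Audit account management" category setting in some GPO can win.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue

    [pscustomobject]@{
        InclusionSetting         = $row.'Inclusion Setting'
        SuccessAudited           = [bool]($row.'Inclusion Setting' -match 'Success')
        ForceSubcategoryOverride = $lsa.SCENoApplyLegacyAuditPolicy   # $null if not set
    }
}

function Get-GlobalGroupMembershipChanges {
    param([int]$Days = 7)

    $filter = @{ LogName = 'Security'; Id = 4728, 4729; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Action = if ($_.Id -eq 4728) { 'MemberAdded' } else { 'MemberRemoved' }
            Group  = $data['TargetUserName']
            Member = $data['MemberName']          # DN of the account added or removed
            Actor  = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        }
    }
}

$status = Get-GroupAuditStatus
$status | Format-List
if (-not $status.SuccessAudited) {
    Write-Warning 'Success auditing for Security Group Management is off on this DC; 4728/4729 will not be written.'
}
Get-GlobalGroupMembershipChanges -Days 7 | Format-Table -AutoSize
```

If the inclusion setting shows Success but ForceSubcategoryOverride is not 1, enable "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" in the policy that applies to the DCs and re-run.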

forgot outlook pst file password

Is there a safe PST password tool/site?  I have $100,000s of lost product keys and business data in older emails with a forgotten password!  HELP!!!!

Domain admin users don't have admin permissions


I have my AD on Windows 2012 R2. The users are using Windows 10. The local PC has 'Domain Admins' in the local Administrators group. I created a test user who is only a member of 'Domain Users'. This test user can press Windows + R for the Run box and is allowed to run to folders on other servers. I have a real user that is a member of the following - Domain Admins, Enterprise Admins, Administrators, Domain Users - yet he can't use the Windows + R shortcut. I have moved both users to have the same memberships, but whatever I do the real user can't have any privileges, yet the test user can do what he wants no matter what privileges I give him.

The GPO for UAC was enabled; I have disabled it, and no matter what I do it doesn't work.

Any ideas? Is anyone else having a similar issue?

And yes, it is on the domain.


Unable to promote RODC


Hi Techies,

I am unable to promote a Windows 2012 R2 RODC; I am getting the error below.

Error determining whether the target environment requires adprep: Validation error: Validation error: Unable to check forest upgrade status for server srv11dcvm01.domain.com.

Exception: The specified server cannot perform the requested operation \n Details:Test.VerifyForestUpgradeStatus.ADPrep.Win32Exception.-2147467259

I have the Windows 2003 functional level and all domain controllers are running Windows 2008 R2.

Schema Version is 56 = Windows Server 2012

My FSMO role placement on the network is as follows:

Schema master         : Internal DMZ
Domain naming master  : Internal DMZ
PDC                   : External DMZ
RID pool manager      : External DMZ
Infrastructure master : Internal DMZ

All FSMO role holders have communication with each other.

But the server which I am promoting is in the external DMZ and I have connectivity only to the PDC and RID pool master.

Do I need to have connectivity to all FSMO servers? If yes, then which ports, and unidirectional or bidirectional?

I have even run RODCPREP on the schema master server:

D:\support\adprep\adprep /rodcprep

Then I left it for one day for replication, but I am still getting the above-mentioned error.

DNS does not have any issue, as I am able to do nslookup and telnet works on port 53.

Please help me to resolve this issue.


With Regards, Raviraj Nagenhatti - System Administrator


Best Practice to install / Promote Domain Controller in Existing Domain or Forest


Hi Team,

Please let us know the best practice to install/promote a domain controller in an existing domain or forest on Windows 2008/2012 Server.

I have the following doubts about promoting a DC in an existing domain or forest.

1) Which ports should be opened?

2) While promoting an additional domain controller in a domain, which FSMO servers does the promoting server contact? Should all 5 FSMO role holders have connectivity to the promoting DC?

3) What are the prerequisites when installing an additional domain controller in a different subnet?

4) Do DCs require bidirectional ports to be opened between them? If yes, which ports should be opened?

5) Which ports should be opened from client machines to domain controllers, unidirectional or bidirectional?

6) Creating sites and subnets in Active Directory Sites and Services.

Please help.

 


With Regards, Raviraj Nagenhatti - System Administrator

AD LDS - ADAMSYNC


I am standing up an AD LDS environment in a test forest.  I am following Cisco's white paper on installing it for Cisco UCM:

https://supportforums.cisco.com/document/63136/how-configure-unified-communication-manager-directory-integration-multi-forest#Import_the_Users_from_AD_DC_to_AD_LDS

I am stuck on the section for importing users from AD to AD LDS using ADAMSYNC.  The command I am using is: ADAMSync /sync localhost:389 "dc=cisco,dc=com" /log C:\Logfiles\sync.log

In my Sync.Log I have the errors below.  I have run ADAMSync twice, both times with the same errors.

Using file .\damD2D4.tmp as a store for deferred dn-references.

An error occured while attempting to open file .\damD2D4.tmp for write.

An error occured while attempting to open file .\damD2D4.tmp for write.

This is the Sync.Log from my second run; it shows that an active sync is in progress.  Do I just need to be patient and wait?

Adamsync.exe v1.0 (6)

Establishing connection to target server localhost:389.

There is already an active sync session in progress. 

Please allow the session to complete, or use -mai to seize the role.

Saving Configuration File on DC=cisco,DC=com

Saved configuration file.

ADAMSync is querying for a writeable replica of Kurt.Local.

Establishing connection to source server TestDC.Testt.Com:389.

Using file .\damD2D4.tmp as a store for deferred dn-references.

An error occured while attempting to open file .\damD2D4.tmp for write.

An error occured while attempting to open file .\damD2D4.tmp for write.

Restore AD security group


Hi Experts,

I want to be clear on my concern below...

I want to restore one security group with the help of Quest Recovery Manager.

The group is older than the TSL, from around 6 months back.

What will happen if I restore that old group using Quest Recovery Manager?

Will this group become a lingering object even if I restore the group as an authoritative restore?

AD LDS - Importing Objects


I am attempting to stand up AD LDS in our Test Environment.  I am following the Cisco White Paper for Cisco UCM.

I am at the point where I am importing users from AD to AD LDS.  I have run the ADAMSYNC command, and my sync log says that it connected and finished.  Yet, when I connect to my instance, I do not see any objects from my test domain.

Do I need to use LDIFDE first to import my OUs and users and then use ADAMSYNC for updates?

Chris

Error when attempting to change password: "The security database on the server does not have a computer account for this workstation trust relationship."


The error message I'm seeing is "The security database on the server does not have a computer account for this workstation trust relationship." There's nothing wrong with the trust relationship and I have removed a computer from the domain, deleted the AD account, and re-added it to the domain successfully and I still get the same message but only when I am trying to change my password. Below are all the things I have tried unsuccessfully:

  • Removed the computer account from the domain, deleted the account, and re-added the computer to the domain.
  • Tested with domain admin account.
  • Tried changing my password logged in directly into a domain controller.
  • Issue occurs both on manual password change or forced password change.
  • Copied existing account and tried changing the password.
  • Created brand new (not copied) account in AD and tried changing the password.
  • Tried resetting password on multiple computers.
  • Removing Windows updates mentioned online that may cause this issue.

The only things that have worked are:

  • Changing a local user account's password.
  • Changing a domain account password via AD Users and Computers.

Our workstations are Windows 7 SP1 and our servers are Windows 2008 R2 SP1.

Christopher

AD Services account's last activity!


I have a few AD service accounts that no one knows what they are for or where they are being used. Is there any way I can find out a service account's last activity or last authentication?

I prefer a tool or a CMD; I am really GREEN with PS or VBS :(

Well, I can disable it and see who screams - last resort!

Thank you


Thang Mo
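For the question above, an added example (not from the post) of how to answer it with the ActiveDirectory module rather than by disabling the account. It asks every DC for the non-replicated lastLogon value and also reports the replicated but coarse lastLogonTimestamp; the account names are constructed placeholders.

```powershell
# Added example (not from the post): find when each service account last
# authenticated. lastLogon is updated only on the DC that handled the logon and
# is NOT replicated, so every DC has to be asked. lastLogonTimestamp is replicated
# but is only refreshed when more than msDS-LogonTimeSyncInterval (default 14 days,
# minus a random 0-5 days) has passed, so it is accurate only to about 9-14 days.
# A client requesting a service ticket TO an SPN owned by the account does not update
# either value; only the account itself authenticating (e.g. the service starting) does.
# Assumes the RSAT ActiveDirectory module and read rights on the accounts.
Import-Module ActiveDirectory

function Get-AccountLastLogon {
    param([Parameter(Mandatory)][string[]]$SamAccountName)

    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    foreach ($sam in $SamAccountName) {
        $newest = 0; $newestDc = $null; $replicated = $null
        foreach ($dc in $dcs) {
            try {
                $u = Get-ADUser -Identity $sam -Server $dc -Properties lastLogon, lastLogonTimestamp
            } catch {
                # An unreachable DC leaves a blind spot: the account may have logged on there
                Write-Warning "$dc not queried for $sam : $($_.Exception.Message)"
                continue
            }
            if ($u.lastLogon -gt $newest) { $newest = $u.lastLogon; $newestDc = $dc }
            if ($u.lastLogonTimestamp -gt $replicated) { $replicated = $u.lastLogonTimestamp }
        }
        [pscustomobject]@{
            Account             = $sam
            LastLogonExact      = if ($newest) { [DateTime]::FromFileTime($newest) } else { 'never (or no DC answered)' }
            SeenOnDC            = $newestDc
            LastLogonReplicated = if ($replicated) { [DateTime]::FromFileTime($replicated) } else { $null }
        }
    }
}

# Constructed placeholder names; substitute the accounts nobody can identify
Get-AccountLastLogon -SamAccountName 'svc_legacy01', 'svc_legacy02' | Format-Table -AutoSize
```

A recent LastLogonExact tells you the account is still in use; the SeenOnDC column narrows down which site it authenticates from, which usually points at the server or task still using it.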

Best architecture for (far) remote domain work


Dear all,

Notice: I am NOT trained in IT admin - I learn as needed via Google :/

I work remotely from my work place - actually across a large ocean - and consequently there is a huge latency (ping 200 to 350ms) between my home office and the company's domain manager.

The company (small business) is running a SBS2008 server which serves as exchange server, domain controller and file server. I am the only employee (so far) working abroad.

To secure the link between my home network and the main office, the IT manager and I have implemented an openVPN tunnel via a pFsense machine as firewall at each end.

It works - AD authentication etc. are fine, but due to the latency + SMB2, it is extremely painful to work on the network shares; operations like right-clicks, save-as and document openings take at least 10 to 15 seconds, sometimes up to a minute. Sometimes, by the time a document opens I have literally forgotten why I opened it! :-)


I have tried using Windows (W7 Pro and W10 Pro) built-in offline files to address these problems, i.e. work on local copies to avoid the latency issue and let offline files synchronize things in the background... but

a/ The offline files mechanism does not work well "by itself"; you have to constantly switch manually between offline and online if you are, for instance, collaborating with somebody at the other end on the same document.

b/ There isn't a single day without some sync errors - sometimes a lot.

On the other hand, I have been using Dropbox as well (outside of the network shares) and this works beautifully - i.e. when collaborating with somebody at the other end, the sync between the two copies of a document was generally maintained within a couple of seconds, sometimes 30 seconds for larger changes (and of course longer if I needed to upload or download a large file or folder for the first time).

The IT admin and I have already looked into all the optimisation tricks for the VPN link itself, and the ping results are not visibly different when going through the tunnel or outside it. I believe the issue really lies within the innards of SMB2 (Wireshark shows a lot of back-and-forth). I guess Dropbox uses other protocols/means that are not impacted so much by the latency.

Does anybody know whether the domain controller and/or file server could be configured to use a faster protocol in this context?

Alternatively, are there other tools than "offline files" to maintain local copies? Dropbox is appealing, but not compatible from what I know with preserving the AD permissions etc... 

I've read about having a "mirror" file server here (i.e. at the remote location), but this would need a new SBS license, which sounds like overkill for just me!

THX for any advice.

 


Tombstone Lifetime


We have a situation where an additional domain controller and a few member systems of the domain have been offline for more than 6 months. All are running 2008 R2. Now, what problems will occur if I power on the additional domain controller and the other member servers, and how can I resolve the issues?

Can I increase the lifetime on Primary DC and then power on additional DC, member servers?

Win10 clients fail to find and authenticate with local Read-Only Domain Controller


Hello all,

I have a strange issue regarding authenticating to a recently installed Windows 2012 R2 RODC.  After successfully promoting the server and ensuring that ALL Active Directory user AND computer accounts were added to the "Allowed RODC Password Replication Group", certain PCs in that group still fail to find and authenticate with this server.  Note, this is the only DC at the site.

Upon closer inspection and reviewing the Advanced settings of the Password Replication Policy on this particular server, I noticed that in the "Accounts that have been authenticated to this Read-only Domain Controller" list, two or three computers that continue to give me issues are not listed, yet they ARE correctly listed in "Accounts whose passwords are stored on this Read-only Domain Controller", so I am really stumped as to why these few computers repeatedly fail to find the local DC.

Is there anywhere I can check?  I'm reluctant to remove the problem PCs from the domain and re-add them in fear that they will not even find the domain when I try to join them again.  

Any assistance regarding this issue would be appreciated.


Very urgent, please help me: forward lookup zone doesn't show the AD domain folder


I have 2 AD 2012 servers; both have DNS integrated with the domain.

I changed DNS on one of them to secondary, and suddenly the folder in Forward Lookup Zones for my domain doesn't show up and is hidden. I can't see it.

When I create a new zone for my domain and give it the DNS database in system32\dns\mydomain.dns,

I can't see the other records.

Please help me.

Can't run services with a UPN in a different forest - getting Access Denied


Can't run services with a UPN in a different forest - getting Access Denied,

but services run fine with the Domainname\Samaccountname format.


MCSE Certified

Security policies were propagated with warning. 0x534


Dear Sir,


I am getting the below error on a domain controller; please help me resolve it.

Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.

Advanced help for this problem is available on http://support.microsoft.com. Query for "troubleshooting 1202 events". 

Error 0x534 occurs when a user account in one or more Group Policy objects (GPOs) could not be resolved to a SID.  This error is possibly caused by a mistyped or deleted user account referenced in either the User Rights or Restricted Groups branch of a GPO.  To resolve this event, contact an administrator in the domain to perform the following actions: 

1. Identify accounts that could not be resolved to a SID:

From the command prompt, type: FIND /I "Cannot find"  %SYSTEMROOT%\Security\Logs\winlogon.log

The string following "Cannot find" in the FIND output identifies the problem account names.

Example: Cannot find JohnDough.

In this case, the SID for username "JohnDough" could not be determined. This most likely occurs because the account was deleted, renamed, or is spelled differently (e.g. "JohnDoe"). 

2. Use RSoP to identify the specific User Rights, Restricted Groups, and Source GPOs that contain the problem accounts:

a. Start -> Run -> RSoP.msc
b. Review the results for Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment and Computer Configuration\Windows Settings\Security Settings\Local Policies\Restricted Groups for any errors flagged with a red X.
c. For any User Right or Restricted Group marked with a red X, the corresponding GPO that contains the problem policy setting is listed under the column entitled "Source GPO". Note the specific User Rights, Restricted Groups and containing Source GPOs that are generating errors.

3. Remove unresolved accounts from Group Policy

a. Start -> Run -> MMC.EXE
b. From the File menu select "Add/Remove Snap-in..."
c. From the "Add/Remove Snap-in" dialog box select "Add..."
d. In the "Add Standalone Snap-in" dialog box select "Group Policy" and click "Add"
e. In the "Select Group Policy Object" dialog box click the "Browse" button.
f. On the "Browse for a Group Policy Object" dialog box choose the "All" tab
g. For each source GPO identified in step 2, correct the specific User Rights or Restricted Groups that were flagged with a red X in step 2. These User Rights or Restricted Groups can be corrected by removing or correcting any references to the problem accounts that were identified in step 1.
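The event text above gives the procedure manually; as an added example (not part of the event text or the post), this script automates step 1 and adds the check a practitioner wants before editing a GPO: it reads the same winlogon.log that FIND /I "Cannot find" searches, extracts every account name reported, and asks LSA whether each still fails to resolve to a SID. It assumes the default log path from the event description.

```powershell
# Added example (not from the event text): automate step 1 of the 0x534 fix.
# Reads winlogon.log, pulls the names after "Cannot find", and checks whether each
# still fails SID translation (deleted, renamed or mistyped account).
$LogPath = Join-Path $env:SystemRoot 'Security\Logs\winlogon.log'

function Get-UnresolvedPolicyAccounts {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "winlogon.log not found at $Path"
    }

    # Same lines FIND /I "Cannot find" returns; capture the name and drop the trailing period.
    # Select-String is case-insensitive by default, matching FIND /I.
    $names = Select-String -LiteralPath $Path -Pattern 'Cannot find (.+?)\.?\s*$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() } |
        Sort-Object -Unique

    foreach ($name in $names) {
        try {
            # LSA lookup; throws IdentityNotMappedException when no SID exists for the name
            $sid = ([System.Security.Principal.NTAccount]$name).Translate(
                       [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $null
        }
        [pscustomobject]@{
            Account = $name
            Sid     = $sid
            Status  = if ($sid) { 'Resolves now; run gpupdate /force and check for a new Event 1202' }
                      else      { 'Unresolved: fix User Rights / Restricted Groups in the RSoP Source GPO' }
        }
    }
}

Get-UnresolvedPolicyAccounts -Path $LogPath | Format-Table -AutoSize
```

An account that resolves now but is still listed usually means the log predates a fix; one that stays unresolved is the entry to remove or correct in step 3.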
