Channel: Directory Services forum

Just for Learning : DC made down & ADC is already UP. But DSA.MSC not working

Hi All,

Good evening. 

I am new to this server management and am learning the various concepts practically through VMware Workstation.

Recently on VMware Workstation, I installed 2 OS [2012]; 1 is DC1 and the other is DC2. On DC1 I configured the AD roles through Server Manager roles and features, followed by promoting it to domain controller. Then on DC2, the ADC was configured by selecting "To add new domain in existing domain".

Just for testing I brought DC1 down, and I found that on DC2 dsa.msc stopped working, and even Sites and Services also.

Please help with what manual steps I need to follow so that DC2 starts working fine even when DC1 is down.





ESAE and Tier model approach - location of the privileged accounts and administrative workstations

I would like to clarify the Microsoft positioning concerning the location of the privileged accounts and administrative workstations with the ESAE and Tier model approach.

  • In one documentation found here, the privileged accounts and workstations are located inside the production forest:

  • However, the link provided as a reference for MIM above the figure in the previous documentation (Privileged Identity Management for Active Directory Domain Services (AD DS)) puts the administrative account for Jen (BASTION/Jen) in the forest dedicated to MIM (with PAM trust, thus SID history..., that's another story) to administer an HR database inside the production forest:

Can someone please confirm the location of the privileged accounts and administrative workstations with the ESAE and Tier model approach?


Checking with my current Active Directory version?

Hi everyone,

Hope you are all doing well! Have not been in this for a while after all other IT incidents... and hope you can help :)

Currently I have one Active Directory domain, which has 9 domain controllers. 4 of them are running 2008 R2, and the rest are running Windows 2012 (not R2). I am also the person who upgraded their 2003 servers to 2008 servers. But I am not sure if I did the "active directory update"... or is it called "schema upgrade"... please help to correct me if I use the wrong terms.

Right now, I am trying to speed up getting rid of the Windows 2008 domain controllers. Let's say I upgrade all the domain controllers to 2012. Is this something I can do, or do I need to upgrade the Active Directory version, or schema... or whatever that is called?

How do I check what version I am at now?

Thank you for your help in advance.

Takami Chiro


How to run gpupdate /force on remote computer?

How to run gpupdate /force on remote computer?

(Without psexec)


Thanks Biswajit

The user profile service failed to logon

Hello Experts,

Our domain-joined client computers (Windows 7) are not able to load the user profile when a user logs in to any domain-joined workstation where his/her profile is not present. The error message is as follows:

The user profile service failed to logon.
User profile cannot be loaded

I am using windows 2008 domain controller and I have only 7 newly created GPOs for Driver Mapping.

This problem has been occurring since 4 days ago; please help to fix the issue as you always help us.

Regards,

Shanish 

Change Notification

Hello, 

Can someone please confirm if AD integrated DNS is also being replicated/included when Change Notification is enabled?

Thank you!

ActiveDirectory_DomainService Event ID 1864 Replication

I noticed this error showing up in my Directory Service logs, and I've done some research and ran some commands. When I run repadmin /showrepl or repadmin /replsum, I don't see any replication errors. I ran dcdiag /e to get a little more info, and saw some warnings regarding sysvol, however, the only sysvol errors I see in the logs are regarding pausing for backup.

I ran repadmin /showvector /latency and got the output below. It lists two Domain Controllers that were demoted and removed in February of this year. They were replaced with new Domain Controllers with the same names. I'm not sure if this is part of the issue.

C:\Windows\system32>repadmin /showvector /latency DC=domainname,DC=internal
Caching GUIDs.
..
60412fcd-4cd5-4915-b3fe-ed02f2dfed21 @ USN  28281794 @ Time 2018-02-05 12:32:25
Default-First-Site-Name\ONPREM-DC1 (deleted DSA) @ USN  28362837 @ Time 2018-02-07 07:24:11
Default-First-Site-Name\ONPREM-DC2 (deleted DSA) @ USN  30001827 @ Time 2018-02-27 07:34:47
CLOUD\CLOUD-DC1                       @ USN   2370332 @ Time 2018-07-11 12:48:51
CLOUD\CLOUD-DC2                       @ USN   1757081 @ Time 2018-07-11 12:50:46
Default-First-Site-Name\ONPREM-DC3       @ USN  34359214 @ Time 2018-07-11 12:52:00
Default-First-Site-Name\ONPREM-DC2       @ USN   8066825 @ Time 2018-07-11 12:52:05
Default-First-Site-Name\ONPREM-DC1       @ USN  10051172 @ Time 2018-07-11 12:52:08

The top line of this output, from 2018-02-05, is from a failed attempt to demote ONPREM-DC1 due to protection against accidental deletion. The wizard rolled back the changes successfully and the host was successfully demoted on 2018-02-07.

----------------------------------------------------------------------------------------

Below is the dcdiag output:


Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = onprem-dc1

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\ONPREM-DC3

      Starting test: Connectivity

         ......................... ONPREM-DC3 passed test Connectivity

   
   Testing server: CLOUD\CLOUD-DC1

      Starting test: Connectivity

         ......................... CLOUD-DC1 passed test Connectivity

   
   Testing server: CLOUD\CLOUD-DC2

      Starting test: Connectivity

         ......................... CLOUD-DC2 passed test Connectivity

   
   Testing server: Default-First-Site-Name\ONPREM-DC1

      Starting test: Connectivity

         ......................... ONPREM-DC1 passed test Connectivity

   
   Testing server: Default-First-Site-Name\ONPREM-DC2

      Starting test: Connectivity

         ......................... ONPREM-DC2 passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\ONPREM-DC3

      Starting test: Advertising

         ......................... ONPREM-DC3 passed test Advertising

      Starting test: FrsEvent

         ......................... ONPREM-DC3 passed test FrsEvent

      Starting test: DFSREvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... ONPREM-DC3 failed test DFSREvent

      Starting test: SysVolCheck

         ......................... ONPREM-DC3 passed test SysVolCheck

      Starting test: KccEvent

         ......................... ONPREM-DC3 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... ONPREM-DC3 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... ONPREM-DC3 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... ONPREM-DC3 passed test NCSecDesc

      Starting test: NetLogons

         ......................... ONPREM-DC3 passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... ONPREM-DC3 passed test ObjectsReplicated

      Starting test: Replications

         ......................... ONPREM-DC3 passed test Replications

      Starting test: RidManager

         ......................... ONPREM-DC3 passed test RidManager

      Starting test: Services

         ......................... ONPREM-DC3 passed test Services

      Starting test: SystemLog

         ......................... ONPREM-DC3 passed test SystemLog

      Starting test: VerifyReferences

         ......................... ONPREM-DC3 passed test VerifyReferences

   
   Testing server: CLOUD\CLOUD-DC1

      Starting test: Advertising

         ......................... CLOUD-DC1 passed test Advertising

      Starting test: FrsEvent

         ......................... CLOUD-DC1 passed test FrsEvent

      Starting test: DFSREvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... CLOUD-DC1 failed test DFSREvent

      Starting test: SysVolCheck

         ......................... CLOUD-DC1 passed test SysVolCheck

      Starting test: KccEvent

         ......................... CLOUD-DC1 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... CLOUD-DC1 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... CLOUD-DC1 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... CLOUD-DC1 passed test NCSecDesc

      Starting test: NetLogons

         ......................... CLOUD-DC1 passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... CLOUD-DC1 passed test ObjectsReplicated

      Starting test: Replications

         ......................... CLOUD-DC1 passed test Replications

      Starting test: RidManager

         ......................... CLOUD-DC1 passed test RidManager

      Starting test: Services

         ......................... CLOUD-DC1 passed test Services

      Starting test: SystemLog

         ......................... CLOUD-DC1 passed test SystemLog

      Starting test: VerifyReferences

         ......................... CLOUD-DC1 passed test VerifyReferences

   
   Testing server: CLOUD\CLOUD-DC2

      Starting test: Advertising

         ......................... CLOUD-DC2 passed test Advertising

      Starting test: FrsEvent

         ......................... CLOUD-DC2 passed test FrsEvent

      Starting test: DFSREvent

         ......................... CLOUD-DC2 passed test DFSREvent

      Starting test: SysVolCheck

         ......................... CLOUD-DC2 passed test SysVolCheck

      Starting test: KccEvent

         ......................... CLOUD-DC2 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... CLOUD-DC2 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... CLOUD-DC2 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... CLOUD-DC2 passed test NCSecDesc

      Starting test: NetLogons

         ......................... CLOUD-DC2 passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... CLOUD-DC2 passed test ObjectsReplicated

      Starting test: Replications

         ......................... CLOUD-DC2 passed test Replications

      Starting test: RidManager

         ......................... CLOUD-DC2 passed test RidManager

      Starting test: Services

         ......................... CLOUD-DC2 passed test Services

      Starting test: SystemLog

         ......................... CLOUD-DC2 passed test SystemLog

      Starting test: VerifyReferences

         ......................... CLOUD-DC2 passed test VerifyReferences

   
   Testing server: Default-First-Site-Name\ONPREM-DC1

      Starting test: Advertising

         ......................... ONPREM-DC1 passed test Advertising

      Starting test: FrsEvent

         ......................... ONPREM-DC1 passed test FrsEvent

      Starting test: DFSREvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... ONPREM-DC1 failed test DFSREvent

      Starting test: SysVolCheck

         ......................... ONPREM-DC1 passed test SysVolCheck

      Starting test: KccEvent

         ......................... ONPREM-DC1 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... ONPREM-DC1 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... ONPREM-DC1 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... ONPREM-DC1 passed test NCSecDesc

      Starting test: NetLogons

         ......................... ONPREM-DC1 passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... ONPREM-DC1 passed test ObjectsReplicated

      Starting test: Replications

         ......................... ONPREM-DC1 passed test Replications

      Starting test: RidManager

         ......................... ONPREM-DC1 passed test RidManager

      Starting test: Services

         ......................... ONPREM-DC1 passed test Services

      Starting test: SystemLog

         ......................... ONPREM-DC1 passed test SystemLog

      Starting test: VerifyReferences

         ......................... ONPREM-DC1 passed test VerifyReferences

   
   Testing server: Default-First-Site-Name\ONPREM-DC2

      Starting test: Advertising

         ......................... ONPREM-DC2 passed test Advertising

      Starting test: FrsEvent

         ......................... ONPREM-DC2 passed test FrsEvent

      Starting test: DFSREvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... ONPREM-DC2 failed test DFSREvent

      Starting test: SysVolCheck

         ......................... ONPREM-DC2 passed test SysVolCheck

      Starting test: KccEvent

         ......................... ONPREM-DC2 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... ONPREM-DC2 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... ONPREM-DC2 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... ONPREM-DC2 passed test NCSecDesc

      Starting test: NetLogons

         ......................... ONPREM-DC2 passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... ONPREM-DC2 passed test ObjectsReplicated

      Starting test: Replications

         ......................... ONPREM-DC2 passed test Replications

      Starting test: RidManager

         ......................... ONPREM-DC2 passed test RidManager

      Starting test: Services

         ......................... ONPREM-DC2 passed test Services

      Starting test: SystemLog

         ......................... ONPREM-DC2 passed test SystemLog

      Starting test: VerifyReferences

         ......................... ONPREM-DC2 passed test VerifyReferences

   
   
   
   
   
   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : domainname

      Starting test: CheckSDRefDom

         ......................... domainname passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... domainname passed test CrossRefValidation

   
   Running enterprise tests on : domainname.internal

      Starting test: LocatorCheck

         ......................... domainname.internal passed test LocatorCheck

      Starting test: Intersite

         Doing intersite inbound replication test on site

         Default-First-Site-Name:
         Doing intersite inbound replication test on site CLOUD:
         ......................... domainname.internal passed test Intersite


4625: An account failed to log on--Source and target are the same computer.

Our SIEM is reporting that a disabled domain account is attempting to authenticate and failing. On a daily basis this is occurring over 1000 times. In the security event log for the server each attempt shows event ID 4625:

An account failed to log on.

Subject:
Security ID: SYSTEM
Account Name: ComputerName$
Account Domain:OUR DOMAIN
Logon ID: 0x3E7

Logon Type:3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Disabled Domain Account
Account Domain:OUR DOMAIN

Failure Information:
Failure Reason:Account currently disabled.
Status: 0xC000006E
Sub Status: 0xC0000072

Process Information:
Caller Process ID:0x254
Caller Process Name:C:\Windows\System32\lsass.exe

Network Information:
Workstation Name:SameComputerNameAsAbove
Source Network Address:192.168.xxx.xxx
Source Port: 65473

Detailed Authentication Information:
Logon Process:Advapi  
Authentication Package:MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services:-
Package Name (NTLM only):-
Key Length: 0

What could be the source of these attempts? I think it has to do with cached credentials, but cmdkey shows no cached credentials. I see the logon type is network, but how does that correlate to the other indicators showing that the local machine is the source of the attempt?

thanks,


Modify granular permission on Active Directory Deleted Objects container

I'm looking to grant the following permissions to the "Deleted Objects" container in AD for JUST child computer objects:

  • List the child objects of the object
  • Read a property
  • Write to a property

Normally I'd just open up ADUC, pull up advanced security permissions, and then set the permissions for descendant computer objects, but the "Deleted Objects" container isn't exposed in ADUC. Does anyone know of a good tutorial for making this modification?


zarberg@gmail.com

Enable LDAPS

We want to enable LDAPS on our domain controllers. The third-party CA wants the request file to include the following things:

E-Mail address
Common Name
Organizational Unit
Locality (City)
State/Province
Country

Hence, do these attributes need to be specified with a value in the attribute editor, as currently there is no value defined for these attributes on the domain controllers on which I want to enable LDAPS?

Also, the Hash Algorithm should be at least SHA256, so should I include the line:

HashAlgorithm = SHA256 in the inf file?


Capturing replication with DS Access auditing

We are trying to capture replication events with the DS Access auditing, specifically:

DS-Replication-Get-Changes    
Extended right needed to replicate changes from a given NC.
Object GUID: {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}

and

DS-Replication-Get-Changes-All    
Control access right that allows the replication of secret domain data.
Object GUID: {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}

We've found that these GUIDs show up in the 4662 events for Directory Service Access. I've turned on that option in the advanced auditing policy, but the odd thing is that I have a 2008 R2 DC that will log the Get-Changes event every hour, but a 2012 R2 DC in the same domain with the same policy never seems to log anything. Is there something I'm missing with being able to capture this? Searching has been lacking, as almost all of the 4662 references are tied to looking for modifications to user/group objects, but nothing related to replication. I know that advanced auditing has specific categories for replication, but we're focusing on those two GUIDs that only seem to show up in the 4662 events.
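Added example, not from this thread or from Microsoft: Python triage helpers that serve both the 4625 post earlier in this list and the 4662 post above. It parses constructed copies of those two events (made-up host, account and address values), reports whether a 4625 was raised by a process on the same host, and flags any 4662 that carries either replication GUID, treating it as expected only for accounts in an assumed allow-list of DC computer names (dc_accounts).

```python
import re

# Replication control-access rights from the thread, keyed by their GUIDs.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
SUB_STATUS = {"0xc0000072": "account disabled", "0xc000006a": "wrong password"}
_KV = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")
_GUID = re.compile(r"\{([0-9a-f-]{36})\}", re.I)

# Constructed sample events (made-up names); the 4625 layout follows the text
# quoted in the thread, the 4662 layout is the standard one.
SAMPLE_4625 = """An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: FILESRV01$
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: svc_oldbackup
Failure Information:
Sub Status: 0xC0000072
Network Information:
Workstation Name: FILESRV01
Source Network Address: 192.0.2.10
Detailed Authentication Information:
Logon Process: Advapi"""
SAMPLE_4662 = """Subject:
Security ID: S-1-5-21-1004336348-1177238915-682003330-1105
Account Name: jdoe
Object:
Object Name: DC=corp,DC=example
Properties: Control Access
{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}
{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"""


def parse_event(text):
    """Split an event body into {section: {field: value}}."""
    sections, current = {"": {}}, ""
    for line in text.splitlines():
        m = _KV.match(line)          # lines without "key: value" are skipped
        if not m:
            continue
        if m.group(2) == "":         # "Subject:" style line opens a section
            current = m.group(1)
            sections.setdefault(current, {})
        else:
            sections[current][m.group(1)] = m.group(2)
    return sections


def triage_4625(text):
    """Separate failures raised by software on the host itself from remote ones."""
    ev = parse_event(text)
    host = ev["Subject"]["Account Name"].rstrip("$").upper()
    # Logon Process "Advapi" means LogonUser() was called by a process on this
    # machine (service, scheduled task, app pool), not from a user's cmdkey vault.
    return {
        "target": ev["Account For Which Logon Failed"]["Account Name"],
        "reason": SUB_STATUS.get(ev["Failure Information"]["Sub Status"].lower(),
                                 "unknown"),
        "local_caller": ev["Subject"]["Security ID"] == "SYSTEM"
        and host == ev["Network Information"]["Workstation Name"].upper(),
        "via_logonuser": ev["Detailed Authentication Information"]
        ["Logon Process"] == "Advapi",
    }


def flag_replication_4662(text, dc_accounts):
    """Report a 4662 carrying a replication GUID; expected only for known DCs."""
    ev = parse_event(text)
    rights = [REPLICATION_RIGHTS[g.lower()] for g in _GUID.findall(text)
              if g.lower() in REPLICATION_RIGHTS]
    if not rights:
        return None
    account = ev["Subject"]["Account Name"]
    expected = account.endswith("$") and account[:-1].upper() in dc_accounts
    return {"account": account, "object": ev["Object"]["Object Name"],
            "rights": rights, "expected": expected}
```

A finding with expected False on the domain naming context is the case worth alerting on; DC-to-DC replication and any directory-sync service accounts you knowingly granted the rights belong in the allow-list.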

Partial replication on ADDC

Hello,

Searching about, I found some things regarding partial replication in RODC via Filtered Attribute Set.

Can this also be applied to an ADDC?

I need only some OUs to be replicated. Is it possible?

For AlwaysON, How and what Domain name need to select while promoting Domain Controller

I have created a Windows Server VM through Google Cloud to perform my SQL Server activity.

I have installed the AD DS and Failover Clustering features on it.

Post that, I need to "Promote this Server as Domain Controller". While doing it, please advise on the points below:

1- What domain name shall I select?

2- Then, I am getting an error for the password. I have selected all possible complex passwords, but still it's not completing the prerequisite.

SERVER 2016 ADDC


I would like to know if I can create an ADDC in our head office, with 2 branch offices already connected through the network, and accommodate around 200 users on an ADDC running Server 2016 Std.

Password not Syncing

Hi,

I have reset a user's AD password in AD since it had expired. After that the user is not able to log in to his machine using the new password; it is still allowing the old password. Please note that it is synced with the Office 365 email. Please let me know what the issue would be?

Thanks in advance,

Ramaiah C


AD upgrade : 2008 R2 to 2012R2 vs 2008R2 to 2016?

Hi,

This is our environment:

- 2008 R2 AD forest

- 2016 Exchange 

- Application servers running IIS and SQL Server(2005 to latest) and other applications.

- Member servers running several different OS : Server 2003, XP to server 2016.

Our organization is currently evaluating two paths to upgrade AD (side-by-side, not in-place): 1) 2008 R2 directly to 2016 AD and 2) 2008 R2 to 2012 R2 and eventually to 2016.

Please share your opinion on the below:

What will be the impact on exchange(2016) if we upgrade to 2012 R2 instead of 2016?

Will there be any impact on applications after AD upgrade due to schema changes?

Is upgrading to 2012 R2 a safer path compared to 2016 directly, or vice versa?


Issues with RODC in DMZ

Hi, 

I am following the guide (https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/rodc/install-a-windows-server-2012-active-directory-read-only-domain-controller--rodc---level-200-#stage-rodc-workflow)  to install 2 RODC servers in our DMZ. 

All setup goes OK until I reach the Attach stage, then I get an error on both systems: 'The wizard cannot access the list of domains in the forest. The network path was not found.'

I can ping the default gateway, nslookup sees the primary domain controller, and I have flushed the DNS, but the system always fails with the above error. Also, the Dfsrdiag command always fails.

Adding the A record in DNS did not fix either. 

Help please?  Thanks 

old password not flushing immediately

hi,

If I am changing the AD password, I can log in to Exchange OWA with both the old and the new password.

Please help and let me know why it happens?

Thanks with Regards

Ajeesh

Transferring FSMO roles from 2008 to 2016 and changing DC IP address

Hi All,

I am planning to transfer the FSMO roles from a 2008 DC to a new 2016 DC server. I want to use the same IP address as the existing 2008 DC on the new 2016 DC. Is it possible that, after I have transferred the roles to the new DC, I can shut down the old DC and use the same IP address on the new 2016 DC? Because all users have the 2008 DC as preferred DNS and have static IP addresses, it is difficult for me to change it for 100s of users.

Regards,

Agha

Half of our users cannot log into PCs unless they are in the local "Administrators" group for that PC.

In the past we have found that users could only log into PCs if they were a local admin for that PC. To work around that we made a group policy that adds the domain users to the "Administrators" group on every client PC. This is of course not good practice, since as well as allowing users to do whatever they want on the PCs, it also makes them more vulnerable to malware attacks.

I have recently been trying to get this working properly. To test, I remove the policy from a PC, then log in as local admin and make sure "Domain Users" is removed from the local "Administrators" group.

I then try logging in as various users.  About half of the accounts log in fine and the other half come up with "The Group Policy Client service failed the logon: Access is Denied."

I have found that doing the following for a given account fixes that account for all PCs:

  1. Delete any local copy of the user's profile from the test PC (and the relevant registry entry in "Profile_List".)
  2. Amend the name of the server copy of the users profile with "OLD".
  3. Log in to the test PC as the user then log out. (which creates a new profile)
  4. Delete the server copy of the new profile and remove "OLD" from the original.

You would not expect this to do much, since you are just replacing the new profile with the original one, but this fixes it every time. Once this is done for a user's account they can log into any PC without being a local admin. However, if the user was still logged in to another PC during the fix, when they log out it breaks it again.

I can only assume this process does something to the actual account, since the profile itself is not changed, but I cannot work out what!

Doing this for 150+ users does not seem feasible, so I'm really hoping to find the root cause.

Our DC is running Server 2008 R2 and is the only DC on the network.


