Channel: Directory Services forum

Get-ADUser


I have a script and I need to find users in AD by DistinguishedName.

# Specify target OU.
$TargetOU = "ou=testi,ou=Users,ou=test"

# Read user sAMAccountNames from csv file (field labeled "Name").
Import-Csv -Path Users.csv | ForEach-Object {
    # Retrieve DN of User.
    $UserDN = (Get-ADUser -Identity $_.Name).distinguishedName

    # Move user to target OU.
    Move-ADObject -Identity $UserDN -TargetPath $TargetOU
}

I get the following error:

get-aduser : Cannot find an object with identity: 'test test' under: 'DC=test,DC=test'.

I have a CSV file with names like "Testi Testi"; if I put "Testi.testi" it works just fine. The problem is that we have accounts whose logon names differ from the actual DistinguishedName, e.g. the username is "Marta.Kyll" and the DistinguishedName is "Marta-Kylie Kyll".
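The lookup can be made tolerant of both kinds of names. The script below is an added example written for this page, not the poster's script: it resolves each CSV "Name" value by sAMAccountName first and then by displayName (the value shown above, "Marta-Kylie Kyll", is what AD stores in displayName and in the CN of the distinguished name), refuses ambiguous matches rather than moving the wrong account, and supports -WhatIf so the moves can be previewed. The full DN in $TargetOU and the "Name" column header are assumptions.

```powershell
# Added example (not the poster's script). Assumes Users.csv has a "Name" column and
# that $TargetOU is the full DN of the target OU.
Import-Module ActiveDirectory

$TargetOU = "OU=testi,OU=Users,OU=test,DC=test,DC=test"   # assumed full DN

function Resolve-ADUserByName {
    # Returns exactly one ADUser for a logon name or a display name; throws otherwise.
    param([Parameter(Mandatory)][string]$Name)

    $escaped = $Name.Replace("'", "''")          # a single quote would break the -Filter string

    # 1. Exact logon name (what -Identity already matches for "Testi.testi").
    $hits = @(Get-ADUser -Filter "sAMAccountName -eq '$escaped'")

    # 2. Fall back to the display name ("Marta-Kylie Kyll").
    if ($hits.Count -eq 0) {
        $hits = @(Get-ADUser -Filter "displayName -eq '$escaped'")
    }

    # 3. Last resort: treat "First Last" as givenName / sn.
    if ($hits.Count -eq 0 -and $Name -match '^(?<first>\S+)\s+(?<last>.+)$') {
        $first = $Matches.first.Replace("'", "''")
        $last  = $Matches.last.Replace("'", "''")
        $hits  = @(Get-ADUser -Filter "givenName -eq '$first' -and sn -eq '$last'")
    }

    switch ($hits.Count) {
        0       { throw "No user matches '$Name'" }
        1       { return $hits[0] }
        default { throw "'$Name' is ambiguous: $($hits.DistinguishedName -join '; ')" }
    }
}

function Move-UsersFromCsv {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$TargetPath
    )
    foreach ($row in Import-Csv -Path $Path) {
        try {
            $user = Resolve-ADUserByName -Name $row.Name
            # Skip accounts that already live in the target OU.
            if ($user.DistinguishedName -like "*,$TargetPath") {
                Write-Verbose "$($user.SamAccountName) already in $TargetPath"
                continue
            }
            if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Move to $TargetPath")) {
                Move-ADObject -Identity $user.DistinguishedName -TargetPath $TargetPath
            }
        }
        catch {
            # One bad row must not abort the whole run; report it and carry on.
            Write-Warning "Row '$($row.Name)': $($_.Exception.Message)"
        }
    }
}

# Preview first, then run for real:
Move-UsersFromCsv -Path .\Users.csv -TargetPath $TargetOU -WhatIf
# Move-UsersFromCsv -Path .\Users.csv -TargetPath $TargetOU -Verbose
```

Throwing on an ambiguous display name is deliberate: two people called "Testi Testi" would otherwise be silently resolved to whichever one the DC returned first, and the wrong account would be moved.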



Metadata cleanup is not working - unable to demote 2008 R2 DC


Hello everyone, I would appreciate your advice on how to remove traces of a recently demoted 2012 Std server.

Although the demotion appeared to go fine, there are still traces that are preventing the demotion of our last 2008 server.

-------------------------------------------------------------------------------

The Forest and Domain DNS infrastructure values are pointing to the retired server DC02, via ADSIEdit, DSQuery and LDP:

Value of ForestDNS\DC=ForestDNSZones,DC=Mydomain,DC=com\CN=Infrastructure:
CN=NTDS Settings\0ADEL:9677ee9c-e0e5-4682-9774-b25a26956851,CN=DC02\0ADEL:b306569a-59c2-4f6e-9153-3a2dbfb2875f,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=Mydomain,DC=com

Value of DomainDNS\DC=DomainDNSZones,DC=Mydomain,DC=com\CN=Infrastructure:
CN=NTDS Settings\0ADEL:9677ee9c-e0e5-4682-9774-b25a26956851,CN=DC02\0ADEL:b306569a-59c2-4f6e-9153-3a2dbfb2875f,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=Mydomain,DC=com

-------------------------------------------------------------------------------

Attempts to update the value manually error out, and the VBS script in the article below fails at line 11, char 5 when run from an elevated command prompt:

 ForestDNSZones or DomainDNSZones FSMO says “The role owner attribute could not be read”
 https://blogs.technet.microsoft.com/the_9z_by_chris_davis/2011/12/20/forestdnszones-or-domaindnszones-fsmo-says-the-role-owner-attribute-could-not-be-read/
  
 What has happened is the DC who held the FSMO Role Holder for your DomainDNSZones or your ForestDNSZones (or both) application partition isn’t there anymore.
 Someone deleted it, decommissioned it, basically it failed somewhere along the line but the DC owned one or more of your AD Integrated DNS Zones.
 The deleted DC can be seen in the mess above after cn=___ and in most cases this means someone had to do metadata cleanup and forcibly removed the server from AD.

-------------------------------------------------------------------------------

The standard FSMO roles are fine:

C:\Windows\system32>netdom /query fsmo
Schema master               GLDC01.Mydomain.com
Domain naming master        GLDC01.Mydomain.com
PDC                         GLDC01.Mydomain.com
RID pool manager            GLDC01.Mydomain.com
Infrastructure master       GLDC01.Mydomain.com
The command completed successfully.

-------------------------------------------------------------------------------

The server is not seen in ADSIEdit to delete when searching by site:

How to remove data in Active Directory after an unsuccessful domain controller demotion
https://support.microsoft.com/en-us/help/216498/how-to-remove-data-in-active-directory-after-an-unsuccessful-domain-co

Example:

select operation target: list sites

...returns 7 sites correctly

select operation target: select site 0
select operation target: list servers in site
Found 2 server(s) - DC01 not there

select operation target: select site 1
select operation target: list servers in site
Found 1 server(s) - DC01 not there..just the 2008 R2 server I wish to demote

-------------------------------------------------------------------------------

Dssite.msc

The retired 2012 server was seen with no NTDS settings attached.
Manually deleted and confirmed the replication to other DCs...it is removed.


Clean Up Server Metadata
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc816907(v=ws.10)

-------------------------------------------------------------------------------

ADSIEdit and LDP confirm the incorrect value is still present for the Forest and Domain DNS application partition roles:

-------------------------------------------------------------------------------

FixFsmo.vbs script again fails at line 11 char 5

-------------------------------------------------------------------------------

Suggestions on how to clean up the metadata are greatly appreciated.
Goal: retire the 2008 R2 DC

Thank you!

Andy
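The state described above can be checked from PowerShell before touching anything. The following is an added example, not part of the post or of the linked articles: it reads the fSMORoleOwner of the Infrastructure object in both DNS application partitions, flags an owner that carries the "\0ADEL:" tombstone marker or that is not the NTDS Settings object of any current DC, and offers a transfer function that writes fSMORoleOwner through the target DC, which is the same operation the fixfsmo.vbs script from the linked article performs. The DC name in the usage line is a placeholder.

```powershell
# Added example (not from the post or the linked articles).
Import-Module ActiveDirectory

function Get-DnsPartitionFsmoOwner {
    $rootDse = Get-ADRootDSE
    # NTDS Settings DNs of every DC in the forest; ForestDnsZones may be owned by a DC in another domain.
    $liveNtds = foreach ($d in (Get-ADForest).Domains) {
        (Get-ADDomainController -Filter * -Server $d).NTDSSettingsObjectDN
    }

    $partitions = @(
        "DC=DomainDnsZones,$($rootDse.defaultNamingContext)"
        "DC=ForestDnsZones,$($rootDse.rootDomainNamingContext)"
    )
    foreach ($partition in $partitions) {
        $infra = Get-ADObject -Identity "CN=Infrastructure,$partition" -Properties fSMORoleOwner
        $owner = $infra.fSMORoleOwner
        [pscustomobject]@{
            Partition     = $partition
            RoleOwner     = $owner
            OwnerDeleted  = $owner -match '\\0ADEL:'     # tombstone marker, as in the post's output
            OwnerIsLiveDC = $liveNtds -contains $owner
        }
    }
}

function Set-DnsPartitionFsmoOwner {
    # Transfers the partition's Infrastructure role to $TargetDC. The write is sent to that DC
    # (-Server), because a DC only accepts fSMORoleOwner pointing at its own NTDS Settings object.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$Partition,
        [Parameter(Mandatory)][string]$TargetDC    # hostname of a DC that hosts the partition
    )
    $ntdsDN = (Get-ADDomainController -Identity $TargetDC).NTDSSettingsObjectDN
    $target = "CN=Infrastructure,$Partition"
    if ($PSCmdlet.ShouldProcess($target, "Set fSMORoleOwner to $ntdsDN")) {
        Set-ADObject -Identity $target -Replace @{ fSMORoleOwner = $ntdsDN } -Server $TargetDC
    }
}

# Report first; only transfer after the report confirms the owner is gone.
Get-DnsPartitionFsmoOwner | Format-List
# Set-DnsPartitionFsmoOwner -Partition "DC=ForestDnsZones,DC=Mydomain,DC=com" -TargetDC GLDC01 -Confirm
```

Running the report again after the transfer (and after replication) should show OwnerDeleted false and OwnerIsLiveDC true for both partitions; until it does, the demotion of the last 2008 R2 DC will keep tripping over the same reference.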



Advantages of deleting obsolete computer accounts


Hi,

How do I find the obsolete computer accounts in a 2008 R2 domain, and how do I remove those objects on a monthly basis?

Is there any benefit to removing the obsolete computer accounts?
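An added example for the two questions above (not code from the post): it finds computer accounts that have neither logged on nor rotated their machine password within a threshold, then disables, quarantines and finally deletes them in stages so a false positive can be reversed. The 90/180-day thresholds and the quarantine OU are assumptions; lastLogonTimestamp itself is only refreshed every 9 to 14 days, so do not set the threshold below that.

```powershell
# Added example (not from the post). Thresholds and the quarantine OU are assumptions.
Import-Module ActiveDirectory

function Get-StaleADComputer {
    param(
        [int]$InactiveDays = 90,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $cutoff = (Get-Date).AddDays(-$InactiveDays).ToFileTimeUtc()
    # Both attributes must be old: a machine that is on but idle still renews its password.
    # primaryGroupID 516/521 excludes writable and read-only domain controllers.
    $filter = "lastLogonTimestamp -lt $cutoff -and pwdLastSet -lt $cutoff -and primaryGroupID -ne 516 -and primaryGroupID -ne 521"
    Get-ADComputer -Filter $filter -SearchBase $SearchBase -Properties lastLogonTimestamp, pwdLastSet, operatingSystem |
        ForEach-Object {
            [pscustomobject]@{
                Name              = $_.Name
                Enabled           = $_.Enabled
                OperatingSystem   = $_.operatingSystem
                LastLogon         = [datetime]::FromFileTimeUtc($_.lastLogonTimestamp)
                PasswordLastSet   = [datetime]::FromFileTimeUtc($_.pwdLastSet)
                DistinguishedName = $_.DistinguishedName
            }
        }
}

function Invoke-StaleADComputerCleanup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$QuarantineOU,   # assumed, e.g. "OU=Disabled Computers,DC=corp,DC=example"
        [int]$DisableAfterDays = 90,
        [int]$DeleteAfterDays  = 180
    )
    $stamp = Get-Date -Format 'yyyy-MM-dd'

    # Stage 1: stale and still enabled -> disable, annotate, move to quarantine.
    Get-StaleADComputer -InactiveDays $DisableAfterDays | Where-Object Enabled | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.Name, 'Disable and move to quarantine')) {
            Set-ADComputer -Identity $_.DistinguishedName -Enabled $false -Description "Disabled $stamp by stale-computer cleanup"
            Move-ADObject -Identity $_.DistinguishedName -TargetPath $QuarantineOU
        }
    }

    # Stage 2: quarantined, disabled and stale for the longer period -> delete.
    Get-StaleADComputer -InactiveDays $DeleteAfterDays -SearchBase $QuarantineOU |
        Where-Object { -not $_.Enabled } | ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Name, 'Delete computer account')) {
                Set-ADObject -Identity $_.DistinguishedName -ProtectedFromAccidentalDeletion $false
                # -Recursive also removes child objects (e.g. BitLocker recovery info) that block Remove-ADComputer.
                Remove-ADObject -Identity $_.DistinguishedName -Recursive -Confirm:$false
            }
        }
}

# Monthly run: review the report, then execute (drop -WhatIf once the output looks right).
Get-StaleADComputer | Sort-Object LastLogon | Format-Table Name, Enabled, OperatingSystem, LastLogon, PasswordLastSet
Invoke-StaleADComputerCleanup -QuarantineOU "OU=Disabled Computers,DC=corp,DC=example" -WhatIf
```

On the benefit: an unused computer account still holds a valid password and can still authenticate, so every one you remove is one fewer credential to defend and audit; it also keeps inventory and licence counts honest and frees the name for reuse. Schedule the cleanup as a task under an account that has rights only on the OUs it manages.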

Having multiple domains used as UPN suffixes for my end users, how do I make one of them the default so it appears first in the list when creating a new user account?


I went to AD Domains and Trusts and added the domain abc@123, for example.

So now I can change the UPN suffix for any user to abc@123.

When I create a new user, the old domain is the one that comes first and I have to choose abc@123 from the drop-down list.

I think there is a way to make abc@123 appear first; does anyone know how?

New 2008 DC on 2003 domain - workstation trust relationship issues.


Greetings,

We added a 2008 R2 DC to our 2003 domain, which consists of two 2003 R2 servers; we are planning to upgrade the domain once I am happy that things are stable. Unfortunately I have had one recurring issue since the addition of the server.

Every day a handful of machines present "The security database on the server does not have a computer account for this workstation trust relationship", normally at the start of the day when a user first logs on. This can be sorted by restarting the machine once or twice, but it's not ideal and can recur on the same machine.

I can find no associated errors on either the local machine nor domain controllers, so I'm starting to climb the walls figuring out the cause.  My gut instinct is that it's DHCP/DNS related, but I can't find anything wrong with the machine's records.

Any suggestions would be well received.

Allow private network to access domain controller


Hi 

I am trying to set up a NAS server with a private IP address (say 192.168.1.x), but it complains about not being able to reach the DNS server.

How can I create a rule or policy on the server to allow the private network "192.168.1.x"?

Thanks

NLTEST ERROR_NO_SITENAME


Hi all,

I'm facing an issue with the "site mapping" of 2 of our workstations, the two of mine...

I use different management consoles or shells from both of my 2 workstations to manage AD-based applications, and for an unknown reason several of these tools have stopped working for approximately 1 month. Examples of these tools are Exchange Management Shell, Exchange Toolbox and CodeTwo Exchange Rules Pro.

When I attempt to use EMS:

Exception when calling « GetComputerSite » avec « 0 » argument(s) : « The computer is not in a site. »
Au caractère C:\Program Files\Microsoft\Exchange Server\V15\bin\ConnectFunctions.ps1:164 : 2
+     $localSite=[System.DirectoryServices.ActiveDirectory.ActiveDirect ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ActiveDirectoryObjectNotFoundException

I have to specify the Exchange Server that I want to connect to.

When I use CodeTwo Exchange Rules Pro and try to make rules based on OU, nothing happens, whereas I should get a dialog box to browse AD.

When I run the command "nltest /dsgetsite" on these 2 workstations, I get :

"Cannot get the domain controller name : Status = 1919 0x77f ERROR_NO_SITENAME".

I tested this command on several other workstations in the same AD site and all is good.

Would you have an idea about this issue?

Thank you.

Regards,


FXE

Protect service Account from accidental Enable/Disable


I want to protect my service account from accidental disable/enable by all users. To accomplish this I tried to use DSACLS, but I am having difficulties achieving this goal. The command below gives me the error shown. Can someone assist me in resolving my issue?

---------------------------------

C:\>DSACLS "CN=serv_test,CN=Users,DC=ID,DC=COM" /D "Domain Users:RPWP;userAccountControl;user" /I:T
user is specified as Inherited Object Type. /I:S must be present.
The parameter is incorrect.

The command failed to complete successfully.

-----------------------------------

My service accounts reside in the same OUs as normal user accounts. Implementing this on a whole OU is not feasible for me, as Service Desk staff would not be able to perform day-to-day operations for normal users. My goal is to selectively identify all service accounts scattered over multiple OUs and then implement this restriction. I am able to achieve this via the GUI, but I have more than 1500 service accounts in my domain, so it is not feasible through the GUI, and I am looking for some kind of command-line solution.

Thanks

Gautam


Protect service Account from accidental Deletion


I want to protect my service account from accidental disable/enable by all users. To accomplish this I tried to use DSACLS, but I am having difficulties achieving this goal. The command below gives me the error shown. Can someone assist me in resolving my issue?

C:\>DSACLS "CN=serv_test,CN=Users,DC=ID,DC=COM" /D "Domain Users:RPWP;userAccountControl;user" /I:T
user is specified as Inherited Object Type. /I:S must be present.
The parameter is incorrect.

The command failed to complete successfully.
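Both posts above hit the same DSACLS message: the trailing `;user` in `RPWP;userAccountControl;user` is an inherited-object-type, which DSACLS only accepts together with /I:S. On a single user object no inheritance is wanted, so the attribute-scoped ACE is better written without it. The script below is an added example (not from either post): it selects the service accounts, resolves the schemaIDGUID of userAccountControl from the schema rather than hard-coding it, and adds one explicit Deny for WriteProperty on that attribute per account, idempotently and with -WhatIf support. Denying only WriteProperty (the poster's command also denied RP) leaves reads intact so tools that inspect the account keep working. The `serv_` name prefix used for selection follows the post's `serv_test` and is an assumption; substitute a CSV or a group if your naming differs.

```powershell
# Added example (not from either post). Selection by the "serv_" prefix is an assumption.
Import-Module ActiveDirectory

function Get-AttributeSchemaGuid {
    # Looks up the schemaIDGUID for an attribute instead of hard-coding it.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq '$LdapDisplayName'" -Properties schemaIDGUID
    if (-not $attr) { throw "Attribute '$LdapDisplayName' not found in the schema" }
    return [guid]$attr.schemaIDGUID
}

function Protect-ServiceAccountUAC {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][Microsoft.ActiveDirectory.Management.ADUser]$User,
        [string]$DenyGroup = 'Domain Users'
    )
    begin {
        $uacGuid = Get-AttributeSchemaGuid -LdapDisplayName 'userAccountControl'
        $group   = Get-ADGroup -Identity $DenyGroup
        $ntName  = "$((Get-ADDomain).NetBIOSName)\$($group.SamAccountName)"
        # Deny WriteProperty on exactly one attribute (object-type GUID = userAccountControl).
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $group.SID,
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
            [System.Security.AccessControl.AccessControlType]::Deny,
            $uacGuid)
    }
    process {
        $path = "AD:\$($User.DistinguishedName)"
        $acl  = Get-Acl -Path $path

        # Idempotent: skip objects that already carry this exact Deny.
        $already = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.ObjectType -eq $uacGuid -and
            $_.IdentityReference.Value -eq $ntName -and
            (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0)
        }
        if ($already) {
            Write-Verbose "$($User.SamAccountName): deny already present"
            return
        }
        if ($PSCmdlet.ShouldProcess($User.DistinguishedName, "Deny WriteProperty(userAccountControl) to $DenyGroup")) {
            $acl.AddAccessRule($rule)
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

# Preview, then apply:
Get-ADUser -Filter "sAMAccountName -like 'serv_*'" | Protect-ServiceAccountUAC -WhatIf
# Get-ADUser -Filter "sAMAccountName -like 'serv_*'" | Protect-ServiceAccountUAC -Verbose
```

Deny entries are evaluated before Allow entries, so this also blocks administrators who are members of Domain Users, which is what "from all users" asks for; plan in advance who removes the ACE when a service account must legitimately be disabled, and record that procedure next to the script.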

Wrong Logon Server


On a new site we have created, all of the clients get a logon server for a different site.

In ADSS the subnet is set up and assigned to the correct site.

I looked through DNS and everything seems to be OK, and the Kerberos DNS setting for the site is pointing to the correct DC.

If I run nltest /dsgetsite it returns the wrong site.
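The NLTEST ERROR_NO_SITENAME post and this one are two outcomes of the same mechanism: the DC maps the client's source IP address to the most specific subnet object and returns that subnet's site; no matching subnet gives ERROR_NO_SITENAME, and a more specific subnet assigned elsewhere gives the "wrong" site. The script below is an added example (not from either post) that reproduces that longest-prefix lookup against the subnet objects for every local IPv4 address, alongside what Netlogon has cached in DynamicSiteName and what nltest reports. IPv6 subnet objects are skipped.

```powershell
# Added example (not from either post). IPv4 only; IPv6 subnet objects are skipped.
Import-Module ActiveDirectory

function ConvertTo-IPv4Int {
    param([Parameter(Mandatory)][System.Net.IPAddress]$Address)
    $b = $Address.GetAddressBytes()   # network byte order, most significant octet first
    return ([int64]$b[0] -shl 24) -bor ([int64]$b[1] -shl 16) -bor ([int64]$b[2] -shl 8) -bor [int64]$b[3]
}

function Test-IPv4InPrefix {
    # $Prefix is the subnet object's name, e.g. "192.168.1.0/24".
    param([System.Net.IPAddress]$Address, [string]$Prefix)
    if (-not ($Prefix -match '^(?<net>\d+\.\d+\.\d+\.\d+)/(?<bits>\d+)$')) { return $false }
    $bits = [int]$Matches.bits
    if ($bits -eq 0) { return $true }
    $shift = 32 - $bits
    $net = [System.Net.IPAddress]::Parse($Matches.net)
    return ((ConvertTo-IPv4Int $Address) -shr $shift) -eq ((ConvertTo-IPv4Int $net) -shr $shift)
}

function Get-ADSiteForIPAddress {
    param([Parameter(Mandatory)][string]$IPAddress)
    $ip = [System.Net.IPAddress]::Parse($IPAddress)
    $best = $null
    foreach ($subnet in Get-ADReplicationSubnet -Filter *) {
        if (-not (Test-IPv4InPrefix -Address $ip -Prefix $subnet.Name)) { continue }
        $bits = [int]($subnet.Name -split '/')[1]
        # Longest prefix wins: a /24 beats a /16 that also contains the address.
        if ($null -eq $best -or $bits -gt $best.Bits) {
            $best = [pscustomobject]@{ Subnet = $subnet.Name; Bits = $bits; SiteDN = $subnet.Site }
        }
    }
    [pscustomobject]@{
        IPAddress = $IPAddress
        Subnet    = if ($best) { $best.Subnet } else { $null }
        # The site DN looks like CN=Site1,CN=Sites,CN=Configuration,...; keep just the name.
        # A subnet with no site assigned yields $null here, exactly like a missing subnet.
        Site      = if ($best -and $best.SiteDN) { ($best.SiteDN -split ',')[0] -replace '^CN=' } else { $null }
    }
}

function Get-ClientSiteDiagnostics {
    $netlogon = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $nltest   = (nltest /dsgetsite 2>&1 | Select-Object -First 1)
    Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
        ForEach-Object {
            $r = Get-ADSiteForIPAddress -IPAddress $_.IPAddress
            [pscustomobject]@{
                Interface         = $_.InterfaceAlias
                IPAddress         = $_.IPAddress
                MatchedSubnet     = $r.Subnet
                SiteFromSubnets   = $r.Site
                CachedDynamicSite = $netlogon.DynamicSiteName   # last site a DC told this client
                StaticSiteName    = $netlogon.SiteName          # non-empty only if the site was pinned by hand
                NltestReports     = $nltest
            }
        }
}

Get-ClientSiteDiagnostics | Format-Table -AutoSize
```

Read the output per interface: a row with MatchedSubnet empty is the ERROR_NO_SITENAME case for that address (VPN and virtual adapters are the usual culprits); a row whose SiteFromSubnets differs from CachedDynamicSite points at a stale cache or at the DC seeing a different source address than the one listed here, which happens behind NAT.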

2003 domain with 2012 R2 schema - but upgrading to 2008 R2


We planned and tested a migration from 2003 to 2012 R2, but unfortunately we hit the issue documented here despite being fully patched.  It was fine in the test environment but not in production.

In the hopes of circumventing this issue we have decided to upgrade to 2008 R2 and then 2012 R2.  After demoting the 2012 R2 server we are left with a 2003 domain with a 2012 R2 schema.

I understand that schemas are backwards compatible, so can I simply skip 2008's adprep and crack on as usual?

Split AD forest into 2 copies that will never be rejoined?


I know Microsoft do not support "graft and prune" as a migration strategy, but could it work as a short term solution if the 2 private networks are split and no longer communicate? If the splitting company takes its local Forest Root DCs, cuts communications with the parent company, and forces one of those root DCs to take on the FSMO roles, could it then remove all other child domains except its own and operate independently blissfully unaware that the other company is also running the same forest name and IDs on its own network (minus the child domain that is splitting)?

Windows 2008 R2 throughout, no Exchange servers to worry about, and DNS is all run off UNIX. The child domains have always been run locally in each country; it's just that they have been part of the same forest. A migration to a new forest is not feasible in the near term, but it will be the natural goal when resources can be decommissioned and other dependencies removed to vastly simplify the task.

It doesn't matter that it is a "dirty" solution, but could it work?

Thanks in advance.

New/reinstalled computers on domain can't authenticate.


Our domain is win.reed.edu. At the login screen, new/reinstalled computers show "WIN" (whereas the established computers show "REED.EDU"). Attempts to log in give "The user name or password is incorrect", even if I try win.reed.edu\username, reed.edu\username or username@win.reed.edu.

gpupdate on these computers works fine.

We are not using imaging.

The latest computer I'm troubleshooting this issue on was running Windows 10 Enterprise (and logged in just fine) but I reinstalled it with Windows 10 Enterprise LTSB

I have tried:

  • Rejoining the domain (including removing and adding back to the proper OU)
  • Turning off the local Windows firewall
  • Double checked DNS IPs and flushed cache
  • Set 'Append these DNS suffixes' to reed.edu and win.reed.edu

We are primarily a Mac campus with little Windows server expertise, so I'd appreciate even obvious suggestions. Thank you in advance!

ActiveDirectory_DomainService Event ID 1864 Replication


I noticed this error showing up in my Directory Service logs, and I've done some research and ran some commands. When I run repadmin /showrepl or repadmin /replsum, I don't see any replication errors. I ran dcdiag /e to get a little more info, and saw some warnings regarding sysvol, however, the only sysvol errors I see in the logs are regarding pausing for backup.

I ran repadmin /showvector /latency and got the output below. It lists two Domain Controllers that were demoted and removed in February of this year. They were replaced with new Domain Controllers with the same names. I'm not sure if this is part of the issue.

C:\Windows\system32>repadmin /showvector /latency DC=domainname,DC=internal
Caching GUIDs.
..
60412fcd-4cd5-4915-b3fe-ed02f2dfed21 @ USN  28281794 @ Time 2018-02-05 12:32:25
Default-First-Site-Name\ONPREM-DC1 (deleted DSA) @ USN  28362837 @ Time 2018-02-07 07:24:11
Default-First-Site-Name\ONPREM-DC2 (deleted DSA) @ USN  30001827 @ Time 2018-02-27 07:34:47
CLOUD\CLOUD-DC1                       @ USN   2370332 @ Time 2018-07-11 12:48:51
CLOUD\CLOUD-DC2                       @ USN   1757081 @ Time 2018-07-11 12:50:46
Default-First-Site-Name\ONPREM-DC3       @ USN  34359214 @ Time 2018-07-11 12:52:00
Default-First-Site-Name\ONPREM-DC2       @ USN   8066825 @ Time 2018-07-11 12:52:05
Default-First-Site-Name\ONPREM-DC1       @ USN  10051172 @ Time 2018-07-11 12:52:08

The top line of this output, from 2018-02-05, is from a failed attempt to demote ONPREM-DC1 due to protection from accidental deletion. The wizard rolled back the changes successfully and the host was successfully demoted on 2018-02-07.

----------------------------------------------------------------------------------------

Below is the dcdiag output:


Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = onprem-dc1

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\ONPREM-DC3

      Starting test: Connectivity

         ......................... ONPREM-DC3 passed test Connectivity

   
   Testing server: CLOUD\CLOUD-DC1

      Starting test: Connectivity

         ......................... CLOUD-DC1 passed test Connectivity

   
   Testing server: CLOUD\CLOUD-DC2

      Starting test: Connectivity

         ......................... CLOUD-DC2 passed test Connectivity

   
   Testing server: Default-First-Site-Name\ONPREM-DC1

      Starting test: Connectivity

         ......................... ONPREM-DC1 passed test Connectivity

   
   Testing server: Default-First-Site-Name\ONPREM-DC2

      Starting test: Connectivity

         ......................... ONPREM-DC2 passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\ONPREM-DC3

      Starting test: Advertising

         ......................... ONPREM-DC3 passed test Advertising

      Starting test: FrsEvent

         ......................... ONPREM-DC3 passed test FrsEvent

      Starting test: DFSREvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... ONPREM-DC3 failed test DFSREvent

      Starting test: SysVolCheck

         ......................... ONPREM-DC3 passed test SysVolCheck

      Starting test: KccEvent

         ......................... ONPREM-DC3 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... ONPREM-DC3 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... ONPREM-DC3 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... ONPREM-DC3 passed test NCSecDesc

      Starting test: NetLogons

         ......................... ONPREM-DC3 passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... ONPREM-DC3 passed test ObjectsReplicated

      Starting test: Replications

         ......................... ONPREM-DC3 passed test Replications

      Starting test: RidManager

         ......................... ONPREM-DC3 passed test RidManager

      Starting test: Services

         ......................... ONPREM-DC3 passed test Services

      Starting test: SystemLog

         ......................... ONPREM-DC3 passed test SystemLog

      Starting test: VerifyReferences

         ......................... ONPREM-DC3 passed test VerifyReferences

   
   Testing server: CLOUD\CLOUD-DC1

      Starting test: Advertising

         ......................... CLOUD-DC1 passed test Advertising

      Starting test: FrsEvent

         ......................... CLOUD-DC1 passed test FrsEvent

      Starting test: DFSREvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... CLOUD-DC1 failed test DFSREvent

      Starting test: SysVolCheck

         ......................... CLOUD-DC1 passed test SysVolCheck

      Starting test: KccEvent

         ......................... CLOUD-DC1 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... CLOUD-DC1 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... CLOUD-DC1 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... CLOUD-DC1 passed test NCSecDesc

      Starting test: NetLogons

         ......................... CLOUD-DC1 passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... CLOUD-DC1 passed test ObjectsReplicated

      Starting test: Replications

         ......................... CLOUD-DC1 passed test Replications

      Starting test: RidManager

         ......................... CLOUD-DC1 passed test RidManager

      Starting test: Services

         ......................... CLOUD-DC1 passed test Services

      Starting test: SystemLog

         ......................... CLOUD-DC1 passed test SystemLog

      Starting test: VerifyReferences

         ......................... CLOUD-DC1 passed test VerifyReferences

   
   Testing server: CLOUD\CLOUD-DC2

      Starting test: Advertising

         ......................... CLOUD-DC2 passed test Advertising

      Starting test: FrsEvent

         ......................... CLOUD-DC2 passed test FrsEvent

      Starting test: DFSREvent

         ......................... CLOUD-DC2 passed test DFSREvent

      Starting test: SysVolCheck

         ......................... CLOUD-DC2 passed test SysVolCheck

      Starting test: KccEvent

         ......................... CLOUD-DC2 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... CLOUD-DC2 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... CLOUD-DC2 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... CLOUD-DC2 passed test NCSecDesc

      Starting test: NetLogons

         ......................... CLOUD-DC2 passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... CLOUD-DC2 passed test ObjectsReplicated

      Starting test: Replications

         ......................... CLOUD-DC2 passed test Replications

      Starting test: RidManager

         ......................... CLOUD-DC2 passed test RidManager

      Starting test: Services

         ......................... CLOUD-DC2 passed test Services

      Starting test: SystemLog

         ......................... CLOUD-DC2 passed test SystemLog

      Starting test: VerifyReferences

         ......................... CLOUD-DC2 passed test VerifyReferences

   
   Testing server: Default-First-Site-Name\ONPREM-DC1

      Starting test: Advertising

         ......................... ONPREM-DC1 passed test Advertising

      Starting test: FrsEvent

         ......................... ONPREM-DC1 passed test FrsEvent

      Starting test: DFSREvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... ONPREM-DC1 failed test DFSREvent

      Starting test: SysVolCheck

         ......................... ONPREM-DC1 passed test SysVolCheck

      Starting test: KccEvent

         ......................... ONPREM-DC1 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... ONPREM-DC1 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... ONPREM-DC1 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... ONPREM-DC1 passed test NCSecDesc

      Starting test: NetLogons

         ......................... ONPREM-DC1 passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... ONPREM-DC1 passed test ObjectsReplicated

      Starting test: Replications

         ......................... ONPREM-DC1 passed test Replications

      Starting test: RidManager

         ......................... ONPREM-DC1 passed test RidManager

      Starting test: Services

         ......................... ONPREM-DC1 passed test Services

      Starting test: SystemLog

         ......................... ONPREM-DC1 passed test SystemLog

      Starting test: VerifyReferences

         ......................... ONPREM-DC1 passed test VerifyReferences

   
   Testing server: Default-First-Site-Name\ONPREM-DC2

      Starting test: Advertising

         ......................... ONPREM-DC2 passed test Advertising

      Starting test: FrsEvent

         ......................... ONPREM-DC2 passed test FrsEvent

      Starting test: DFSREvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... ONPREM-DC2 failed test DFSREvent

      Starting test: SysVolCheck

         ......................... ONPREM-DC2 passed test SysVolCheck

      Starting test: KccEvent

         ......................... ONPREM-DC2 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... ONPREM-DC2 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... ONPREM-DC2 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... ONPREM-DC2 passed test NCSecDesc

      Starting test: NetLogons

         ......................... ONPREM-DC2 passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... ONPREM-DC2 passed test ObjectsReplicated

      Starting test: Replications

         ......................... ONPREM-DC2 passed test Replications

      Starting test: RidManager

         ......................... ONPREM-DC2 passed test RidManager

      Starting test: Services

         ......................... ONPREM-DC2 passed test Services

      Starting test: SystemLog

         ......................... ONPREM-DC2 passed test SystemLog

      Starting test: VerifyReferences

         ......................... ONPREM-DC2 passed test VerifyReferences

   
   
   
   
   
   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : domainname

      Starting test: CheckSDRefDom

         ......................... domainname passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... domainname passed test CrossRefValidation

   
   Running enterprise tests on : domainname.internal

      Starting test: LocatorCheck

         ......................... domainname.internal passed test LocatorCheck

      Starting test: Intersite

         Doing intersite inbound replication test on site

         Default-First-Site-Name:
         Doing intersite inbound replication test on site CLOUD:
         ......................... domainname.internal passed test Intersite
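Event 1864 counts the directory servers this DC has not received replication from within fixed intervals, so the lines worth attention in the repadmin /showvector /latency output above are the ones whose last update is months old: the two "(deleted DSA)" entries and the bare GUID that repadmin could not resolve to a DSA name. The script below is an added example, not from the post: it parses that output into objects and flags deleted, unresolved and stale entries. The sample is constructed from the shape of the post's output, and the 60-day threshold is an assumption.

```powershell
# Added example (not from the post). Sample constructed from the shape of the post's output.
$sample = @'
Caching GUIDs.
..
60412fcd-4cd5-4915-b3fe-ed02f2dfed21 @ USN  28281794 @ Time 2018-02-05 12:32:25
Default-First-Site-Name\ONPREM-DC1 (deleted DSA) @ USN  28362837 @ Time 2018-02-07 07:24:11
Default-First-Site-Name\ONPREM-DC2 (deleted DSA) @ USN  30001827 @ Time 2018-02-27 07:34:47
CLOUD\CLOUD-DC1                       @ USN   2370332 @ Time 2018-07-11 12:48:51
Default-First-Site-Name\ONPREM-DC1       @ USN  10051172 @ Time 2018-07-11 12:52:08
'@

function ConvertFrom-RepadminVector {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [datetime]$AsOf = (Get-Date)      # reference time for the age calculation
    )
    $pattern = '^(?<dsa>.+?)\s*@ USN\s+(?<usn>\d+) @ Time (?<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*$'
    foreach ($line in $Lines) {
        if ($line -notmatch $pattern) { continue }   # skips "Caching GUIDs." and the dots
        $dsa  = $Matches.dsa
        $usn  = [int64]$Matches.usn
        $time = [datetime]::ParseExact($Matches.time, 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
        [pscustomobject]@{
            DSA        = ($dsa -replace '\s*\(deleted DSA\)$').Trim()
            Deleted    = $dsa -like '*(deleted DSA)*'
            # A raw GUID means repadmin could not map the invocation ID to any DSA.
            OrphanGuid = $dsa -match '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
            USN        = $usn
            LastUpdate = $time
            AgeDays    = [int][math]::Floor(($AsOf - $time).TotalDays)
        }
    }
}

function Get-ReplicationVectorFindings {
    param([Parameter(Mandatory)][object[]]$Vector, [int]$StaleDays = 60)   # threshold is an assumption
    foreach ($e in $Vector) {
        $reason = @()
        if ($e.Deleted)    { $reason += 'entry belongs to a deleted DSA' }
        if ($e.OrphanGuid) { $reason += 'invocation ID does not resolve to a DSA' }
        if ($e.AgeDays -gt $StaleDays) { $reason += "no update for $($e.AgeDays) days" }
        if ($reason) {
            [pscustomobject]@{ DSA = $e.DSA; LastUpdate = $e.LastUpdate; Finding = ($reason -join '; ') }
        }
    }
}

# Constructed sample, evaluated as of the day the post's output was captured:
$vector = ConvertFrom-RepadminVector -Lines ($sample -split "`r?`n") -AsOf ([datetime]'2018-07-11')
Get-ReplicationVectorFindings -Vector $vector | Format-Table -AutoSize

# Live data from the current domain:
# $vector = ConvertFrom-RepadminVector -Lines (repadmin /showvector /latency (Get-ADDomain).DistinguishedName)
# Get-ReplicationVectorFindings -Vector $vector
```

On the sample the three old entries are reported and the two current DCs are not; the same three are the candidates for the count in the 1864 event. Entries for the replacement DCs that reuse the old names are distinct vector entries with their own invocation IDs, which is why ONPREM-DC1 appears twice.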


Active Directory "User must change password at next logon" takes two log-offs before it prompts for a password change.


Active Directory "User must change password at next logon" takes two log-offs before it prompts for a password change.

How do I set it so that it forces the user to change the password after one log-off?


dcdiag error


Hello,

I'm getting ready to do an FRS to DFSR migration. My new domain controllers are now on Server 2012 R2 and I've raised the functional level to it. When I run a dcdiag /e /c I see the following errors:

Starting test: VerifyEnterpriseReferences

         The following problems were found while verifying various important DN

         references.  Note, that  these problems can be reported because of

         latency in replication.  So follow up to resolve the following

         problems, only if the same problem is reported on all DCs for a given

         domain or if  the problem persists after replication has had

         reasonable time to replicate changes. 
            [1] Problem: Missing Expected Value

             Base Object: CN=MCPDC2,OU=Domain Controllers,DC=my,DC=domain

             Base Object Description: "DC Account Object"

             Value Object Attribute Name: msDFSR-ComputerReferenceBL

             Value Object Description: "SYSVOL FRS Member Object"

             Recommended Action: See Knowledge Base Article: Q312862

             
            [2] Problem: Missing Expected Value

             Base Object: CN=MCPDC1,OU=Domain Controllers,DC=my,DC=domain

             Base Object Description: "DC Account Object"

             Value Object Attribute Name: msDFSR-ComputerReferenceBL

             Value Object Description: "SYSVOL FRS Member Object"

             Recommended Action: See Knowledge Base Article: Q312862

             
            LDAP Error 0x5e (94) - No result present in message. 
         ......................... MCPDC2 failed test

Can anyone give me some insight on how to fix this before I proceed with the migration? Thanks.
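The attribute dcdiag reports as missing, msDFSR-ComputerReferenceBL, is the back-link that appears on a DC's computer object once a DFSR member object for SYSVOL references it; that member object is created by dfsrmig during the migration, so on a domain whose SYSVOL is still on FRS the back-link cannot be present yet. The script below is an added example (not from the post) that reports, per DC, the FRS member object, the DFSR member object, the back-link and the domain-wide migration state, so you can see before and after each dfsrmig step which DCs are still expected to trip this test.

```powershell
# Added example (not from the post). Run from any DC or a host with RSAT and dfsrmig.
Import-Module ActiveDirectory

function Get-SysvolMembershipReport {
    $domainDN = (Get-ADDomain).DistinguishedName
    # FRS replica set for SYSVOL and the DFSR replication group created by dfsrmig.
    $frsBase  = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainDN"
    $dfsrBase = "CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,$domainDN"

    # Domain-wide migration state: Start / Prepared / Redirected / Eliminated.
    $globalState = (dfsrmig /getglobalstate 2>&1) -join ' '

    foreach ($dc in Get-ADDomainController -Filter *) {
        $computer = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties 'msDFSR-ComputerReferenceBL'
        # Each lookup returns $null if the base container does not exist yet (pure FRS domain).
        $frsMember  = Get-ADObject -SearchBase $frsBase  -Filter "objectClass -eq 'nTFRSMember' -and name -eq '$($dc.Name)'" -ErrorAction SilentlyContinue
        $dfsrMember = Get-ADObject -SearchBase $dfsrBase -Filter "objectClass -eq 'msDFSR-Member' -and name -eq '$($dc.Name)'" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DC              = $dc.Name
            OperatingSystem = $dc.OperatingSystem
            FrsMember       = [bool]$frsMember
            DfsrMember      = [bool]$dfsrMember
            DfsrBackLink    = $computer.'msDFSR-ComputerReferenceBL'
            GlobalState     = $globalState
        }
    }
}

Get-SysvolMembershipReport | Format-Table -AutoSize
```

A consistent picture is FrsMember true and DfsrMember false on every DC while GlobalState is still Start; after the Prepared state every DC should show DfsrMember true with a populated DfsrBackLink. A DC that differs from its peers at the same state is the one to look at before moving to the next migration step.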

Forest and domain functional levels only show "Windows Server" available (from Windows Server 2012 R2)

I recently migrated our DCs from Server 2008 R2 to Server 2016. We now have four Server 2016 DCs and no others. When I went to raise the domain and forest functional levels from Server 2008 R2, I saw "Windows Server 2012/R2" and "Windows Server" as options. I raised both to "Windows Server 2012 R2" successfully. I wasn't sure whether "Windows Server" is supposed to represent Server 2016 or not. Now that both the domain and forest functional levels are at "Windows Server 2012 R2", "Windows Server" is still there as an option. As I mentioned, I'm guessing it represents "Windows Server 2016", but I just wanted to get some feedback to make sure. There are some features from AD 2016 that I'm interested in, so I definitely want to be at the highest functional level I can be. Thanks in advance.

Über Random

Group Managed Service Accounts


Hi All,

A few questions regarding gMSAs. I've created the KDS Root Key and the AD schema was already at Server 2016 level (the DC is on a Windows 2012 server). But checking AD, I do not have a Managed Service Accounts container; is this something that is created automatically, or should I add it via ADSIEdit?

Also, running the command below always asks me to specify a location to create it in. If I create the account in any container other than the Managed Service Accounts container, does that create an issue, or is it OK?

New-ADServiceAccount -name $serviceaccountname -DNSHostName <dns-host-name> -PrincipalsAllowedToRetrieveManagedPassword <group>

I've added a -Path parameter to the command, but didn't want to run it just in case the accounts need to be in the specified folder.

Thanks in advance
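A gMSA can be created in any OU or container; -Path only chooses the parent, and CN=Managed Service Accounts is merely the default location. What the account does depend on is a KDS root key whose EffectiveTime has passed (Add-KdsRootKey sets it 10 hours ahead by default so the key can replicate to every DC first). The script below is an added example, not the poster's command: it checks those prerequisites and wraps New-ADServiceAccount with an explicit -Path and -WhatIf support. All names in the usage line are placeholders.

```powershell
# Added example (not the poster's command). Names in the usage line are placeholders.
Import-Module ActiveDirectory

function Test-GmsaPrerequisites {
    $domain = Get-ADDomain
    $defaultContainer = "CN=Managed Service Accounts,$($domain.DistinguishedName)"
    $containerObject  = Get-ADObject -Identity $defaultContainer -ErrorAction SilentlyContinue

    # A root key is only usable once its EffectiveTime has passed.
    $keys       = @(Get-KdsRootKey)
    $usableKeys = @($keys | Where-Object { $_.EffectiveTime -le (Get-Date) })

    [pscustomobject]@{
        DomainMode              = $domain.DomainMode
        DefaultContainer        = $defaultContainer
        DefaultContainerExists  = [bool]$containerObject
        KdsRootKeys             = $keys.Count
        KdsRootKeysEffectiveNow = $usableKeys.Count
    }
}

function New-Gmsa {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$DnsHostName,
        [Parameter(Mandatory)][string]$AllowedPrincipal,   # group whose members may retrieve the password
        [string]$Path                                       # any OU/container; defaults to the MSA container
    )
    $state = Test-GmsaPrerequisites
    if ($state.KdsRootKeysEffectiveNow -eq 0) {
        throw 'No KDS root key is effective yet; wait for EffectiveTime to pass or add one.'
    }
    if (-not $Path) { $Path = $state.DefaultContainer }
    if ($PSCmdlet.ShouldProcess("$Name in $Path", 'New-ADServiceAccount')) {
        New-ADServiceAccount -Name $Name -DNSHostName $DnsHostName `
            -PrincipalsAllowedToRetrieveManagedPassword $AllowedPrincipal -Path $Path -PassThru
    }
}

Test-GmsaPrerequisites
New-Gmsa -Name gmsa-app01 -DnsHostName app01.corp.example -AllowedPrincipal 'gMSA-App01-Hosts' `
    -Path 'OU=Service Accounts,DC=corp,DC=example' -WhatIf
```

Once the account exists, the host named in -DnsHostName (a member of the allowed group) runs Install-ADServiceAccount and then Test-ADServiceAccount, which returns True only if it can actually retrieve the managed password; that is the check that proves the group membership and the key are both in order.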

CA migration from Windows 2008 to Windows 2012


I am planning to migrate a Root Enterprise CA from Windows 2008 to Windows 2012 R2. This root certsrv is issuing the certificates to servers and computers. The CDP/CRL and AIA settings stay as default. I read a few KB articles about migration: basically back up the CA and registry and restore them on the new server. I do not find any information about the CDP/CRL contents etc. during the migration.

Are they being moved with the database backup?

 

CA migration from Windows 2008 to Windows 2012


We are planning to migrate a Windows 2008 R2 root CA to Windows 2012. We have a basic configuration in which the CDP and AIA point to the default location. The migration procedure is basically backup and restore, as per some articles.

How are the contents of the CDP and AIA moved? Does the database backup contain the CDP and AIA?
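Both CA-migration posts ask the same thing, so one answer in code: certutil -backup captures the database and the CA certificate with its key, but not the CDP/AIA configuration, which lives in the CertSvc registry hive as CRLPublicationURLs and CACertPublicationURLs, and not the published CRL and CA-certificate files themselves, which the restored CA regenerates. The script below is an added example (not from either post) that collects all three pieces from the old server, plus readable copies of the URL lists to diff after the restore. $BackupDir is an assumption.

```powershell
# Added example (not from either post). $BackupDir is an assumption.
function Backup-CAForMigration {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$BackupDir,
        [Parameter(Mandatory)][SecureString]$KeyPassword   # protects the exported CA key (PKCS#12)
    )
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

    # certutil takes the password on the command line; keep the plaintext for the call only.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($KeyPassword)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        # 1. Database (DataBase\) and CA certificate + private key (<CA name>.p12).
        certutil -p $plain -backup $BackupDir
    }
    finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        Remove-Variable plain -ErrorAction SilentlyContinue
    }

    # 2. CertSvc configuration, including CRLPublicationURLs (CDP) and CACertPublicationURLs (AIA).
    #    This is NOT part of certutil -backup and is imported separately on the new server.
    reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' "$BackupDir\CertSvc-Configuration.reg" /y

    # 3. Readable copies for a before/after comparison of the URL lists and templates.
    certutil -getreg CA\CRLPublicationURLs    | Out-File "$BackupDir\CDP-before.txt"
    certutil -getreg CA\CACertPublicationURLs | Out-File "$BackupDir\AIA-before.txt"
    certutil -catemplates                     | Out-File "$BackupDir\Templates-before.txt"   # enterprise CA only
    certutil -ca.cert "$BackupDir\ca-cert.cer" | Out-Null

    Get-ChildItem -Path $BackupDir -Recurse | Select-Object FullName, Length
}

Backup-CAForMigration -BackupDir 'D:\CABackup' -KeyPassword (Read-Host -AsSecureString 'Backup key password')
```

After restoring on the new server, run the same two certutil -getreg commands and compare them with the "before" files, then publish a fresh CRL with certutil -crl so the CDP locations are populated again. The default URL templates embed the server's DNS name, so if the new host is not given the old name, certificates already issued still point at the old CDP/AIA locations and those must remain reachable until they expire.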


