

Active Directory





Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.


Dear Community,

We are using Exchange on-premises in the root domain and in child domains. In the root domain we have migrated from Exchange 2010 to Exchange 2013,

while in the child domains we have Exchange 2010 SP3. Because of our organization structure, users get transferred to different geographical locations, resulting in mailbox migrations quite often.

Issue: Recently a user from our child domain (abc.root.com) was migrated to the root domain (root.com); in other words, a user from Exchange 2010 was migrated to Exchange 2013 with their Active Directory account and Exchange mailbox.

The migrated user (alpha@root.com) can send/receive emails without any issue, but when an email is sent to a distribution group, the migrated user (alpha@root.com) cannot receive the email.

I have checked the affected user's (alpha@root.com) Outlook rules but no luck. Please suggest what else can be checked at the Active Directory level or Exchange level. Thanks.

Hi all,

We utilize Exchange 2013 and are trying to set up an iPad as a replacement for a laptop in the field. However, the one hurdle we are facing is how the user can reset their password when it expires through an iPad. We do not want them locked out when they are on the road and only have the iPad.

We have 4 Windows 2008 R2 domain controllers (DCs), 2 at each site, connected via firewalls. Can anyone tell us why they are trying to communicate over TCP ports 45003-45007? The main service failing is lsass.exe. We cannot find any documentation from Microsoft stating that Active Directory should be using this port range. For compliance reasons we cannot open these ports without backing documentation. Can anyone help explain why all 4 of our DCs are using these ports (45003-45007)?

Please, I have the following code and it works fine:

' Output CSV is written next to the script: <scriptname>.csv
strOutputFile = Left(WScript.ScriptFullName, Len(WScript.ScriptFullName) - 4) & ".csv"
Set objFSO = CreateObject("Scripting.FileSystemObject")
' Input line format: "<OU distinguished name>","<domain controller>"
strLine = """ou=Accounts,ou=Sales,ou=USA,dc=Dom,dc=local"",""DC1Serv.dom.local"""
If InStr(1, strLine, "DC=", vbTextCompare) > 0 And InStr(1, strLine, """,""", vbTextCompare) > 0 Then
    ' Search entire Active Directory domain.
    Set objRootDSE = GetObject("LDAP://RootDSE")
    arrBits = Split(strLine, """,""")
    strOU = Mid(arrBits(0), 2)                          ' strip the leading quote
    strDC = Left(arrBits(1), Len(arrBits(1)) - 1)       ' strip the trailing quote
    strBase = "<LDAP://" & strDC & "/" & strOU & ">"    ' search base for the LDAP query

I want to add another OU, to export the information from two OUs of the same domain.


Please can you update the script to export the information from two OUs?

Thanks for your help.

Best regards,
I have 2 DCs running Windows 2008 32-bit, also running DNS and DHCP, with a domain functional level of Windows Server 2008.
I want to introduce a Windows Server 2012 as a DC and transfer the FSMO roles, but I still want to keep running DNS and DHCP on the old 2008 32-bit servers. Any recommendation as to what steps I should take, and should I also move DNS and DHCP to the new server?
Hi Experts,

I have an environment which has a single DC (2008 R2). Domain and forest functional levels were 2003 but were updated to 2008. I have added a 2016 server to the domain, but when trying to promote it I run into errors. Also, when trying to run adprep on the 2008 R2 DC from the Windows 2016 CD, I get the error below; this is the adprep log file. Has anyone seen this before, and is there a solution?

Adprep created the log file 'C:\Windows\debug\adprep\logs\20180116131718\ADPrep.log'
Adprep successfully initialized global variables.
Adprep is continuing.
Adprep discovered the schema FSMO: SERVER.DOMAIN.COM.
Adprep connected to the schema FSMO: SERVER.DOMAIN.COM.
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
LDAP API ldap_search_s() finished, return code is 0x0
Adprep successfully retrieved information from the Active Directory Domain Services.
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=DOMAIN,DC=com.
LDAP API ldap_search_s finished, return code is 0x0
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
Anyway, I am trying to block the Default Domain Policy from the Server OU so that the Configure Automatic Updates setting, which is part of the Default Domain Policy, is disabled. I am not sure which of these 2 options will be the best way to do this:
1.       Block the Default Domain Policy from the Server OU, create a new Server Default Domain Policy with Configure Automatic Updates disabled, and re-apply all the other domain-level GPOs directly to the Server OU
2.      Create a server security group, put all the servers in the group, and then block the Default Domain Policy

I would greatly appreciate your assistance with this matter
When installing Windows 10, you can join the computer to Azure AD with the built-in functionality.
Is it possible to apply GPOs to these computers without having to use Intune or an on-premises AD domain controller?
What about an Azure AD connected to AAD... can that handle GPOs for these computers?
Or do the AD and the computers have to be local?
I am new here and wanted to give this a try :)

I changed a customer's domain name a couple of months ago. Everything seems to have worked, but now I was going to add a Group Policy, and when I open the GPMC I get a message that "The specified domain controller could not be contacted". The domain name shown is the old one, and there is no way to change to the new domain name. Where should I start?

Best Regards

We have a job that runs every night on our Active Directory to create contacts without enabling them as Exchange contacts.

So I need a script I can use with a scheduled task to go into a specific OU (including all sub-OUs) and enable the Exchange contact for all contacts.

thanks for help
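One way to do this from a scheduled task, as an added example rather than the poster's own job or any Microsoft sample: mail-enable every plain contact beneath an OU. It assumes the Exchange 2010 management tools are installed on the host where the task runs, that each contact already carries its SMTP address in the AD mail attribute (surfaced by Get-Contact as WindowsEmailAddress), and that the OU distinguished name and log path below are placeholders to be replaced.

```powershell
# Added example: mail-enable every plain AD contact beneath an OU (subtree), for use from a scheduled task.
# Assumes the Exchange 2010 management tools are installed; the OU DN and log path are assumptions.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction Stop

$OU  = 'OU=External,OU=Contacts,DC=contoso,DC=com'   # assumption: root OU; -OrganizationalUnit includes child OUs
$Log = 'C:\Scripts\Logs\Enable-MailContact.log'        # assumption: where the task records what it did

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Add-Content -Path $Log
}

# Get-Contact returns mail-enabled and plain contacts alike; RecipientType tells them apart.
$pending = @(Get-Contact -OrganizationalUnit $OU -ResultSize Unlimited |
    Where-Object { $_.RecipientType -eq 'Contact' })

Write-Log "Found $($pending.Count) contact(s) to mail-enable under $OU"

foreach ($c in $pending) {
    $smtp = [string]$c.WindowsEmailAddress        # the AD 'mail' attribute
    if (-not $smtp) {
        Write-Log "SKIP $($c.DistinguishedName): no mail attribute, nothing to route to"
        continue
    }
    try {
        # ExternalEmailAddress is mandatory: it becomes the targetAddress Exchange routes mail to
        Enable-MailContact -Identity $c.DistinguishedName -ExternalEmailAddress $smtp -ErrorAction Stop | Out-Null
        Write-Log "OK   $($c.DistinguishedName) -> $smtp"
    } catch {
        Write-Log "FAIL $($c.DistinguishedName): $($_.Exception.Message)"
    }
}
```

Run it from the task as `powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\Scripts\Enable-MailContact.ps1` under a dedicated service account that holds only the Recipient Management role group: a credential stored in a scheduled task is a standing target, so it should not carry Organization Management or Domain Admins rights it does not need.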

For security reasons I don't want internet access on my domain controllers. I need help finding the best practices to disable internet access on domain controllers.

Does PTA simply round-robin between each PTA agent? If PTA does not do deterministic load balancing, then what does it do?

I found an old domain controller that no longer exists on our network via the attached "Active Directory Sites and Services".

Can I simply right click on the object (SRV-GC2) and delete it ?
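Before deleting anything it is worth confirming that the server object really is orphaned. The script below is an added example (not from the post): it walks the Sites container and lists server objects that are not backed by a domain controller the domain currently knows about, and whether each still has an NTDS Settings child. It assumes the RSAT ActiveDirectory module and a single-domain forest; in a multi-domain forest, run Get-ADDomainController against each domain and merge the lists.

```powershell
# Added example: find server objects under CN=Sites that no live DC accounts for.
# Assumes the RSAT ActiveDirectory module and a single-domain forest.
Import-Module ActiveDirectory

$config = (Get-ADRootDSE).configurationNamingContext
$live   = (Get-ADDomainController -Filter *).Name    # DCs the domain currently advertises

Get-ADObject -SearchBase "CN=Sites,$config" -SearchScope Subtree -LDAPFilter '(objectClass=server)' -Properties dNSHostName |
    ForEach-Object {
        # An nTDSDSA child ("NTDS Settings") means the object is still registered as a replication partner
        $ntds = Get-ADObject -SearchBase $_.DistinguishedName -SearchScope OneLevel -LDAPFilter '(objectClass=nTDSDSA)'
        # DN shape: CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
        $site = (($_.DistinguishedName -split ',')[2]) -replace '^CN=', ''
        [pscustomobject]@{
            Server          = $_.Name
            Site            = $site
            DnsHostName     = $_.dNSHostName
            HasNtdsSettings = [bool]$ntds
            KnownLiveDC     = ($live -contains $_.Name)
        }
    } |
    Where-Object { -not $_.KnownLiveDC } |
    Format-Table -AutoSize
```

If the NTDS Settings child is still present, deleting the server object in Sites and Services on Server 2008 or later performs the same metadata cleanup that ntdsutil does. One caveat a practitioner should weigh first: if that DC's hardware left the network without being demoted, its copy of the directory (including password hashes) is outside your control, so treat it as a lost DC rather than merely a stale object.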

There are two users in the organization.
One user has Windows 10 and Office 365; he cannot open his Outlook 2016. He is getting this error: "your mailbox has been temporarily moved...." (pic 1). I deleted the profile and added another one; it seems to work, but when I close Outlook and go back in, it gives the same error. I also repaired Office 2016. Still no luck. Any ideas?
The second user has Windows 10 and Office 2016; he also had the same error above, and when I deleted his profile and added another one, I get this error while setting up his mailbox: "log onto exchange activesync mail server ....... cannot be found" (pic 2). I cannot set up his mailbox again.
Any ideas as to how to resolve this issue?
We host our Exchange Server 2010.
Dear experts,
When I run this command and at least 2 mailboxes are found, the result is an array:

$ArrSMList = get-mailbox | Get-MailboxPermission -user $strUser | ?  {($_.AccessRights -match "FullAccess") -and -not ($_.User -like "NT AUTHORITY\SELF")} | Get-user | Select DisplayName,SamaccountName,Identity

I can ask for $arrSMList.Count, or even ($I = 0 to .Count)
Write-Host "$ArrSMList[$I]" + $ArrSMList[$I].DisplayName

BUT when only ONE is found, NO WAY: I can't access .Count because this is not an array...

I would like to have an array returned EVEN IF only 1 is found.
How can I transform this to an array if ONLY ONE is found?
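The idiom for this is the array subexpression operator, @( ). The block below is an added example (not the poster's command): it wraps the same pipeline so that zero, one or many results are always an array, and fixes the string expansion in the Write-Host line. It assumes the Exchange shell is loaded and that $strUser names the trustee being audited.

```powershell
# Added example: force an array result so .Count and indexing behave for 0, 1 or many objects.
# Assumes the Exchange shell is loaded; $strUser is an assumption standing in for the real trustee.
$strUser = 'CONTOSO\jdoe'    # assumption: the account whose FullAccess grants are being listed

# @( ) always yields an array: $null -> @(), one object -> @(obj), many -> unchanged
$ArrSMList = @(
    Get-Mailbox -ResultSize Unlimited |
        Get-MailboxPermission -User $strUser |
        Where-Object { ($_.AccessRights -match 'FullAccess') -and ($_.User -notlike 'NT AUTHORITY\SELF') } |
        Get-User |
        Select-Object DisplayName, SamAccountName, Identity
)

Write-Host "$strUser has FullAccess on $($ArrSMList.Count) mailbox(es)"

for ($i = 0; $i -lt $ArrSMList.Count; $i++) {
    # $( ) expands the property inside the string; "$ArrSMList[$i]" would print the whole array followed by a literal "[0]"
    Write-Host "[$i] $($ArrSMList[$i].DisplayName) ($($ArrSMList[$i].SamAccountName))"
}
```

On PowerShell 3.0 and later a single object also answers .Count with 1, but the Exchange 2010 management shell runs on PowerShell 2.0, so @( ) is the portable fix. Listing FullAccess grants per trustee like this is also a query worth scheduling: FullAccess delegations are a quiet way for one account to read another user's mail, and they tend to outlive the reason they were granted.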

I have the following issue: I updated a machine running three servers (PDC, BDC and RDS) from VMware 5.5 to 6.5. The update went okay; I updated VMware Tools. The network uses VMXNET3, so VMware Tools updated the driver. After booting I needed to configure the network cards again (the IP address was gone, as were the DNS settings, gateway etc.). I rebooted and everything seemed fine. But since then clients have had issues where connecting to a share (shared through Group Policy) works, but after some time the system returns an error that the share is inaccessible because of failed authentication. I also use roaming profile settings, so the whole client gives errors (desktop, settings etc. all become unavailable). When logging in, the shares are always correctly mapped. One exception being: I map the home directory through AD settings (user > profile) directly. This mapping doesn't work, without any clear error.

I checked a lot of things; a lot of errors seemed to relate to Group Policy, so I reset the complete set, made several authoritative restores, disconnected the client from the domain, deleted local policy and added it to the domain again. Nothing helps structurally. So I'm hoping somebody can help point to the one thing I'm missing in this case.
I am switching to a new Windows domain and have a few remote employees who refuse to drive to the office, therefore I cannot switch them right now.

How can I remove a computer from a domain without needing the "Domain Admin" or "Local Admin" login when doing step #3 below, since
 1. I will no longer have the domain by the time the remote employee is onsite,
 2. the employee will not let me VPN/etc. to their laptop since it is not on, and
 3. I do not remember what CACHED "Domain Admin" or "Local Admin" users might be on a really OLD machine, therefore I cannot rely on an old CACHED account?


 1. login to "Domain" controlled laptop that is not on my domain
 2. change to "WorkGroup"
 3. get prompted for "Domain Admin" or "Local Admin" login
 4. enter login
 5. reboot
 6. change works
I have two nodes and am creating a failover cluster; however, while adding nodes I got an error stating "you do not have administrator privileges to the server “another node name out of two”".

Below are the steps performed by me.
1. Created a domain user account, a member of Domain Admins, and also added the same account to both nodes' local Administrators group.
2. On the AD front, gave read-only and create-object permissions to the same account on the container where the computer accounts reside.
3. Logged in with the same account on both nodes.
4. On both nodes, checked in Services that Remote Registry and the Server service are running.
5. Also checked that the firewall is off on both nodes.
6. At last, removed the nodes from the domain and rejoined, but no luck.

Could anyone please help me with this?
We are running an Exchange upgrade project (Exchange 2007 to Exchange 2012), 1000 users in 4 different countries, single domain, single forest.
I need assistance to find out whose account in AD is not inheriting permissions from the parent, so it would be good to find out the permissions of accounts with inheritance enabled vs. inheritance disabled, to work out whether the differences have any impact in our environment. So I guess a PowerShell script can report/output this kind of information?
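A PowerShell script can report exactly that from the object's security descriptor. The block below is an added example (not from the post): it lists every user account's inheritance state, notes whether AdminSDHolder (adminCount=1) explains a disabled inheritance, and records the explicit (non-inherited) ACEs so the differences from the parent can be compared. It assumes the RSAT ActiveDirectory module; the search base and output path are assumptions.

```powershell
# Added example: report AD user accounts whose ACL inheritance is disabled, and why.
# Assumes the RSAT ActiveDirectory module; search base and output path are assumptions.
Import-Module ActiveDirectory

$SearchBase = 'DC=contoso,DC=com'                  # assumption: your domain
$Report     = 'C:\Temp\AD-InheritanceReport.csv'    # assumption: output file

$results = Get-ADUser -Filter * -SearchBase $SearchBase -Properties adminCount, nTSecurityDescriptor |
    ForEach-Object {
        $sd        = $_.nTSecurityDescriptor            # System.DirectoryServices.ActiveDirectorySecurity
        $protected = $sd.AreAccessRulesProtected         # $true = inheritance disabled on this object
        $isAdmin   = ($_.adminCount -eq 1)

        # Explicit ACEs (not inherited): these are the rules that make this account differ from its parent
        $explicit = $sd.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
            ForEach-Object { "$($_.IdentityReference):$($_.ActiveDirectoryRights)" }

        $note = if ($protected -and $isAdmin) { 'Expected: protected by AdminSDHolder/SDProp' }
                elseif ($protected)          { 'Inheritance off without adminCount: review' }
                elseif ($isAdmin)            { 'adminCount=1 but inheriting: stale adminCount?' }
                else                         { 'OK' }

        [pscustomobject]@{
            SamAccountName      = $_.SamAccountName
            DistinguishedName   = $_.DistinguishedName
            InheritanceDisabled = $protected
            AdminCount          = $_.adminCount
            ExplicitAces        = ($explicit -join '; ')
            Note                = $note
        }
    }

$results | Export-Csv -Path $Report -NoTypeInformation
$results | Group-Object Note | Select-Object Name, Count
```

Two things to keep in mind when reading the report. Accounts stamped by SDProp (adminCount=1, members of protected groups) will have inheritance switched off again within the hour if you re-enable it, so they are not a fixable finding, while accounts with inheritance off and no adminCount are the ones to examine. For an Exchange project specifically, accounts that block inheritance do not pick up ACEs that Exchange setup writes at the domain root, which is usually what surfaces as permission errors for a handful of users later on.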



Hi Experts!!!!!
I have 100 Apple laptops; I need to manage the laptops using Active Directory Group Policy. Is this possible??

We have a Windows 2016 Server Core RODC in our DMZ. The RODC is restricted as to which DC it can replicate with. Replication is working between the R/W DC and the RODC. The event logs on the DC are flooded with KCC errors, some of which are for sites the RODC does not have access to. We have a manual connection defined, but is there any way to stop these warning messages, like

Event ID 2847 or 2904
Hi All,

I recently had to rebuild a Windows Server 2k12R2 Server. Current Set-Up

2 x Windows Server 2k12R2

DC01 has all the FSMO roles
DC02 (before rebuild) - kicked it off the domain, demoted the server
DC02 (rebuilt) - I gave it the same name and IP address as the one that I demoted.

  • I'm unable to replicate; when I run repadmin /syncall, it says that the RPC server is unavailable
  • I am able to ping the rebuilt DC02 by IP
  • I have attached a screenshot of dcdiag
  • It says no host record, but when I check the DNS Manager on DC01 and DC02, I do see it
Looking for a simple way to set up a resource calendar where only a certain group of users require approval, but the rest do not. I don't want to split the company into 2 separate groups; I know that would solve it, but then I would have to continuously update the group that represents 'everyone else'.

We have a Windows SBS 2011 server. We never used the built-in Exchange, but it appears that our Outlook 2013 on the Windows 7 desktops has an OST file set up, as well as the old external POP3 email we used with a small ISP.
We are switching to Office 365 shared Exchange and getting rid of the POP3 email. We have set up the users in the Office 365 admin portal, exported the Outlook PST files on the individual users' Outlook 2013 desktops, uninstalled Office 2013 from the desktops, and downloaded and installed Office 2016 from the Microsoft Office 365 portal. When starting Outlook 2016 on the desktop, it tries to connect to the OST file we never used on the SBS server and also the old POP3 email. Do we need to delete the user's Outlook profile and create a new one? How do we do that, and will it cause a problem with the users' internal network login? Will the Windows SBS server try to force internal use of the Exchange built into it?
Do we need to actually remove the user from Active Directory in the Windows SBS console, or can we just delete the Outlook profile? As I understand it, things need to be done in the SBS console or it may affect the whole server and network.
Hello experts,

I want to delegate access (for a group) to an attribute called userprincipalname, but this attribute does not show in the Delegation of Control wizard in ADUC. How would I delegate/grant access?

Your assistance is appreciated.
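The Delegation of Control wizard in ADUC only offers a subset of attributes, but the permission itself is an ordinary write-property ACE keyed on the attribute's schema GUID, and it can be granted with dsacls or from PowerShell. The block below is an added example (not from the post, and not Microsoft's own code) that grants a group Write Property on userPrincipalName for user objects beneath one OU and then reads the ACL back to verify; the group name, OU and domain are assumptions.

```powershell
# Added example: grant a group Write Property on userPrincipalName for user objects under an OU.
# Assumes the RSAT ActiveDirectory module (it provides the AD: drive). OU, group and domain names are assumptions.
# Equivalent one-liner with the built-in tool:
#   dsacls "OU=Staff,DC=contoso,DC=com" /I:S /G "CONTOSO\UPN-Editors:WP;userPrincipalName;user"
Import-Module ActiveDirectory

$OU    = 'OU=Staff,DC=contoso,DC=com'     # assumption: scope of the delegation
$Group = 'UPN-Editors'                    # assumption: group receiving the right

# The ACE is scoped by two schema GUIDs: the attribute being written and the object class it applies to
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
$upnGuid  = Get-SchemaGuid 'userPrincipalName'
$userGuid = Get-SchemaGuid 'user'

$sid  = [System.Security.Principal.SecurityIdentifier](Get-ADGroup $Group).SID
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $upnGuid,                                                          # only this attribute
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid                                                          # only on user objects below the OU
)

$acl = Get-Acl -Path "AD:\$OU"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$OU" -AclObject $acl

# Verify: expect one WriteProperty ACE whose ObjectType is the userPrincipalName GUID
(Get-Acl -Path "AD:\$OU").Access |
    Where-Object { $_.ObjectType -eq $upnGuid -and $_.IdentityReference -like "*\$Group" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, IsInherited
```

One caveat before granting this: the UPN is a logon name, and it is also what AD FS and Azure AD typically match identities on, so whoever can write it on other accounts can create collisions or make one account answer to another's identity. Keep the delegation scoped to the one OU that needs it, keep the group small, and turn on Audit Directory Service Changes with a SACL on that OU so every change shows up as event 5136 with the old and new values.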

