Active Directory





Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.


I have one PDC, a Server 2008 R2 (D2R03Q02) holding all FSMO roles, and a second PDC, a Server 2012 R2 (PowerT130), which has not been replicating for more than a month.

On PDC1 the command repadmin /showrepl shows no errors.
On PDC2 the command repadmin /showrepl contains several errors.

The netdom query FSMO command shows all roles on PDC D2R03Q02.

Connectivity: I can ping both servers.

If I try to transfer the FSMO roles to the second PDC PowerT130 I get the error: The current Operations master is offline. The role cannot be transferred.
But the PDC D2R03Q02 is up and running and I can ping it from the second PDC.

Dcdiag shows many errors and warnings on both PDCs.

Errors related to LDAP, for example

or warnings like:

Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355

Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed,
error 1355
A Good Time Server could not be located.

I attached the complete Dcdiag report dcdia.txt.

The DNSLint command looks good:

DNSLint Report

System Date: Fri Jul 20 23:42:26 2018

Command run:

dnslint /ad /s /v

 Root of Active Directory Forest:

Active Directory Forest Replication GUIDs Found:
DC: D2R03Q02
GUID: 1a3677e0-7a77-413b-b70d-f0ede03ff7af
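As an added example (not part of the original post, and not output from the poster's servers), this is the PowerShell check a practitioner would run next on PowerT130: confirm that the PDC can actually be located through DNS and the DC locator, then pull the replication failures and per-partition last-attempt status from the directory itself. The domain name corp.example is an assumption; the DC names are the ones given in the post.

```powershell
# Added example; not from the original post. Run in an elevated PowerShell on PowerT130.
# Assumption: the AD DNS domain is corp.example (substitute yours); the DC names are from the post.
Import-Module ActiveDirectory

$domain = 'corp.example'
$dcs    = 'D2R03Q02', 'PowerT130'

# 1. Which DNS servers does this DC query, and do they return the PDC SRV record?
#    DsGetDcName(...) error 1355 is ERROR_NO_SUCH_DOMAIN: the locator could not resolve the
#    domain's records, which is usually a DNS problem rather than the PDC really being down.
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses |
    Select-Object InterfaceAlias, ServerAddresses
$srv = Resolve-DnsName -Name "_ldap._tcp.pdc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object Type -eq 'SRV'
if ($srv) { $srv | Select-Object Name, NameTarget, Port }
else      { Write-Warning "No PDC SRV record for $domain; check the _msdcs zone and this DC's DNS client settings" }

# 2. Ask the DC locator directly, the same call dcdiag makes.
nltest /dsgetdc:$domain /pdc

# 3. Role holders as recorded in the directory (compare with netdom query fsmo).
Get-ADDomain -Server $dcs[0] | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# 4. Replication failures and per-partition last attempt/success for both DCs.
foreach ($dc in $dcs) {
    Get-ADReplicationFailure -Target $dc -ErrorAction SilentlyContinue |
        Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError
    Get-ADReplicationPartnerMetadata -Target $dc -Partition * -ErrorAction SilentlyContinue |
        Select-Object Server, Partner, Partition, LastReplicationAttempt, LastReplicationSuccess, LastReplicationResult
}
```

If step 1 returns no SRV record, the locator warnings in dcdiag fail for that reason, and a role transfer fails too, because the transfer must first locate and bind to the current role holder. Fix the DNS zone contents and the DNS servers each DC points to before considering a seize.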


I tried to force a replication between replication partners using Sites and Services, logged in as a domain admin, because an account that had been created earlier had not replicated. I see event ID 4 under the System event log. We are running Server 2008 R2. All DCs are in the same domain but are in different locations. I attached the error.
I have a PowerShell script that queries users' password expiration within AD and emails the user that their password is going to expire. The script looks at the email field on the user object to determine where to send it. We're using Azure AD Connect and syncing with O365, and all is working well for my user accounts. My issue is with admin accounts in AD. I'd like to email the admins too. However, their email address is already taken by their user account, so I receive export errors from O365 back to AD if I populate the admin's email field with their user email address. I tried to use a distribution list for the admin email field, but this doesn't seem to work either. Does anyone know of a way to get this to work without having to assign an O365 license to the admin account?
I have two 2012 domain controllers (Prometheus and Chronos), and both the domain and functional levels are at Windows Server 2003. We migrated from a Windows 2000 to a 2003 domain many years ago. Everything has been working fine; we have not seen any errors with AD or replication, and we have not experienced any DNS or communication issues with our on-prem Exchange 2010 server.

All of our computers are Windows 10 Pro Computers.

So, I decided to look at Active Directory Sites and Services and discovered that a DC (Nemesis) is still listed under Servers but should not be there. I believe it was a former DC and was properly demoted many years back.

Nemesis - Sites and Services
So, I am not sure whether I should simply delete it. I do not want to start having AD issues.

So, I also decided to check DNS. As you can see below, within the forward lookup zones (_msdcs.ch13.local and ch13.local) Nemesis appears as a name server. The ch13.local\_msdcs zone showing only this server (Nemesis), and not the other servers (Prometheus or Chronos), does not appear to be correct.

DNS View
So, I don't know whether I need to delete the "Nemesis" server within Sites and Services and also the entries within DNS. I am not sure whether doing so will actually cause damage rather than help. Remember, AD and DNS have been working fine with no issues/errors for many years.

Below I added the output for Repadmin /Showrepl and DCDiag with details including DNs.



I am applying group policy to Windows 10 users. I applied a policy to map a shared drive at user logon via Preferences, but it is not working and does not even show in the GP result, while the same script and policy works under Computer Configuration. May I know what the issue could be?

I need to pull some information from AD using powershell.

I need

fName, lName, fullName, emailAddress, IPphone number, OU

Does anyone have a script I can borrow that will pull that into a CSV file?
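As an added example (not the poster's script and not an answer from the thread), the export described above written with the ActiveDirectory module. The output path C:\Temp\ad-users.csv and the restriction to enabled accounts are assumptions; the column names are the ones listed in the question, and the OU column is derived from the distinguished name because AD has no OU attribute on the user object.

```powershell
# Added example; not from the original post. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Assumptions: write to C:\Temp\ad-users.csv and export only enabled accounts.
$outFile = 'C:\Temp\ad-users.csv'

# ipPhone is not in Get-ADUser's default property set, so it must be requested explicitly.
# The OU is the DN with its leading "CN=..." component removed; the regex split ignores
# escaped commas (e.g. "CN=Smith\, John") so names containing commas do not break it.
Get-ADUser -Filter 'Enabled -eq $true' -Properties GivenName, Surname, DisplayName, EmailAddress, ipPhone, DistinguishedName |
    Select-Object @{n='fName';        e={$_.GivenName}},
                  @{n='lName';        e={$_.Surname}},
                  @{n='fullName';     e={$_.DisplayName}},
                  @{n='emailAddress'; e={$_.EmailAddress}},
                  @{n='IPphone';      e={$_.ipPhone}},
                  @{n='OU';           e={($_.DistinguishedName -split '(?<!\\),', 2)[1]}} |
    Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8
```

Scope the query with -SearchBase and -SearchScope if only part of the directory is wanted; -Filter * would also return disabled and service accounts, which is usually not what a report like this is for.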

I performed a migration of AD FS from a 2.0 to a 2016 system, both using WID. I performed a side-by-side install, exported the config from the old one and imported it into the new one. The federation farm name is the same for both, and my cutover was a success.

I want to decommission the old 2.0 system, but because of my process they share the same farm GUID in AD, so I cannot clean up as articles suggest. I am hesitant to uninstall the product and the WID database only because I am not sure if it will talk to AD, and I can't risk the 2016 system having an issue.

My thought was simply to remove the servers from the domain and shut them down. I know it is not the clean way, but it seems the safest way. Anyone have any other suggestions? Thanks.
Hi Experts,

Have a question on Outlook 2016 - I'm running in cached mode and have a question about the slider for "Mail to keep offline"

When I set the bar to 1 year, for example, the message that is displayed at the end of that one year, "Click here to view more on Microsoft Exchange", is removed. When I take it out of cached mode and set the slider, the message appears.

Is this default behavior? Is there any way to get this message to appear while in cached mode?

We have set up WPAD for proxy settings for our internal and external users. I need to know how to deploy the URL to all users for the section on each laptop under Proxy, Automatically detect settings, then Script address. So the address that needs to be there is like

We are going to increase our GPO password policy from 7 characters to 8. I'm wondering if this will force users to change their password straight away?

Computer Configuration (Enabled)
  Windows Settings
    Security Settings
      Account Policies/Password Policy

        Policy                                      Setting
        Enforce password history                    5 passwords remembered
        Maximum password age                        30 days
        Minimum password age                        0 days
        Minimum password length                     7 characters
        Password must meet complexity requirements  Enabled


Hi Experts,
What is the best way to allow domain users to install software on a domain computer?
Please help with this.
I'm using Windows Server 2016.
We are about to go to production. Before going, I need to know about this, since the software engineers need to install a lot of R&D software, so the IT admin cannot install the software every time. In order to get rid of this type of situation I need an answer for this.
It would be great if anyone can help me with this.
Hi All,

Got a weird one with group policy. We have a client who has a couple of folder redirection policies set up, and even though they are set identically to each other, the redirection path is different, and we cannot see why it would be doing this. Any ideas?

AD Connect - Re-install Question

Hi All,

Just wondering if anyone has any experience with re-installing AD Connect. It was installed quite a while ago, and some of the options that are in the install now were not, as far as I am aware, available when it was first installed.

The option we need, '(User Identities Exist Across Multiple Directories) - ObjectSID and msExchMasterAccountSID', cannot be changed retrospectively from what I can tell.

Therefore I believe a reinstall is our only option to get this option selected.

I'm just wondering if I can simply install this over the top of the existing install?

I noticed there is a SQL database, and I have read about the option to 'use existing database - install mode'; however, this looks like it defaults to express mode, which is no good for us as I need to select these advanced features.

Any help would be greatly appreciated.

On our ADFS 3.0 server our global SSOLifetime is set to 480 minutes and our test relying party trust is set to 15. At the global level I do see that persistence is enabled with a lifetime of 10,080 minutes. Our test relying party is not prompting users each time they access it. Is this because persistence is enabled or because our SSO lifetime is set to 480 minutes?
I am displaying users and file system rights in a list box using C#. It's a desktop application. My current code looks like this:
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

private void GetFileUsers(string filename)
{
    // Read the file's DACL; include explicit and inherited rules, resolved to DOMAIN\name form.
    FileSecurity security = File.GetAccessControl(filename);
    AuthorizationRuleCollection acl = security.GetAccessRules(true, true, typeof(NTAccount));

    foreach (FileSystemAccessRule ace in acl)
    {
        string ruleValue = ace.IdentityReference.Value;
        lstSelectedFilePerms.Items.Add(string.Format("{0} - {1}", ruleValue,
            ace.FileSystemRights.Equals(FileSystemRights.FullControl) ? "Read,Write" : ace.FileSystemRights.ToString()));
    }
}



It shows users in a list looking like this:
ABC\john.smith - Read, Write, Synchronize
ABC\mike.jones - Read, Synchronize

I want to do 2 things. Remove the domain and slash, so it just shows the name. And remove Synchronize. Synchronize displays whenever I assign read or write. But I do not want to display it. I've got help in similar questions up here. Hoping for help with this one, too. Thank you.
We have users already in our local Active Directory (Windows 2012 R2)

They also have Gsuite accounts with Google, primarily for email but we are using Google Apps more and more.

Is there a way of syncing existing AD accounts with existing Gsuite accounts? For example if they had the same 'mail' attribute.

It seems as though Google Cloud Directory Sync creates new Gsuite accounts after polling Active Directory.

I need to map existing AD accounts to existing Gsuite accounts.

Any advice would be greatly appreciated
Dear Wizards, when I run this script (ps1) to get all members of all Distribution Groups on our Exchange 2016 server (Win2012R2)

# Remote Exchange Management Shell session (the ConfigurationName and ConnectionUri values are omitted in the post)
$s = New-PSSession -ConfigurationName -ConnectionUri
Import-PSSession $s

# Enumerate every distribution group (default result size is 1000, hence -ResultSize Unlimited on both cmdlets),
# expand its members, and tag each member row with the group it came from
$groupmember = foreach ($i in Get-DistributionGroup -ResultSize Unlimited) {
    Get-DistributionGroupMember -Identity $i.Identity -ResultSize Unlimited |
        Select-Object Name, PrimarySMTPAddress,
            @{n='GroupName'; e={$i.Name}},
            @{n='GroupSMTP'; e={$i.PrimarySMTPAddress}}
}
$groupmember | Export-Csv C:\_ListGroupmails.csv -NoTypeInformation

Remove-Variable groupmember
Remove-PSSession $s


I got this error

Can you please help and suggest?  Many thanks as always!
We are trying to add an additional claim rule on one of our ADFS relying party trusts using the command below, but keep getting the PowerShell error "Get-Content: A positional parameter cannot be found that accepts argument 'System.Object'".

# The rule must be passed as a single quoted string; unquoted, PowerShell parses the brackets and "-and" itself. Conditions in claim rule language are joined with &&; the empty Type/Value strings are as in the post.
Set-AdfsRelyingPartyTrust -TargetName ABC -AdditionalAuthenticationRules 'c:[Type == "", Value == "S-1-5-2xxxxxxxxxxxxxxx"] && [Type == "", Value == "false"] && [Type == "", Value == "true"] => issue(Type = "", Value = "");'
I have a Windows 2011 SBS domain with multiple DCs -- fully updated, replicating properly, no other issues EXCEPT: implementing Group Policy to map network drives based on security groups (Item Level Targeting) using the REPLACE option; when using the REPLACE option (in order to overwrite existing maps) I get all 7 drives mapped even if the test is not true. For example, mapping X: only if the user is a member of the security group ABC: I get the drive mapping regardless of whether the user is or is not a member of ABC. So in my situation, the test user ends up with 7 drives mapped but should only have 4.

It does not affect user access rights, but it causes confusion (what is drive X:? why do I have drive X:?).

I presume this behavior is because of using the REPLACE option, but the others don't seem to do the job I need. The domain is at the 2008 functional level; Security Filtering is "Authenticated Users". Other GPOs apply properly. Any insights would be appreciated.

We deleted users who had never logged in from Server 2012 R2 AD, and the Exchange 2013 shared mailboxes for those users were removed. This was inadvertent, as those users should not have been deleted (owner of the shared mailbox). How can we reverse this action? I know the mailboxes aren't actually deleted for 30 days but don't know what to do to get them back. I also can't recreate some of the shared mailboxes because Exchange complains the user exists... but it's actually deleted.

Many thanks!!
We are running 2008 R2.
I need to set up a way so that when users are in the office they get the proxy settings so they can get to the internet, but when they are out of the office the proxy settings are removed.
I have it set up now with a GPO but can't seem to get it to remove the settings when the users log out and leave the office. It stays enabled and then they can't get to the internet until they come back into the office.
If anyone knows the best way to set this up, we really need to get this going.
Some have said to set up WPAD, I think, but I'm not sure and don't know anything about it.
Any help would be greatly appreciated.
Dear Experts

I have set up 389 Directory Server and created the OU and group, and added users to the group. Now I want SugarCRM users to authenticate against 389 Directory Server, for which I understand from the Sugar documentation that the following must be provided on the SugarCRM side:
User DN:
Bind Attribute:
Login Attribute:
They have given the values below in their how-to configuration document, but these relate to Active Directory, while I am looking for the same values for 389 Directory; please see below:
Bind Attribute: Enter "userPrincipalName"
Note: This is what is used for Active Directory and is case sensitive.
Login Attribute: Enter "sAMAccountName"
Note: This is what is used for Active Directory and is case sensitive.
Please help me understand what Bind Attribute to enter instead of userPrincipalName and what Login Attribute to enter instead of sAMAccountName when I am using 389 Directory Server, or whether the same values are to be used. Thanks.
We are using Server 2012. There is already one domain controller, A, in this child domain. After another domain controller, B, was added, we found that this new domain controller does not have the NETLOGON and SYSVOL local shares, and GPOs cannot be added. Then I noticed there had been a replication problem with other child domains, and I resolved it. But NETLOGON and SYSVOL still don't appear. I tried adding one more new domain controller, C, and it is the same. I attached the screenshot of the event viewer after controller C was promoted. Please help me resolve this, thank you.
I have a domain controller where a GPO controls legacy audit settings.
For example, "Audit directory service access" is set to "Success, Failure".

However, when I run "auditpol /get /category:*", it says

  Directory Service Changes                No Auditing
  Directory Service Replication            No Auditing
  Detailed Directory Service Replication   No Auditing
  Directory Service Access                 No Auditing

The GPO governing audit settings for this DC also has the following setting set to "Enabled":
"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings".

So it means that Directory Service Access is not enabled, right?
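As an added check (not from the original post and not a reply in the thread), a PowerShell snippet that shows which of the two audit policy layers is in force on a DC and what each one currently says for the DS Access subcategories. The "Force audit policy subcategory settings ... to override" option named above is stored as the LSA value SCENoApplyLegacyAuditPolicy; the default registry and GPO file locations are assumed.

```powershell
# Added example; not from the original post. Run elevated on the DC whose GPO is in question.
# Assumption: default registry and Group Policy file locations (no custom paths).

# The "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit
# policy category settings" security option sets this LSA value to 1. When it is 1, the legacy
# nine-category settings such as "Audit directory service access" are ignored and only the
# Advanced Audit Policy subcategories apply.
$lsa      = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
$override = ($lsa.SCENoApplyLegacyAuditPolicy -eq 1)
"Subcategory override in force: $override"

# Advanced Audit Policy delivered by GPO is staged in this file on the client; if the file is
# absent, no subcategory settings are being applied by policy at all.
$auditCsv = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv'
if (Test-Path $auditCsv) {
    Import-Csv $auditCsv | Where-Object Subcategory -like 'Audit Directory Service*' |
        Select-Object Subcategory, 'Inclusion Setting'
} else {
    "No Advanced Audit Policy from GPO ($auditCsv not present)"
}

# The effective setting auditpol reports for the DS Access category, parsed from its CSV output.
auditpol /get /category:"DS Access" /r | ConvertFrom-Csv |
    Select-Object Subcategory, 'Inclusion Setting'
```

When the override is in force and the only DS auditing configured by policy is the legacy category entry, auditpol reports the subcategories as No Auditing; the setting has to live under Advanced Audit Policy Configuration (DS Access) for it to take effect, or the override has to be cleared.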

What are the steps to set the Server 2016 firewall rules (via group policy) so that only certain IPs can access port 445 (file & printer sharing / SMB) on servers & workstations?

I need to make sure that only authorized workstations and servers are able to browse the C$ shares on the servers and workstations within my network.
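As an added example (not from the original post and not a reply in the thread), the GPO firewall configuration that restricts inbound TCP 445 to a list of authorized hosts, written with the NetSecurity module's GPO session cmdlets. The domain name corp.example, the GPO name "SMB Inbound Restriction" (assumed to exist and already be linked to the server and workstation OUs) and the two allowed addresses are assumptions.

```powershell
# Added example; not from the original post. Run on a machine with RSAT (GroupPolicy and
# NetSecurity modules) as a user who can edit the GPO.
# Assumptions: domain corp.example, an existing GPO "SMB Inbound Restriction" linked to the
# server and workstation OUs, and 10.0.1.10 / 10.0.1.11 as the only hosts allowed in on 445.
$gpoName = 'corp.example\SMB Inbound Restriction'
$allowed = '10.0.1.10', '10.0.1.11'

# Edit the GPO's firewall settings in a session; nothing is written until Save-NetGPO.
$session = Open-NetGPO -PolicyStore $gpoName

# Windows Firewall evaluates block rules before allow rules, so "only these IPs" cannot be
# expressed as a block rule. The working pattern is: default inbound action Block, local rules
# not merged (otherwise each host's built-in "File and Printer Sharing (SMB-In)" allow rule
# would reopen 445 to everyone), and a single Allow rule scoped to the authorized addresses.
Set-NetFirewallProfile -GPOSession $session -Profile Domain, Private `
    -Enabled True -DefaultInboundAction Block -AllowLocalFirewallRules False

New-NetFirewallRule -GPOSession $session `
    -DisplayName 'SMB-In from authorized hosts only' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $allowed -Profile Domain, Private -Action Allow

Save-NetGPO -GPOSession $session

# Verification on a target host after gpupdate /force: the only rule that allows 445 should be
# the one above, scoped to $allowed.
# Get-NetFirewallPortFilter -PolicyStore ActiveStore | Where-Object LocalPort -eq 445 |
#     Get-NetFirewallRule | Where-Object Action -eq 'Allow' | Get-NetFirewallAddressFilter
```

Disabling local rule merge removes every locally defined allow rule, not only the SMB ones, so any other inbound service those hosts run must also be granted in the GPO. Because admin shares, remote management tools and SYSVOL access all ride on 445, link the GPO to a test OU first and confirm the management hosts are in the allowed list before widening the scope, otherwise the change locks the administrators out of the machines it is applied to.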
