Active Directory

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

We have moved machines from domain Alpha to domain Omega (mock names). Anyway, we removed the Windows 10 computers from the domain to a workgroup, restarted the PCs (Win 10), and joined them to the new domain, 'Omega'. They join fine. Users log on and it seems good. However, they cannot map drives to the file server 'Data' on the domain.

Also, on the machines that have the issue, when they ping the DC or file server, it is appending the old domain to the response. There is only one DNS server currently in the new domain being set up. Roughly half of the users have no issues and can map drives and surf the web. The other half has a problem mapping drives and locating local devices, but can surf external internet sites.

I'm not seeing anything on the DNS side. On one machine affected, I have looked at the registry and found several keys referring to the old domain lingering. I removed them and fixed the ping issue.

Ideas on a course of action?
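A stale DNS suffix (primary suffix, suffix search list, or a connection-specific suffix handed out by DHCP) is the usual reason an unqualified name like "data" gets the old domain appended. The following diagnostic, added here as an example and not part of the original post, shows where each of those settings lives on a Windows 10 client so they can be compared against the new domain before editing the registry by hand. The two domain names are placeholders.

```powershell
# Added example (not from the original post). Shows every place a DNS suffix can come from on a
# Windows 10 client after a domain move and flags anything still pointing at the old domain.
$OldSuffix = 'alpha.local'   # placeholder for the old domain 'Alpha'
$NewSuffix = 'omega.local'   # placeholder for the new domain 'Omega'

# 1. Primary DNS suffix (set by the domain join) and the global suffix search list.
$tcpip  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$global = Get-DnsClientGlobalSetting
"Primary suffix (Domain):    $($tcpip.Domain)"
"Primary suffix (NV Domain): $($tcpip.'NV Domain')"
"Suffix search list:         $($global.SuffixSearchList -join ', ')"

# 2. Connection-specific suffixes, set per adapter by DHCP option 15 or by hand.
Get-DnsClient |
    Select-Object InterfaceAlias, ConnectionSpecificSuffix, UseSuffixWhenResolving, RegisterThisConnectionsAddress |
    Format-Table -AutoSize

# 3. Collect everything that still references the old domain.
$findings = @()
foreach ($name in 'Domain', 'NV Domain') {
    if ($tcpip.$name -eq $OldSuffix) { $findings += "Tcpip\Parameters '$name' is still $OldSuffix" }
}
if ($global.SuffixSearchList -contains $OldSuffix) { $findings += "Suffix search list contains $OldSuffix" }
Get-DnsClient | Where-Object { $_.ConnectionSpecificSuffix -eq $OldSuffix } | ForEach-Object {
    $findings += "Adapter '$($_.InterfaceAlias)' has connection-specific suffix $OldSuffix"
}
if ($findings) { "Stale references found:"; $findings } else { "No references to $OldSuffix found." }

# 4. Confirm the file server resolves in the new domain through the configured DNS server.
Resolve-DnsName -Name "data.$NewSuffix" -Type A -ErrorAction SilentlyContinue |
    Select-Object Name, IPAddress
```

If the search list or a connection-specific suffix still names the old domain, fix it at the source (the DHCP scope option or the GPO that set it) rather than only on the client, otherwise the next DHCP renewal puts it back. A name that fails to resolve in DNS falls back to LLMNR and NetBIOS broadcasts, which is why half-working name resolution after a migration is worth closing quickly rather than living with.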

I'm planning on replacing my "Domain Controller Authentication" template with "Kerberos Authentication" for domain controllers.  The ADCs are currently configured for auto-enrollment.  I've put "Domain Controller Authentication" template in the Supersedence tab on the "Kerberos Authentication" certificate template, configured that domain controllers will auto-enroll and published the new template.

My question is do I leave the old "Domain Controller Authentication" template published or should I remove it from Certificate Templates?
Hi, I need to transfer Active Directory roles from a server with Windows Server 2003 to another server with Windows Server 2003 R2.
Basically I am following this:

I completed step 1 (transfer Schema Master Role).
I cannot complete step 2 (transfer Domain Naming Master Roles).
The error I get is:

"The transfer of the operation master role cannot be performed because: The requested FSMO operation failed. The current FSMO holder could not be reached."

This is the output of dcdiag:

C:\Documents and Settings\Administrator.COMPANY>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site\SERVER2
      Starting test: Connectivity
         ......................... SERVER2 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site\SERVER2
      Starting test: Replications
         ......................... SERVER2 passed test Replications
      Starting test: NCSecDesc
         ......................... SERVER2 passed test NCSecDesc
      Starting test: NetLogons
         ......................... SERVER2 passed test NetLogons
      Starting test: Advertising
         ......................... SERVER2 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... SERVER2 passed test 

I have a CSV file with an "email" column. This won't necessarily match a UPN of an AD user, but it should be contained in the proxyAddresses attribute of a user in AD. If not, then I'm looking to get that reported into a variable/separate list if possible.  
It appears I can get all the users in AD where "$proxyAddress -contains $" but I can't reverse and do a -notcontains.  
Is there any idea how I can achieve this?
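One way to do the reverse lookup is to build an index of every SMTP proxy address in AD once and then test each CSV row against it, which avoids one AD query per row and gives both the matched and the unmatched lists. This is an added example, not the asker's script; it assumes the CSV has a header column named "email", that the ActiveDirectory module from RSAT is installed, and the file paths shown are placeholders.

```powershell
# Added example (not the asker's code). Matches a CSV "email" column against the proxyAddresses
# attribute of all AD users and reports the addresses that are not found anywhere.
Import-Module ActiveDirectory

$CsvPath       = 'C:\temp\emails.csv'       # placeholder: input CSV with an "email" header
$NotFoundPath  = 'C:\temp\not-in-ad.txt'    # placeholder: output list of unmatched addresses
$MatchedPath   = 'C:\temp\matched.csv'      # placeholder: output list of matched addresses

# Index every SMTP proxy address -> SamAccountName, case-insensitively (SMTP addresses are not
# case-sensitive and proxyAddresses mixes "SMTP:" and "smtp:" prefixes).
$index = New-Object 'System.Collections.Generic.Dictionary[string,string]' ([System.StringComparer]::OrdinalIgnoreCase)
Get-ADUser -Filter 'proxyAddresses -like "*"' -Properties proxyAddresses | ForEach-Object {
    $sam = $_.SamAccountName
    foreach ($pa in $_.proxyAddresses) {
        # -match is case-insensitive, so this accepts both "SMTP:" and "smtp:" entries
        if ($pa -match '^smtp:(.+)$') { $index[$Matches[1]] = $sam }
    }
}

$matched   = New-Object 'System.Collections.Generic.List[object]'
$unmatched = New-Object 'System.Collections.Generic.List[string]'
foreach ($row in Import-Csv -Path $CsvPath) {
    if ([string]::IsNullOrWhiteSpace($row.email)) { continue }   # skip blank rows
    $email = $row.email.Trim()
    if ($index.ContainsKey($email)) {
        $matched.Add([pscustomobject]@{ Email = $email; SamAccountName = $index[$email] })
    } else {
        $unmatched.Add($email)
    }
}

"$($matched.Count) matched, $($unmatched.Count) not found in any proxyAddresses"
$unmatched | Set-Content -Path $NotFoundPath
$matched   | Export-Csv -Path $MatchedPath -NoTypeInformation
```

The unmatched list is the interesting output for a cleanup: an address in the CSV that no AD user owns is either a typo, a mailbox that was removed, or an address that was never provisioned, and each of those deserves a different follow-up.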
I am trying to disable the Switch Account feature and OneDrive in Word documents.

I can do this through a registry change.

Is there any Group Policy from the Active Directory side I can use?
We have on-premises AD and users are synced through AAD sync.
We have mailboxes in Office 365; there are no Exchange on-premises servers.

We have an ADFS server as well.

We have AirWatch configured on iPhone. I just wanted to know how mail flow works through Office 365 in the AirWatch app on the phone.

What is the authentication flow for mobile mail?

Like how does AirWatch talk to Office 365 and get email on the phone?

I just need a simple explanation.

1) We need to have an AirWatch account in Office 365; after that how do AD and 365 work together?
Hello IT people 😁
I need to build a data center. From the servers' point of view, how do I do this, or what is the best practice for the following:
1- For DHCP I need the setup to be HA or Cluster.
2- For WSUS I need the setup to be Cluster.
3- For SMTP I need the setup to be HA.
4- For MySQL DB I need the setup to be HA with Sync.
5- For NTP I need the setup to be HA or Cluster.
6- For AD please note that it's required to move FSMO roles, maybe TLS is needed, trust configuration between Server Farm and DMZ domains if used, and GPOs for all systems.

Feel free to ask any questions to help me 😅

are there any risks migrating the fsmo role from a 2008R2 DC to a 2016 DC? Is it possible to do that during our business hours?

Thank you in advance!

I have a very old scenario with two active domain controllers:

server: Windows 2000
server2: Windows 2003 R2

I need to shut down the Windows 2000 server. Before this, I need to make sure that every role is transferred to server2.
How can I do this?
I used the "netdom" command to query the current state of the roles, but it seems it is not present in Windows 2003.
Thank you!
Environment:  Exchange 2013, AD Forest Functional Level 2008R2

We're doing a cleanup of old user accounts (no login before 2019).  In ADUC, we're deleting the user objects but we discovered that the corresponding Exchange mailbox is being deleted as well; we were under the impression that the disconnected mailbox is retained for 30 days before being purged.

So, a couple of questions/concerns:
1) What is the deletion procedure for only the AD account?

2) Where in EAC is the post-deletion retention policy configured?

Thanks for any help!

Hi, I'm looking at adding registry keys via a GPO but am having mixed results.

I've created a .bat file and added it to the startup script on the user configuration profile, but it's creating some mixed results.

It applies in full on some PCs but sporadically on others.

Any ideas?

Content of batch file

REM /f overwrites a value that already exists without the "Value exists, overwrite (Yes/No)?" prompt.
REM Without it, reg add waits for console input on any PC where the value was already set, which a
REM non-interactive logon script cannot answer, so only the first run on each machine succeeds.
reg add HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Identity /v Version /t REG_DWORD /d 1 /f
reg add HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Identity /v EnableADAL /t REG_DWORD /d 1 /f
reg add HKEY_CURRENT_USER\Software\Microsoft\Exchange /v AlwaysUseMSOAuthForAutodiscover /t REG_DWORD /d 1 /f
I am looking for some guidance to create a unique OID. I am not sure whether it is already in place.
How do I find out?
A user has two aliases and I would like to remove one of them. Is that possible?
I think I have managed to do it before, but I am not sure.

Set-MsolDirSyncEnabled -EnableDirSync $false

Waited some Hours then...

Set-Mailbox -EmailAddresses @{remove=" "}
"WARNING: The command completed successfully but no settings of '<user name>' have been modified."

It was not possible to remove this address?

I need to remove the end users from the local administrators group on all workstations. For a select group of users, they would need to remain as local admins on their machine. I currently have 1 OU that holds all workstations.  

I see that there are two ways of removing users from the admin group: either using the Restricted Groups GPO or Group Policy Preferences. I don't see much of a difference between the two approaches. In either case it would seem that I would have to create two separate OUs, one for computers that don't have end users in the local admin group and the other for computers not linked to any GPO of this type. Is this correct? What would be the best approach to this?

Thank you.
I need a PowerShell script to help me get all 2008 servers that are currently disabled in AD and export the list to a CSV file with server name and OS name/version.
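The following is an added example of such a script, not one posted in the thread. It uses an LDAP filter so that "disabled" is tested directly on the userAccountControl bit rather than on a client-side property, and matches any operatingSystem value containing "2008", which covers both Windows Server 2008 and 2008 R2. The output path is a placeholder.

```powershell
# Added example (not the asker's own script). Exports disabled computer accounts running a
# Windows Server 2008-era OS to CSV.
Import-Module ActiveDirectory

$OutFile = 'C:\temp\disabled-2008-servers.csv'   # placeholder output path

# userAccountControl bit 0x2 is ACCOUNTDISABLE; the 1.2.840.113556.1.4.803 matching rule is a
# bitwise AND, so this clause is true only for disabled accounts. "*2008*" matches both
# "Windows Server 2008 ..." and "Windows Server 2008 R2 ...".
$ldap = '(&(objectCategory=computer)(operatingSystem=*2008*)(userAccountControl:1.2.840.113556.1.4.803:=2))'

$servers = Get-ADComputer -LDAPFilter $ldap -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate |
    Select-Object Name, OperatingSystem, OperatingSystemVersion, LastLogonDate, DistinguishedName |
    Sort-Object Name

$servers | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
"$(@($servers).Count) disabled 2008-era server(s) written to $OutFile"
```

LastLogonDate and DistinguishedName are included because a disabled server object that last logged on recently, or that sits in an unexpected OU, is worth a second look before the account is deleted rather than just left disabled.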
For Exchange Online, how do I change the primary SMTP address for all email accounts, including resources and shared mailboxes, to "" and set a secondary domain to "" in bulk using PowerShell?
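As an added example (not code from the thread), the loop below makes alias@&lt;new domain&gt; the primary SMTP address on every mailbox returned by Get-Mailbox, which includes user, shared, room and equipment mailboxes, and adds alias@&lt;secondary domain&gt; as a secondary address. Both domain names are placeholders and must already be accepted domains in the tenant; the ExchangeOnlineManagement module is assumed.

```powershell
# Added example (not the asker's code). Bulk-change the primary SMTP address in Exchange Online.
# Runs with -WhatIf so nothing changes until that switch is removed.
$NewPrimaryDomain = 'newdomain.example'   # placeholder: domain that should become primary
$SecondaryDomain  = 'olddomain.example'   # placeholder: domain to keep as a secondary address

Connect-ExchangeOnline   # from the ExchangeOnlineManagement module; prompts for credentials

Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx   = $_
    $alias = $mbx.PrimarySmtpAddress.ToString().Split('@')[0]   # keep the local part, swap the domain

    $newPrimary   = "SMTP:$alias@$NewPrimaryDomain"   # upper-case "SMTP:" marks the primary address
    $newSecondary = "smtp:$alias@$SecondaryDomain"    # lower-case "smtp:" marks a secondary address

    if ($mbx.PrimarySmtpAddress.ToString() -eq "$alias@$NewPrimaryDomain") {
        "$($mbx.Alias): already primary on $NewPrimaryDomain, skipping"
        return   # next mailbox
    }

    # Adding an address with the upper-case SMTP: prefix makes it the new primary; the previous
    # primary is kept automatically as a secondary, so no address is removed here.
    Set-Mailbox -Identity $mbx.Identity -EmailAddresses @{ add = $newPrimary, $newSecondary } -WhatIf
}
```

Two caveats: for mailboxes whose owning user is synchronised from on-premises AD (as in the AAD Connect setups described elsewhere on this page), Exchange Online refuses the change and the proxyAddresses attribute must be edited on the on-premises object instead; and for non-synced mailboxes, check the -WhatIf output for an alias that would collide with an existing address before removing the switch.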
When trying to get Bitlocker key saved to the Azure AD, I sometimes get this:

Can't sign in to your Microsoft Account
You need to be signed in to Windows with a Microsoft
account to save your recovery key. Sign out and then
sign in with a Microsoft account or go to
Settings and choose Accounts to change your
existing account.

This doesn't make sense to me. The user is signed in to his "Work or School" account which appears to register him with not only the Microsoft 365 apps etc. but also registers him and the laptop on the Azure Active Directory for the organisation. Under "Devices" in the AD his device appears with correct name.

It's only when attempting to save the BL key to the AD that we have this issue.

Is there perhaps another way to get the user signed in to the domain account but without having to tell Windows that the laptop is an organisation's laptop?

Confused of Berkshire!

I am not a professional in Windows Server. I have a question and I hope someone can help me. I have Active Directory installed on Windows Server 2012. All computers are connected to the AD. Now any user can log in to any computer. I want the user, when logging in to any computer, to see his folders and files. How can I do that?

Any help will be appreciated

Hi, I use ManageEngine Desktop Central to patch servers and PCs. I need to completely disable all Windows updates on my Windows 10 Enterprise Version 1809. Anyone know how to do this with Group Policy?

While setting up a new Server 2016 I made it a workgroup instead of a domain.
How can I change it into its new domain?

Looking for some advice. We are working with an outside software vendor they will be connecting into the network via VPN and need to RDP into 2 servers. I can restrict the access from the VPN to the server but once they are on the server they can RDP to other machines on the network. The AD user service account I created to provide to the vendor has local admin rights on the 2 servers they need to RDP into so I can't reliably block it at the firewall.

Is there a way to restrict the "Log on to" to allow RDP access from any system (even a non-domain system) to the specified servers?
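The "Log on to" setting in ADUC is the userWorkstations attribute, and Set-ADUser exposes it as -LogonWorkstations. Because the check is made by the domain controller against the name of the computer on which the logon takes place, an RDP session to one of the two servers passes regardless of where the connection originates, while a logon to any other domain computer is refused. The snippet below is an added example, not something posted in the thread; the account and server names are placeholders.

```powershell
# Added example (not from the original post). Limit a vendor service account to two servers.
Import-Module ActiveDirectory

$VendorAccount  = 'svc-vendor'            # placeholder: the AD account handed to the vendor
$AllowedServers = 'SRV-APP01,SRV-APP02'   # placeholder: NetBIOS names, comma-separated, no spaces

# Before: record the current value so the change can be reverted if needed.
$before = (Get-ADUser -Identity $VendorAccount -Properties LogonWorkstations).LogonWorkstations
"Current LogonWorkstations: '$before'"   # empty means "all computers"

# Apply the restriction. This is the same attribute ADUC edits under Account > Log On To.
Set-ADUser -Identity $VendorAccount -LogonWorkstations $AllowedServers

# Verify the stored value.
Get-ADUser -Identity $VendorAccount -Properties LogonWorkstations |
    Select-Object SamAccountName, LogonWorkstations
```

Treat this as one layer rather than the whole answer: it governs where the account may log on, not what it can reach over the network once it is on the server, so it pairs with removing local administrator rights the vendor does not need and with "Deny log on through Remote Desktop Services" on the servers the vendor should never reach. Note that the attribute holds NetBIOS names, so renaming either server means updating it.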

I tried to follow this article but have a special question.

When I want to define the permissions for a folder in each user's AppData folder, can
I use a variable like "%AppData%\ProgramYYZ"?
I tried this, since we need to add a local Admin to such a folder, but nothing happens.
I want to document DFS within an organisation; what's the best way to do this?

I have good notes on AD, DHCP, DNS etc just looking for DFS

Environment is 2012 R2.

Found this

Any other ways appreciated
Hello All,

I am trying to remove an old SBS DC that is no longer online. I was able to remove it from ADSS and ADUC but when I run ntdsutil and clean the metadata I get the error in the attached file. The new server is 2016 and it is the DC and holds all the operations masters and is the GC. I can't remember if 2016 cleans up all metadata once the DC is removed from ADSS or not; I thought it did, hence the reason I am getting the error? I have also already manually removed everything from DNS for the old server.

Any suggestions if the metadata is still there?


I am configuring a new wireless system and I am preparing for the cut-over process. The new wireless system has 'hidden SSIDs' and these SSIDs are different from the production SSID names on the older system.

For example, the older WiFi used in production:
Employee Corporate WiFi = CWIFI
Guest WiFi = CGUEST
Corp. Printer WiFi = CPRINT

The new Wireless system has:
Employee Corporate WiFi = CWIFI-Test
Guest WiFi = CGUEST-Test
Corp. Printer WiFi = CPRINT-Test

I am planning to cut-over to the new system by turning off the older WiFi controllers and Access Points and then un-hide the new Wireless system SSIDs.  The plan is to use the same naming scheme in the new system that was used in the older system. Hopefully the users will not be confused.

With a few 'printers' and other 'devices' (not laptops) there was no need to 'forget' / 'Remove' the older SSID and then try to login via the new system; but, those specific SSIDs used a Pre-Shared Key(Corp. Printer).  I am wondering if the laptops will need to 'forget' the previous SSIDs in order to use the new system seamlessly?

The Employee WiFi is using 802.1X with RADIUS servers using Network Policy Server registered in Active Directory.

The Guest WiFi is using a captive portal where the users will be using a username/password.

Any thoughts?
