Active Directory





Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.


I need to have hands on knowledge of azure active directory, how it works with regard to hybrid migration

Manage Your Enterprise Applications with Azure AD (Is ADFS required here?)

Azure AD Identity Protection and Privileged Access Management

Azure AD Connect Health

Accessing Your Organization’s Internal Applications via Azure AD App Proxy
Secure Your Identities with Azure Multi-Factor Authentication (MFA)


Hello. I have an MSI that I need to have installed on our computers via Group Policy. I am going to install it via GP, but I would like to find a way for it to run without admins needing to touch each PC in the policy or making the users run something themselves. Can someone provide a step-by-step to deploy this MSI, including any switches or scripts that would be needed? I am not a GP expert, nor do I know how to script these out; I am just looking for the easiest and quickest way to install an Outlook add-in MSI on our users' computers. I realize we can do this through a user or computer policy, so whichever way is easiest, please let me know. Thanks for your help, experts.
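As an added example (not code from the original post or its answers): the zero-touch route that needs no script at all is Computer Configuration > Policies > Software Settings > Software installation, with the package assigned to computers, so it installs at boot under SYSTEM with no user interaction. Where a script is preferred, for instance to pass msiexec switches or keep a log, a computer startup script does the same job. The share path, product DisplayName and log folder below are placeholders. Whatever sits on that share runs as SYSTEM on every machine in scope, so the share must be readable by Domain Computers and writable only by the administrators who publish packages.

```powershell
# Added example (not from the original post): computer startup script that silently installs
# an MSI if it is not already present. Share path, DisplayName and log folder are placeholders.
$MsiPath     = '\\fileserver\Deploy\OutlookAddin.msi'   # assumed share: Domain Computers = Read, admins only = Write
$DisplayName = 'Contoso Outlook Add-in'                 # assumed name as it appears in Programs and Features
$LogDir      = Join-Path $env:ProgramData 'Deploy'

# Check both the 64-bit and the 32-bit uninstall hives so the install runs once per machine, not at every boot.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -eq $DisplayName }
if ($installed) { exit 0 }

# Startup scripts run as SYSTEM: the machine account, not a user, must be able to read the share.
if (-not (Test-Path -LiteralPath $MsiPath)) {
    Write-Warning "MSI not reachable at $MsiPath"
    exit 1
}
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# /qn = no UI at all, /norestart = never reboot from a startup script, /l*v = verbose log for troubleshooting
$logFile = Join-Path $LogDir 'OutlookAddin.log'
$msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/norestart', '/l*v', "`"$logFile`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# 0 = installed, 3010 = installed but a reboot is pending; anything else is a real failure (read the log)
if ($proc.ExitCode -eq 0 -or $proc.ExitCode -eq 3010) { exit 0 }
exit $proc.ExitCode
```

Attach the script under Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown) > Startup, and link the GPO to the OU holding the computers. One caveat: if the add-in's MSI writes its registration under HKCU (a per-user package), a computer-scope install will not make it appear for the logged-on user; such a package has to be assigned under User Configuration instead.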

I'm not sure if this is possible but here's my situation:
We have several external users, that have Active Directory accounts set up on our domain to access an internal web app:  For the purpose of the posting I'll call our domain:  
Their primary email accounts reside on another domain:  (i.e.    I set them up with Active Directory accounts on our domain and associated their external email address to their AD account, 'MailUser' accounts.

My question is, when accessing owa with their AD account, they see a message: (and I believe this is expected behavior being the user is a MailUser and not a Mailbox User):

    "The Outlook Web App address is out of date."

Is there a way for me to set this MailUser account up to access the "" email address using outlook web app?  I'm thinking I already know the answer, which is No, because it's not a Mailbox user, but a MailUser and the 'Mailbox Features' such as Outlook Web App are not available to MailUser accounts.

Unless, someone has come up with a work-around, which is the reason for my post.

Thank you,
I am moving a customer from a 2003 server with AD installed to a NAS drive. There are only 3 computers that access it. In the past I have used the tool Profwiz to convert a domain account into a local account and vice versa. Is there a better way to do this? One thing I don't like about this tool is that all it really does is create a new account and redirect all the folders to the other accounts directories.

Hello, dears,
This is my first question, so I believe everyone will guide me in solving the issue.

Subdomains (child domains) objects Missing from Active Directory Users and Computers in the parent domain.

I have one parent domain ( name it domain_parent) with 2 DCs (DC1 and DC2)
and two child domains, each child domain has one DC (DC3 and DC4)

all are windows 2012 R2 servers

and all DCs in all domains are global catalog servers

the replication is OK, I can search all objects from all domains by using Active Directory administrative center, repadmin result stating that the replication was successful

I believe that the issue is related to DNS, but I do not know where exactly; DC1 has the primary DNS and the child domains are Active Directory integrated.

from network properties, the DNS servers are set as follow:
DNS Server : the IP of itself
DNS Server1: the IP of DC3
DNS Server2: IP of DC1
DNS Server1: the IP of DC4
DNS Server2: IP of DC1

can anyone please guide me on what is the issue and how I can resolve it?

thank you

I'm using Exchange Server 2013 SP1 Standard Edition on my AD domain. My users are still using Public Folder extensively, however, sometimes I have found that notes that I leave on the business cards under clients in Public Folders disappear when they are revisited.

This is very frustrating because when other team members need information from these places, they are not completely up to date.
Can you please assist me with what steps I can take to troubleshoot this problem?
We are running two DC's and have a user account that continues to get locked out of their primary system.  Netlogon debug shows the following:

07/23 22:47:43 [LOGON] [20080] xxx: SamLogon: Transitive Network logon of (null)\user from Rdesktop (via DC02) Entered
07/23 22:47:43 [LOGON] [20080] xxx: SamLogon: Transitive Network logon of (null)\user from Rdesktop (via DC02) Returns 0xC000006A
07/23 22:47:44 [LOGON] [34652] xxx: SamLogon: Transitive Network logon of (null)\user from Rdesktop (via DC02) Entered
07/23 22:47:44 [LOGON] [34652] xxx: SamLogon: Transitive Network logon of (null)\user from Rdesktop (via DC02) Returns 0xC000006A

Corresponding Event Viewer entries
The computer attempted to validate the credentials for an account.

Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:      user
Source Workstation:      Rdesktop
Error Code:      0xc000006a

I have removed the user account from the system and put back on and continue to get the error.
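The Netlogon lines above carry the two facts needed to chase a lockout: the NTSTATUS code (0xC000006A is STATUS_WRONG_PASSWORD, the one that increments the bad-password counter; 0xC0000234 is STATUS_ACCOUNT_LOCKED_OUT) and the source workstation, here Rdesktop, forwarded via DC02. The stale credential lives on that source host (a saved RDP session, mapped drive, scheduled task, service or mobile mail client), not in the user object, which is why recreating the account changes nothing. Below is an added example, not code from the original post, that tabulates bad-password attempts by account and source host from netlogon.log; the log lines in it are constructed sample data in the same format as the question.

```powershell
# Added example (not from the original post): summarize Netlogon debug entries by account,
# source workstation and NTSTATUS code. The lines below are constructed sample data; on a DC
# replace them with: Get-Content "$env:SystemRoot\debug\netlogon.log"
$sampleLog = @'
07/23 22:47:43 [LOGON] [20080] CONTOSO: SamLogon: Transitive Network logon of (null)\user from Rdesktop (via DC02) Entered
07/23 22:47:43 [LOGON] [20080] CONTOSO: SamLogon: Transitive Network logon of (null)\user from Rdesktop (via DC02) Returns 0xC000006A
07/23 22:47:44 [LOGON] [34652] CONTOSO: SamLogon: Transitive Network logon of (null)\user from Rdesktop (via DC02) Entered
07/23 22:47:44 [LOGON] [34652] CONTOSO: SamLogon: Transitive Network logon of (null)\user from Rdesktop (via DC02) Returns 0xC000006A
07/23 22:48:01 [LOGON] [20080] CONTOSO: SamLogon: Network logon of CONTOSO\user from FILESRV01 Returns 0xC000006A
07/23 22:48:30 [LOGON] [20080] CONTOSO: SamLogon: Network logon of CONTOSO\jsmith from WS042 Returns 0x0
07/23 22:49:10 [LOGON] [34652] CONTOSO: SamLogon: Transitive Network logon of (null)\user from Rdesktop (via DC02) Returns 0xC0000234
'@ -split "`r?`n"

# Captures account, source workstation, the optional forwarding DC, and the NTSTATUS code.
$pattern = 'logon of (?<Domain>[^\\]+)\\(?<User>\S+) from (?<Workstation>\S+)(?: \(via (?<Via>[^)]+)\))? Returns (?<Status>0x[0-9A-Fa-f]+)'

# Hashtable keys are case-insensitive in PowerShell, so 0xc000006a and 0xC000006A both resolve.
$statusNames = @{
    '0x0'        = 'SUCCESS'
    '0xC000006A' = 'WRONG_PASSWORD'
    '0xC0000234' = 'ACCOUNT_LOCKED_OUT'
    '0xC0000064' = 'NO_SUCH_USER'
    '0xC0000072' = 'ACCOUNT_DISABLED'
}

$events = foreach ($line in $sampleLog) {
    if ($line -match $pattern) {
        [pscustomobject]@{
            Time        = $line.Substring(0, 14)     # "MM/DD HH:MM:SS"
            User        = $Matches.User
            Workstation = $Matches.Workstation
            Via         = $Matches.Via               # $null when the logon was not forwarded
            Status      = $Matches.Status
            Meaning     = $statusNames[$Matches.Status]
        }
    }
}

# Bad-password attempts per account and source host. The host at the top of this list is where
# the stale credential is stored; fix it there (cmdkey /list, mapped drives, services, tasks).
$events | Where-Object { $_.Status -eq '0xC000006A' } |
    Group-Object User, Workstation |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'User';        e = { $_.Group[0].User } },
        @{ n = 'Workstation'; e = { $_.Group[0].Workstation } },
        @{ n = 'FirstSeen';   e = { $_.Group[0].Time } },
        @{ n = 'LastSeen';    e = { $_.Group[-1].Time } } |
    Format-Table -AutoSize

# Every bad password is chained to the PDC emulator, so its Security log has the complete picture.
# Event 4740 (account locked out) names the "Caller Computer Name" in its second property:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 20 |
#     ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Account = $_.Properties[0].Value; CallerComputer = $_.Properties[1].Value } }
```

Run it on each DC that shows the SamLogon lines (DC02 in the question, plus the PDC emulator, which receives a copy of every bad-password attempt in the domain). If the top row points at a machine the user is no longer sitting at, log that machine off, or clear the saved credentials there, before unlocking the account again.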
I have one forest with two DCs. The sysadmin added a new one for our DR site. Since then we are facing issues in AD: all new objects are getting created in the DR additional DC, not the default site DCs. In addition, replication is so slow, even though the site link is a 100 MB Layer 2 network, so I don't have an issue with speed.
I haven't worked in a Windows environment for a while. I created a lab simulating the existing scenario and realized that once I delete the subnets everything works fine. Do I really need to configure the DR DC in another site? Since I don't have any WAN speed issue, I can replicate in real time. So my question is: what will happen if I delete the subnets in my production environment, and what is the impact?
We migrated a company from on-premises Exchange 2010 to Office 365 and had DirSync working. Everything went OK.
We then uninstalled the old Exchange server (we need to decommission the server from service; we don't need it as we are on the cloud), and as soon as we did this we lost the ability to send outbound emails, as they started to come from  instead of
So we called our Exchange cloud consultant, who says the following, and now it has me very concerned (as he contradicted what he said before):
1 - To fix the issue we have to create a new profile. This is bad, as we would have to re-download the OST file again, and bandwidth is somewhat slow. We really need to fix on-premises Outlook without a new profile.
2 - He says that if I migrate to the cloud but want to keep DirSync I must keep on-premises Exchange (is that true? what is the point of migrating to the cloud?)
So I cannot have Office 365 set up and have an on-premises DC talking to it without also maintaining a local Exchange server?
We have a large AD environment and are already in the process of moving to Office 365, and have a dedicated circuit in place just to handle all MS traffic. We would like to add VMs in Azure that are running AD to extend our infrastructure to the cloud for DR purposes. I know we have to plan out the Azure network environment and also ensure all data stays within N.A. geolocations, but was wondering what other items we should consider. I am interested to hear feedback from others who are already doing this.

What is the process to change the Server 2016 policy to allow users to logon even when domain controller can't be contacted?

All computers within this organization are attached to the domain and we need to make sure that the users are able to logon with their domain accounts even when the domain controller can't be contacted.
Hi Experts

I'm not sure I'm even going to use the correct terminology in this question. Please forgive me.

I want to query two different OUs on the same level. The queries below work independently but I need to combine them so that I end up with one recordset (which is sorted - but I know how to sort it).

1.   "<LDAP://OU=all staff,OU=birmingham office,DC=mertonhatfield,DC=local>;" & "(&(objectclass=user)(objectcategory=person));" & "name,title,distinguishedName,userPrincipalName;subtree"

2.  "<LDAP://OU=reception users,DC=mertonhatfield,DC=local>;" & "(&(objectclass=user)(objectcategory=person));" & "name,title,distinguishedName,userPrincipalName;subtree"

To clarify :

1.  mertonhatfield.local\birmingham office\all staff
2.  mertonhatfield.local\reception users

Please can you tell me how to combine the two?

Many thanks.
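An LDAP search root is a single DN, so two sibling OUs mean two searches whose results are merged client-side and then sorted. Searching the common parent (DC=mertonhatfield,DC=local) and filtering afterwards would also work, but Active Directory does not support wildcard matching on distinguishedName, so the filter cannot be narrowed to the two OUs server-side; two scoped searches keep the result set small. Below is an added example, not code from the original post, that does this from PowerShell with System.DirectoryServices; the DNs, filter and attribute list are the ones in the question.

```powershell
# Added example (not from the original post): run the same LDAP filter against two sibling OUs
# and return one merged, sorted result set. DNs and attributes are taken from the question.
$filter = '(&(objectClass=user)(objectCategory=person))'
$searchBases = @(
    'LDAP://OU=all staff,OU=birmingham office,DC=mertonhatfield,DC=local',
    'LDAP://OU=reception users,DC=mertonhatfield,DC=local'
)
$attrs = 'name', 'title', 'distinguishedName', 'userPrincipalName'

$results = foreach ($base in $searchBases) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]$base
    $searcher.Filter      = $filter
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 1000          # enables paging; without it the server caps results at 1000
    foreach ($a in $attrs) { [void]$searcher.PropertiesToLoad.Add($a) }

    foreach ($r in $searcher.FindAll()) {
        # A missing attribute (e.g. no title) yields $null here, which [string] turns into ''.
        [pscustomobject]@{
            Name              = [string]$r.Properties['name'][0]
            Title             = [string]$r.Properties['title'][0]
            DistinguishedName = [string]$r.Properties['distinguishedname'][0]
            UserPrincipalName = [string]$r.Properties['userprincipalname'][0]
            SourceOU          = $base -replace '^LDAP://'
        }
    }
}

# One recordset, sorted once across both OUs.
$results | Sort-Object Name | Format-Table -AutoSize
```

The same approach applies to the ADO command strings in the question: execute each one, then append the second recordset's rows to the first (or copy both into a disconnected recordset) before sorting. With RSAT installed, Get-ADUser -SearchBase &lt;DN&gt; -LDAPFilter $filter -Properties title, run once per OU, does the same thing in one line each.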
I have taken over the backup job. We have a multi-domain network, and each site has two domain controllers. I run bare-metal backups of the DCs, and this covers the system state. My understanding is that the system state includes all AD objects, the schema partition, global catalogues, etc.
I noticed that recent Exchange CUs update the schema every time you apply them. One day I may have to roll back in case anything goes wrong with the schema.
1. If I do an authoritative restore at any one of the DCs (any site), can I roll back to the previous schema, or do I have to perform the restore at the server which holds the FSMO roles, not at any DC?
I would appreciate your comments and suggestions on this.
Is it possible to get the corresponding email attribute from the object property of a user?

We have an internal windows active directory domain called We also have an external website called the same but it is hosted on an external cloud provider.

We have created a website on the cloud called This uses dynamic DNS.

I want to forward all DNS queries for to an external DNS server.

How do I do this?

We are using windows server 2008 (but the domain functional level is windows 2003)

I have 4 domain controllers and 3 of them are pointing to the fourth as the time server. I am taking this fourth server offline and need to move the time server to one of the other three.  How do I change the time server to another domain controller?
Hello, I have been asked to set up a new Active Directory site from scratch to mirror a domain with at least 8 other subdomains. No migration will be taking place, just the existing naming conventions taken over and then set up. The platform I will be using is the 2012 OS; I will be setting up a new DHCP, DNS, cert server, etc. I would appreciate any advice on how to start achieving this, and any really good tools for making the transition nice and easy.

I've got multiple Exchange Server 2013 running CAS role in my company domain.

AD Sites: Default-First-Site-Name [MBX & CAS role] --> To be decommissioned, no more mailbox running. [MBX & CAS role] --> newly built and operational.

AD Sites: Head Office [MBX role] --> Production. [MBX & CAS role] --> Production.

But when I browse to the Send Connectors section My domain Internet Email Connector click on Edit then Scoping:

Address Space:
Domain *
Cost 1

What is the source server? Do I need to add the other CAS role servers here to send out email, or all Exchange servers in my domain?
Source Server:

Get-SendConnector -Identity "My domain Internet Email Connector" | fl

AddressSpaces                : {SMTP:*;1}
AuthenticationCredential     : 
CloudServicesMailEnabled     : False
Comment                      : 
ConnectedDomains             : {}
ConnectionInactivityTimeOut  : 00:10:00
DNSRoutingEnabled            : False
DomainSecureEnabled          : False
Enabled                      : True
ErrorPolicies                : Default
ForceHELO                    : False
Fqdn                         : 
FrontendProxyEnabled         : False
HomeMTA                      : Microsoft MTA
HomeMtaServerId              : PRODMBX14


We are migrating from on-premises Exchange 2013 to Office 365. Our facility occasionally experiences power outages as well as ISP outages. We do have backups and fail-safes in place, but sometimes they are not enough and our email system is offline. We are a service-driven company with many remote employees that depend on email, so having an email outage can be costly. That being said, we decided to go with Office 365 so that when we do experience an outage our email will still be functioning. We are still planning out our migration, and before we start we need to decide if we will be using AD sync. Currently we have an SSO environment because everything is on-premises. Users log in to their desktops and access Outlook, CRM, and NAV without having to enter another password. My understanding is that AD sync needs to access your on-premises AD, or we can go the ADFS route, which we have in place for our CRM. And then there's the cloud identity route. What would be our best option, being that we experience these outages? Do we use cloud identity, AD sync or ADFS? Maybe I'm not fully understanding how the sync works, but I feel that since we have these outages, AD sync and ADFS, since they require access to our network, would not work for us.

There is a program we install in a Terminal Services environment (Server 2012), and it has to be installed in a TS environment for this specific application; I don't want to go into why, but it's not optional. There has been an update for this software which we recently applied, but the developers for some reason have decided to move the registry settings for this program from Current User to Local Machine in this new version. Now whenever someone applies a new setting in one session it applies to all the other sessions (such as the default printer); this is very problematic for them and they are really struggling to use it.

We need a way to isolate each TS session's registry settings from the others, so that either each user has their own little virtual Local Machine registry, or we copy the LM settings into Current User and somehow force the program to use Current User again instead of LM. Or I am open to any other ideas.

The only progress I have made is that if I use the security settings of the registry key to block a specific user from accessing it, it will revert to all default settings when they launch the application. This is not helpful though, as each user has a variety of different settings they need to apply to their own session.
I'll preface by saying, yes, I'm rolling out a new 2012 based Active Directory, but...

Our FSMO master died in a way that didn't want to be resurrected.

Originally I had all Windows 2003 SBS AD domain controllers, currently running in Windows 2000 native mode:

AD01 - Primary, FSMO master
AD02 - secondary DC
AD03 - Tertiary DC

AD01 died in a way where it was not salvageable.  

With AD02, I Seized the FSMO roles, and made it the new "master"

Now, replication between the two is broken. AD02 (new master) has the "DSA Not Writable" DWORD (4) in its registry.
AD03 was up for a while when we were configuring AD02, so the databases became out of sync.

Most all instructions I see say the only way to fix replication is to demote, remove from domain, rejoin, and promote the "bad" server, in this case, my Master (now AD02).

Currently, I made AD02 as the Master via seized roles from dead AD01.
AD03 is my only other DC, acting as secondary to now-master AD02.

Another method crossed my mind, and wanted to see if anyone has tried this...or, if anyone else has another way out, other than demoting my primary AD02.

What if I were to DCPROMO AD03 (a secondary DC which is not receiving replicated data), remove it from the domain as an AD server, then re-join it as a new secondary server?
Would this also clear the "DSA Not Writable" flag on AD02?
I do not care about the orphaned objects on AD03. If it would simply pick up exactly what my new master has, that would…
I have 4 domain controllers. 1 is a 2003 dc.  This server has the primary dns. I would like to move the primary dns to one of our 2008 servers.  Can you tell me how to do this?
Hi, currently we have 2 AD forests with two-way trusts. I am trying to retrieve all the name servers of Forest B from a DC in Forest A. I try to do this by running the following command from a DC in Forest A: nslookup -type=NS

The command returns all 50 DNS servers in Forest A but only returns the IPs for half the servers. I expected the following results:
     nameserver =
     nameserver =
     nameserver =
     nameserver =
     nameserver =
     nameserver =
          internet address = x.x.x.x
          internet address = x.x.x.x
          internet address = x.x.x.x
          internet address = x.x.x.x
          internet address = x.x.x.x
          internet address = x.x.x.x

But instead the results are:
     nameserver =
     nameserver =
     nameserver =
     nameserver =
     nameserver =
     nameserver =
          internet address = x.x.x.x
          internet address = x.x.x.x
I lost a DC from a domain. I only have one left. I'm trying to raise the functional level of the domain so I can add a 2012 server. It is still looking for the schema master, which was a 2003 server. What can I do to make the current 2008 server the schema master? It's telling me the current server is offline, so it will not change.
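When the role holder is permanently gone, the only option left is to seize the role onto a surviving DC, and the dead DC's metadata has to be removed as well, otherwise the raise of the functional level still counts a 2003 DC in the domain. A seized role's former holder must never come back onto the network. Below is an added example, not code from the original post, that lists the current role holders, refuses to seize while the old holder still answers, and otherwise seizes the Schema Master; 'DC2008' and the ntdsutil DN are placeholders. The ActiveDirectory module needs Windows Server 2008 R2 or later (or the Active Directory Management Gateway Service on 2008); on a plain 2008 DC the same seizure is done with ntdsutil, shown in the trailing comment.

```powershell
# Added example (not from the original post): show the FSMO role holders, then seize the
# Schema Master onto the surviving DC only if the old holder is unreachable. 'DC2008' is a placeholder.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# A transfer is always preferred; only seize when the current holder really is dead.
if (Test-Connection -ComputerName $forest.SchemaMaster -Count 1 -Quiet) {
    Write-Warning "Schema master $($forest.SchemaMaster) still answers; transfer the role instead of seizing it."
    return
}

# -Force performs a seizure when the current holder cannot be contacted. The old holder must never return.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC2008' -OperationMasterRole SchemaMaster -Force -Confirm:$false

# The other forest-level role (DomainNamingMaster) and the domain roles may be on the same dead DC;
# seize those too, or the 2012 DC promotion will stall on them as well:
#   Move-ADDirectoryServerOperationMasterRole -Identity 'DC2008' -OperationMasterRole DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster -Force

# Then remove the dead DC's metadata. On Windows Server 2008 and later, deleting the DC's computer object
# in Active Directory Users and Computers (Domain Controllers OU) performs the cleanup; the classic route is:
#   ntdsutil "metadata cleanup" "remove selected server CN=OLDDC2003,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local" q q
# Equivalent seizure without the AD module (plain 2008):
#   ntdsutil roles connections "connect to server DC2008" q "seize schema master" q q
```

Re-run the first part afterwards to confirm every role now lists the surviving DC, and check that nothing in DNS or AD Sites and Services still refers to the 2003 server before raising the functional level.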
GPO Monitor
In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed or changed with an option for email notifications.
