
Active Directory





Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

Windows 2012 R2 domain controllers

I am trying to update the ADMX files on my Domain controller
I downloaded Administrative Templates (.admx) for Windows 10 November 2019 Update.

I ran the installer and it placed the ADMX and ADML file into my Temp folder

I then made a backup copy of my current C:\Windows\SYSVOL\sysvol\mydomain.com\Policies\PolicyDefinitions

Next I copied the new ADMX and ADML files

I did this on one DC

Today the files are gone.

So I tried to install on both DCs at the same time and that did not work either.

I thought it would replicate from one DC to another.

The central store is replicated, I know, because my GPOs are fine on both DCs.

I guess the question is: how do I update the ADMX and ADML files on my DC?

Thank you
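As an added example (not code from the question above), the following script refreshes the central store the way GPMC itself writes to SYSVOL: through the PDC emulator, with a backup first, and then checks every DC's copy so you can see whether the change actually replicated. It assumes the templates were extracted to C:\Temp\PolicyDefinitions, the domain is mydomain.com and only the en-US language files are needed.

```powershell
# Added example, not code from the post: refresh the Group Policy central store
# from an extracted ADMX package through the PDC emulator's SYSVOL share, keep a
# backup, and confirm the copy has replicated to every DC.
# Assumptions: templates were extracted to C:\Temp\PolicyDefinitions, the
# domain is mydomain.com and only en-US language files are needed.
param(
    [string]$Source      = 'C:\Temp\PolicyDefinitions',
    [string]$Domain      = 'mydomain.com',
    [string[]]$Languages = @('en-US')
)

Import-Module ActiveDirectory

# GPMC writes to the PDC emulator by default; do the same so there is a single
# writer and replication fans out from it instead of resolving conflicts.
$pdc   = (Get-ADDomain -Identity $Domain).PDCEmulator
$store = "\\$pdc\SYSVOL\$Domain\Policies\PolicyDefinitions"

# Timestamped backup of the current store before anything is overwritten.
$backup = "C:\Backup\PolicyDefinitions-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
if (Test-Path $store) {
    New-Item -Path (Split-Path $backup) -ItemType Directory -Force | Out-Null
    Copy-Item -Path $store -Destination $backup -Recurse -Force
}

# Copy the .admx files, then only the language folders actually in use.
New-Item -Path $store -ItemType Directory -Force | Out-Null
Copy-Item -Path (Join-Path $Source '*.admx') -Destination $store -Force
foreach ($lang in $Languages) {
    $dst = Join-Path $store $lang
    New-Item -Path $dst -ItemType Directory -Force | Out-Null
    Copy-Item -Path (Join-Path $Source "$lang\*.adml") -Destination $dst -Force
}

# Verify: once SYSVOL has replicated, every DC should expose the same file set.
$expected = (Get-ChildItem -Path $store -Recurse -File).Count
foreach ($dc in (Get-ADDomainController -Filter * -Server $Domain).HostName) {
    $path  = "\\$dc\SYSVOL\$Domain\Policies\PolicyDefinitions"
    $count = (Get-ChildItem -Path $path -Recurse -File -ErrorAction SilentlyContinue).Count
    $state = if ($count -eq $expected) { 'OK' } else { 'PENDING OR MISMATCH' }
    '{0,-35} {1,5} files  {2}' -f $dc, $count, $state
}
```

Run it once, from one machine, and wait for the verification loop to report OK on every DC before touching the store again. If the files disappear after replication, the DC that lost them is the one to inspect: with DFSR-replicated SYSVOL a file written on two DCs at the same time is a conflict (DFS Replication event 4412) and the losing copy is moved to ConflictAndDeleted rather than kept.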

Does anyone have any experience with pushing the server paths to the Cisco AnyConnect client? We are moving our gateways around and I cannot find anything online regarding Cisco ADMX files or the settings that I'm looking for.

Many thanks!
I have a network topology with 3 sites, each with a unique subnet and each with a Domain Controller in the same domain: DC1, DC2 and DC3
The sites are each interconnected with private links having speeds up to 50Mbps.  The interfaces

The NTDS Settings are all automatically generated and look like this:

DC1 > DC2 and DC3
DC2 > DC1
DC3 > DC1

I have the replication interval set at the minimum 15 minutes.
I'm seeing intermittent replication failures between DC1 and DC2.
Since the failures aren't 100%, I discount any normal configuration issues.
But, the failures are troubling and I'm trying to get rid of them or at least reduce their occurrence.

Since the configurations at DC2 and DC3 are virtually identical and the private link interface is the same for both at DC1, I might focus on hardware at the DC2 end of its link.
But I rather suspect something else.

If I run repadmin /replsummary, the results are:
Sometimes 0% fails.
Sometimes 100% fails where DC2 is involved.
Sometimes 0% < x% < 100% where DC2 is involved.

Failures between DC1 and DC2 can be in either direction.
I see NO failures between DC1 and DC3 in either direction.  Never.

Failures are often the familiar 1722 which I believe tells us next to nothing.
Sometimes I've seen another but not so often.
There appear to be no system issues while this is going on. I suspect that replications happen successfully often enough for that.   But prudence suggests that it be fixed.  I'm …
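Intermittent failures are hard to pin down from a single repadmin run, so as an added example (not from the post above) here is a poller that samples the DC1/DC2 pair on a timer and records, at the same moment, whether the RPC endpoint mapper and the AD ports are reachable. DC1 and DC2 are the names from the post; the sample count, interval and log path are assumptions.

```powershell
# Added example, not from the post: sample replication state for one DC pair on
# a timer, so intermittent failures (such as 1722, RPC server unavailable) can
# be correlated with port reachability at the same moment.
# DC1/DC2 are the names from the post; sample count, interval and the log path
# are assumptions.
param(
    [string[]]$Pair = @('DC1', 'DC2'),
    [int]$Samples = 12,
    [int]$IntervalSeconds = 300,
    [string]$Log = 'C:\Temp\repl-watch.csv'
)

for ($i = 1; $i -le $Samples; $i++) {
    $stamp = Get-Date -Format s

    # One row per inbound partner per naming context; keep only the pair of interest.
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv | Where-Object {
        $Pair -contains $_.'Destination DSA' -and $Pair -contains $_.'Source DSA'
    }
    foreach ($r in $rows) {
        [pscustomobject]@{
            Time        = $stamp
            Destination = $r.'Destination DSA'
            Source      = $r.'Source DSA'
            Partition   = $r.'Naming Context'
            Failures    = [int]$r.'Number of Failures'
            LastStatus  = $r.'Last Failure Status'
            LastSuccess = $r.'Last Success Time'
        } | Export-Csv -Path $Log -Append -NoTypeInformation
    }

    # Probe the RPC endpoint mapper (135) and the AD ports from this host. A
    # 1722 while 135 answers points at the dynamic RPC range or name resolution
    # rather than the link being down.
    foreach ($dc in $Pair) {
        foreach ($port in 135, 88, 389, 445) {
            $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
            [pscustomobject]@{
                Time = $stamp; Destination = $dc; Source = 'probe'; Partition = "tcp/$port"
                Failures = [int](-not $ok); LastStatus = ''; LastSuccess = ''
            } | Export-Csv -Path $Log -Append -NoTypeInformation
        }
    }
    if ($i -lt $Samples) { Start-Sleep -Seconds $IntervalSeconds }
}

# Summarise which direction, partition and probe failed, and how often.
Import-Csv -Path $Log | Where-Object { [int]$_.Failures -gt 0 } |
    Group-Object Destination, Source, Partition |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Run it from DC1 (or another DC) so the probes cross the same link the replication does. If the replication failures line up with probe failures on the same timestamps, the problem is network reachability; if replication fails while all four ports answer, look at the dynamic RPC port range and name resolution on the DC2 side instead.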
How do I prevent a particular domain admin user from signing in on the actual physical server?
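Console sign-in is controlled by the "Deny log on locally" user right, and deny rights win over membership in any admin group. As an added example (not from the question above), this script adds one account's SID to that right on the local server with secedit. The account name is an assumption. On a domain controller, a GPO that defines the same right (for instance one linked to the Domain Controllers OU) overwrites the local value at the next policy refresh, so for anything beyond a test the setting belongs in that GPO.

```powershell
# Added example, not from the post: deny one account interactive (console)
# logon on this server by adding its SID to the SeDenyInteractiveLogonRight
# user right with secedit. The account name is an assumption. On a domain
# controller, a GPO that defines this right overwrites the local value at the
# next refresh, so put the same setting there for anything more than a test.
param([string]$Account = 'MYDOMAIN\badmin')

Import-Module ActiveDirectory
$sam = $Account.Split('\')[-1]
$sid = (Get-ADUser -Identity $sam).SID.Value

$cfg = Join-Path $env:TEMP 'userrights.inf'
$db  = Join-Path $env:TEMP 'userrights.sdb'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The export is a Unicode .inf; rights live under [Privilege Rights] as
# "SeDenyInteractiveLogonRight = *SID,*SID".
$lines = @(Get-Content -Path $cfg)
$key   = 'SeDenyInteractiveLogonRight'
$idx   = -1
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -like "$key*") { $idx = $i; break }
}
if ($idx -ge 0) {
    if ($lines[$idx] -notlike "*$sid*") { $lines[$idx] += ",*$sid" }
} else {
    $section = [array]::IndexOf($lines, '[Privilege Rights]')
    $lines = $lines[0..$section] + "$key = *$sid" + $lines[($section + 1)..($lines.Count - 1)]
}
Set-Content -Path $cfg -Value $lines -Encoding Unicode

# Apply only the user-rights area, then re-export and show the resulting value.
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Select-String -Path $cfg -Pattern "^$key" | ForEach-Object Line
```

This blocks the console only; Remote Desktop is governed by the separate SeDenyRemoteInteractiveLogonRight ("Deny log on through Remote Desktop Services"), and network logons (SMB, WMI, PowerShell remoting) by SeDenyNetworkLogonRight. Denying all three is the usual way to keep a tier of accounts off a server while leaving their group membership untouched.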

I have started the process of migrating from Server 2012 to Server 2019. During the process I was warned that I couldn't proceed because of the following error: "Verification of replica failed. The specified domain is still using the File Replication Service (FRS) to replicate the SYSVOL share. FRS is deprecated."

I have read a lot of documents, have tried a lot of steps, and this is where I am at. Open to any and all suggestions. I have attached the exports of the diagnostic tools that I have run.
I have an external domain that is being advertised via our zone files. For the setup of AAD Connect, the connector to sync our internal AD with the Azure cloud, it is asking us to create either TXT or MX records in our zone file for our local domain, i.e. the ABC.local domain which our users exist on.

Do we need to create this under my external DNS, the ABC.com.fj domain, or do I create a separate domain with a separate DNS record for my ABC.local domain?
We sync our on-premises AD users to Azure/O365, and I am having problems updating the UPN, proxyAddresses and msRTCSIP-PrimaryUserAddress of a user, userA.

The sync conflict error states the value  already exists for another user's SipProxyAddress in Azure -userB. UserB is also on prem AD user, which doesn't have that value in on prem AD, but I am guessing this hasn't replicated to clear from Azure either.



UPN - userA@domain.com
Proxyaddresses: smtp:userA@domain.com, sip:userA@domain.com
msRTCSIP-PrimaryUserAddress: sip:userA@domain.com

UPN - userAAA@domain.com
Proxyaddresses: smtp:userAAA@domain.com,


UPN - userB@domain.com
Proxyaddresses: smtp:userB@domain.com,

UPN - userB@domain.com
Proxyaddresses: smtp:userB@domain.com,

Is there a way to selectively sync these users separately (or at least filter out conflicting attributes), so userB can sync first and hopefully clear its SipProxyAddress from Azure, and then sync userA in a separate sync cycle? Or is there another way to fix this?

Thank you!
Hi Experts,

I have some questions regarding DC upgrades.

The forest and domain level is 2008 R2.

I have to install many WIN2019 DCs.

What is the minimum level I need?
How to raise the level in steps?
Which Exchange version is supported?
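A Windows Server 2019 domain controller needs a domain at Windows Server 2008 functional level or higher and SYSVOL already on DFSR rather than FRS. As an added example (not from the question above), this script prints the current forest and domain modes, checks that no DC is running an OS older than the target level (the level can never be raised above the oldest DC), and then raises the domains and the forest in the required order. The target level and the -Apply switch are assumptions for illustration.

```powershell
# Added example, not from the post: confirm every DC runs an OS at or above the
# target level before raising the domain and then forest functional level.
# Target mode and the -Apply switch are assumptions for illustration.
param([string]$Target = 'Windows2016', [switch]$Apply)

Import-Module ActiveDirectory
$forest = Get-ADForest
"Forest mode: $($forest.ForestMode)"
foreach ($d in $forest.Domains) { "Domain $d mode: $((Get-ADDomain -Identity $d).DomainMode)" }

# Every DC in the forest must run at least the target OS.
$dcs = foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d }
$dcs | Select-Object HostName, Domain, OperatingSystem, IsReadOnly |
    Sort-Object Domain, HostName | Format-Table -AutoSize

# Compare by release year, e.g. "Windows Server 2008 R2 Standard" -> 2008.
$minYear = [int][regex]::Match($Target, '\d{4}').Value
$tooOld  = $dcs | Where-Object { ([regex]::Match($_.OperatingSystem, '\d{4}').Value -as [int]) -lt $minYear }
if ($tooOld) {
    throw "Demote or upgrade these DCs before raising to $Target`: $($tooOld.HostName -join ', ')"
}

if ($Apply) {
    # Domains first (root and every child), then the forest. Functional levels
    # are one-way in practice; there is no supported path back below 2008 R2.
    foreach ($d in $forest.Domains) {
        Set-ADDomainMode -Identity $d -DomainMode "$($Target)Domain" -Confirm:$false
    }
    Set-ADForestMode -Identity $forest -ForestMode "$($Target)Forest" -Confirm:$false
    Get-ADForest | Select-Object ForestMode
    foreach ($d in $forest.Domains) { Get-ADDomain -Identity $d | Select-Object DNSRoot, DomainMode }
}
```

Raise in steps only as far as the oldest DC you intend to keep: with 2008 R2 DCs still present the level stays at Windows2008R2 until they are demoted, and the 2019 DCs can be introduced at that level as long as SYSVOL is on DFSR.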
I have a weird issue with my AD. We have a mix of 2008 R2 and 2016 AD servers. We have a global security group for VPN users. If you are not part of that group, VPN access is denied. For some reason users get removed from that global security group. Different users are affected. I checked my Default Domain Policy and there is no restricted access. What could cause this behavior?
Can we remove a non-functional on-prem Exchange, then add a new one in a hybrid deployment? All mailboxes and public folders were migrated to Exchange Online (Office 365) months ago. We've been keeping an Exchange on-prem as recommended in hybrid with Azure AD Connect.

But someone has removed all older databases to keep only the default database without any mailbox (except for arbitration...) to reduce the size of the VM also (compact), but for one reason or another some of those system mailboxes were not on the default database. So now we no longer have access to ECP.

We called Office 365 support. They told us they think we can remove the on-prem Exchange (ADSI Edit) to build a new one and that should be fine. But they also added that they were not specialized in on-prem.

We have of course some connectors from on-prem to O365 and O365 to on-prem. Do you think it could be risky to remove the on-prem one? As soon as it is removed we will install the new on-prem, but I just want to make sure we can do it safely.

Besides, our AD network is locally managed. We have several DCs. We follow the recommended Microsoft procedure to create new users: new users with O365 mailboxes are created from the on-prem ECP, then synced with Azure AD Connect.

I have a GPO dedicated to mapping drives for my entire company on their desktops/laptops; however, I need to add a special mapped drive for when they log into our Citrix infrastructure. I have created a new GPO and in the User section added my Mapped Drive and set it to map to %userprofile% and set the drive letter. I set that GPO to be applied to certain users when they log into Citrix, but it doesn't map the drive. I have tried setting the Loopback on that policy to merge, but still no luck. I've even tried to change the variable to c:\Users\%username%, but still no luck. And I tried a batch file that works if you run it while logged in, but won't run from the Logon Script portion of the GPO. I really want to do this with the Mapped Drives function of the GPO, but I'm at a loss. Any thoughts would be greatly appreciated.
Is there a hierarchy of perhaps the top 5 most powerful default groups in Active Directory? I see Domain Admins mentioned quite a lot, but I wondered if there were others to be concerned about, as we need to review memberships for the high-privilege groups across the domain.
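The review itself is easy to automate. As an added example (not from the question above), this script resolves the default privileged groups by their well-known SIDs, so a renamed group is still found, expands nested membership, and finally lists accounts that still carry adminCount=1 (the marker SDProp sets on members of protected groups and never clears) without being in any of them. The report path is an assumption.

```powershell
# Added example, not from the post: list the effective (nested) membership of
# the default groups that grant control over the domain and forest, then flag
# accounts that still carry adminCount=1 without being in any of them. Groups
# are selected by well-known SID so renames do not hide them; the report path
# is an assumption.
param([string]$Report = 'C:\Temp\privileged-members.csv')

Import-Module ActiveDirectory
$forest  = Get-ADForest
$domain  = Get-ADDomain
$dsid    = $domain.DomainSID.Value
$rootSid = (Get-ADDomain -Identity $forest.RootDomain).DomainSID.Value

# Roughly in order of blast radius: forest-wide, then domain-wide, then the
# operator groups from which domain admin can usually be reached.
$targets = [ordered]@{
    'Enterprise Admins'           = "$rootSid-519"
    'Schema Admins'               = "$rootSid-518"
    'Enterprise Key Admins'       = "$rootSid-527"
    'Domain Admins'               = "$dsid-512"
    'Administrators'              = 'S-1-5-32-544'
    'Key Admins'                  = "$dsid-526"
    'Group Policy Creator Owners' = "$dsid-520"
    'Account Operators'           = 'S-1-5-32-548'
    'Server Operators'            = 'S-1-5-32-549'
    'Backup Operators'            = 'S-1-5-32-551'
    'Print Operators'             = 'S-1-5-32-550'
}

$rows = foreach ($name in $targets.Keys) {
    $sid = $targets[$name]
    # Enterprise, Schema and Enterprise Key Admins exist only in the forest root.
    $server = if ($sid -like "$rootSid-*") { $forest.RootDomain } else { $domain.DNSRoot }
    $group  = Get-ADGroup -Identity $sid -Server $server -ErrorAction SilentlyContinue
    if (-not $group) { continue }
    foreach ($m in Get-ADGroupMember -Identity $group -Server $server -Recursive) {
        [pscustomobject]@{
            Group             = $name
            Member            = $m.SamAccountName
            ObjectClass       = $m.objectClass
            DistinguishedName = $m.DistinguishedName
        }
    }
}

$rows | Export-Csv -Path $Report -NoTypeInformation
$rows | Group-Object Group | Select-Object Count, Name

# adminCount=1 is set by SDProp on members of protected groups and is not
# cleared on removal; such objects keep AdminSDHolder ACLs with inheritance off.
$protectedDns = @($rows.DistinguishedName | Sort-Object -Unique)
Get-ADUser -Filter 'adminCount -eq 1' -Properties adminCount |
    Where-Object { $protectedDns -notcontains $_.DistinguishedName } |
    Select-Object SamAccountName, DistinguishedName
```

Enterprise Admins, Schema Admins and Domain Admins are the obvious top of the list, but Administrators on the domain controllers, Account Operators (can reset passwords on and modify most non-admin accounts) and Server/Backup/Print Operators (log on to and run code on DCs) give a realistic path to the same end, which is why they are included in the sweep.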
I have a number of Domain Controllers running win 2008 R2 and win 2016. On my domain controllers FRS and DFS are both running. On the 2016 server I get the event ID 13577 in Applications and Service Logs that FRS is being deprecated. That I should use DFSRMIG. What is going on?
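Event 13577 and the "still using FRS" error in the Server 2019 promotion question above are the same issue: SYSVOL has to be moved to DFS Replication with dfsrmig before FRS-free domain controllers can join. As an added example (not from either post), this script drives the migration through its global states one at a time and waits for every DC to confirm each state before moving to the next; the poll interval and timeout are assumptions, and it is meant to be run as a Domain Admin on the PDC emulator.

```powershell
# Added example, not from either post: step SYSVOL replication from FRS to DFSR
# with dfsrmig one global state at a time, waiting for every DC to confirm each
# state before moving on. Poll interval and timeout are assumptions. Run as a
# Domain Admin on the PDC emulator.
param([int]$PollSeconds = 60, [int]$MaxWaitMinutes = 120)

Import-Module ActiveDirectory

function Wait-DfsrMigrationState {
    param([int]$State)
    $deadline = (Get-Date).AddMinutes($MaxWaitMinutes)
    do {
        $out = dfsrmig /getmigrationstate
        # dfsrmig reports "All Domain Controllers have migrated successfully to
        # Global state ..." once every DC has reached the requested state.
        if ($out -match 'migrated successfully') { return $true }
        Write-Host "$(Get-Date -Format T) waiting for global state $State"
        $out | Where-Object { $_ } | ForEach-Object { Write-Host "  $_" }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    return $false
}

# Preconditions dfsrmig does not check for you: 2008+ domain functional level
# and healthy AD replication (the migration state itself travels in AD objects).
$mode = [int](Get-ADDomain).DomainMode
if ($mode -lt [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain) {
    throw 'Raise the domain functional level to Windows Server 2008 or higher first.'
}
repadmin /replsummary

dfsrmig /getglobalstate
# 0 = Start (FRS), 1 = Prepared, 2 = Redirected, 3 = Eliminated (FRS removed).
# Prepared and Redirected can be rolled back by setting a lower state; Eliminated cannot.
foreach ($state in 1, 2, 3) {
    dfsrmig /setglobalstate $state
    if (-not (Wait-DfsrMigrationState -State $state)) {
        throw "DCs did not converge on state $state; check 'dfsrmig /getmigrationstate' and the DFS Replication event log before continuing."
    }
}

# After Eliminated the FRS service should be stopped on every DC.
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-Service -ComputerName $dc -Name NtFrs -ErrorAction SilentlyContinue |
        Select-Object @{n = 'DC'; e = { $dc }}, Status, StartType
}
```

Pause after the Redirected state long enough to confirm that Group Policy still applies from the new SYSVOL_DFSR share on every DC (gpupdate plus a look at \\dc\SYSVOL on each); Eliminated is the only step that cannot be undone, and a DC that never reaches a state (offline, or with replication errors like the 1722 discussed earlier on this page) will hold the whole migration at that state until it is fixed or demoted.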
Can't delete mailbox, Exchange Server 2016

Active Directory operation failed on MIT-DC02.mitcom.dk. This error is not retriable. Additional information: Access is denied. Active directory response: 00000005: SecErr: DSID-03152501, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

I have Office 365 services like E1, E3, Power BI Pro, Teams, etc.

I can assign services to users or groups from the Admin Portal, but how can I give access to users through on-premises AD groups?

I know on-premises AD groups need to be synced with AD Connect to O365, but what are the steps to achieve that?
"The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. To change the SYSVOL permissions to those in Active Directory, click OK."
I get this error when opening a Group Policy Object.
I recently migrated the DC from Server 2008 R2 to Server 2019; I've seen no issues for the past while other than this.
Is there a gotcha for just hitting the recommended "OK"?
Good evening experts,
I have a test environment for a small doctor's site. I am only dealing with one Domain Controller and 10 Windows 7 workstations. I would like to share with you the steps that I have already taken to enable my workstations to join the domain. I am just having no luck, and I am probably doing something wrong that a rookie would do. Here are my steps:

1. I added the active directory feature
2. I added the dns feature.

Below you will see an Active Directory domain with an associated DNS.
The next screen shot is me trying to join the domain from one of the office pc's
The next screen shot is the servers IP configuration for the ip, subnet mask, default gateway and DNS.


I hope I haven't missed anything. I would appreciate some feedback as soon as possible and I thank you for your anticipated responses.
I've been preparing GPOs successfully enough. Suddenly the right-click menu on OUs is missing "Link an existing GPO" in ADUC on the DC.
The User is a Domain Admin.
I've rebooted the DC.
Still stuck.

An update:
I created the link using PowerShell.  At least PowerShell didn't complain when it finally got it right!
But the link didn't show up under the target OU.
BUT the missing menu items showed up.
So, I used the familiar "Link an existing GPO" and added the GPO.
Now everything looks right and the menu item is back along with "Create a GPO in this domain and Link it here"

Any ideas about the menu?  I'd like to be able to fix it in a more straightforward way!!
I currently have a Citrix NetScaler VPX 200 and I would like to enable 2 factor authentication. I'm new to setting up 2FA and any advice would greatly be appreciated.

The goal is to have the user sign into the Netscaler web portal and authenticate with their domain (LDAP) credentials. Upon successful login, the user is required to enter a passcode/one time password that they would receive from an SMS message or ideally a code using an authenticator app (Microsoft or Google authentication app for example.) Once the user enters the one time password, the user can access the VPN or ICA portal.

When researching what is involved in enabling this, it looks like a RADIUS server is required. I do have a Windows Server 2016 RADIUS server, but it doesn't seem to support what I'm looking for, unless Microsoft's terminology is different. I've opened a case with Citrix, but the only thing provided is links to set up RADIUS on the gateway, which I already found before opening the case.

Has anyone been able to accomplish this? Thank you for your time.

Is it possible to mount an SMB file share using NFS right on a machine that is not domain-joined?

Hello experts,

I have computers in our active directory that do not follow any type of standard naming convention. I am of course looking to change that and standardize on a naming convention. My question is what are the best practices or steps to accomplish this? Once I change the name of the computer do I need to manually delete the old one out of ad? Here is my approach. Please tell me if I am wrong or should do something different,

1. Unjoin current pc (old name) from domain,
2. Rename PC and rejoin domain.
3. Verify new PC name in AD and move to appropriate OU.
4. Remove old pc name (if exists) from AD
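Renaming a domain-joined computer with Rename-Computer updates the existing computer account in place (same SID and objectGUID), so the unjoin/rejoin and the cleanup of a stale account are not needed; the rejoin route is what produces the duplicate objects in step 4. As an added example (not the poster's procedure), the script below enforces a naming convention, renames in place, waits for the new name to appear in AD, proves it is the same object, and only then moves it to the target OU. The convention, OU and names are assumptions.

```powershell
# Added example, not the poster's procedure: rename a domain-joined computer in
# place and confirm the same AD computer object was updated, so no stale
# account is left to delete. Naming convention, OU and names are assumptions.
param(
    [Parameter(Mandatory)][string]$OldName,
    [Parameter(Mandatory)][string]$NewName,
    [string]$TargetOU = 'OU=Workstations,DC=mydomain,DC=com',
    [pscredential]$Cred = (Get-Credential -Message 'Domain account allowed to rename the computer')
)

Import-Module ActiveDirectory

# Enforce the convention before touching anything (assumed: SITE-TYPE-NNNN).
if ($NewName -notmatch '^[A-Z]{3}-(WS|LT)-\d{4}$') { throw "'$NewName' does not match the naming convention." }
if ($NewName.Length -gt 15) { throw 'NetBIOS names are limited to 15 characters.' }
if (Get-ADComputer -Filter "Name -eq '$NewName'") { throw "'$NewName' already exists in AD." }

$before = Get-ADComputer -Identity $OldName -Properties objectGUID

# Rename in place; the existing AD account is updated, no unjoin/rejoin needed.
Rename-Computer -ComputerName $OldName -NewName $NewName -DomainCredential $Cred -Force -Restart

# Wait for the rename to show up in AD, then verify the object identity is unchanged.
$deadline = (Get-Date).AddMinutes(5)
do {
    Start-Sleep -Seconds 15
    $after = Get-ADComputer -Filter "Name -eq '$NewName'" -Properties objectGUID
} while (-not $after -and (Get-Date) -lt $deadline)

if (-not $after) { throw 'Renamed object not visible yet; check replication before deleting anything.' }
if ($after.objectGUID -ne $before.objectGUID) { throw 'Different objectGUID; a new account was created, investigate before cleanup.' }

Move-ADObject -Identity $after.DistinguishedName -TargetPath $TargetOU
'{0} -> {1} (objectGUID {2}) moved to {3}' -f $OldName, $NewName, $after.objectGUID, $TargetOU
```

Because the account is reused, group memberships, GPO links and any certificates or service principal names tied to the object survive the rename (SPNs based on the host name are rewritten by the machine itself). The only cleanup left is for machines that were previously rejoined under a new name, which the step-4 sweep in the post still covers.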

I encountered the following error when demoting a Windows 2012 DC server. This server is not the last DC in my network and the server doesn't hold an FSMO role. However, it is the last DC in another site under the same domain. Running repadmin /replsummary shows the other 2 DCs in the other site. Any idea?

Uninstall-ADDSDomainController : The operation failed because:
Active Directory Domain Services could not find another Active Directory Domain Controller to transfer the remaining
data in directory partition DC=DomainDnsZones,DC=xxxxy,DC=com.
"The specified domain either does not exist or could not be contacted."
At line:1 char:1
+ Uninstall-ADDSDomainController
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Uninstall-ADDSDomainController], DCPromoExecutionException
    + FullyQualifiedErrorId : DCPromo.General.54,Microsoft.DirectoryServices.Deployment.PowerShell.Commands.UninstallA
I just read https://activedirectorypro.com/group-policy-best-practices/ and thought it contained a pretty good idea.
Rather than using Deny, it encourages that "GPO1" be applied at the OU root level and then creates a sub-OU for which a contradicting "GPO2" is applied (directly).

But, after thinking about it, one realizes that things can only be a set of unique objects in each OU.
So then, what if one has another treatment to apply via "GPO3" to a set of objects that overlaps the membership of "GPO2" above?
Then the method falls apart.

I've often wondered about this and am looking for some logical structure that would allow:
GPO1 applied to a,b,c,d,e,f,g
GPO2 applied to f,g
GPO3 applies to e,f,g,h
There is an intersection between all 3 GPOs: f,g
There is an intersection between GPO1 and GPO3: e,f,g
GPO3 has a member (h) that is not in the other two GPOs.

In my cases, so far, I find that there would be a GPO to apply to all Users or all Computers with some exceptions in each case.
So, creating OUs for the exceptions as suggested, may likely not work.
There only needs to be yet one more GPO with a different set of excepted objects and with overlap, but not 100%  overlap, of those objects.

The referenced note above suggests one way when one OU is part of a root (or higher level) OU.  But that seems to barely scratch the surface.
What is the best way to tackle this rather obvious situation/objective in designing GPOs, OUs, etc?
Default Administrator account in Domain Controllers.

When you install a Domain Controller, the Administrator account becomes by default a member of Enterprise/Domain/Schema Admins, etc.
The Administrator account is also a member of the local Administrators group on the server (domain controller).

Can that account be renamed or deleted? What is the best practice?

Thank you
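The built-in Administrator cannot be deleted, and because its SID always ends in RID 500 any tool can find it whatever it is called, so renaming is housekeeping rather than protection. As an added example (not from the question above), this script locates the account by that SID, reports whether it is still being used, and optionally renames it, marks it sensitive (not delegable) and sets a fresh random password so it can be kept as a break-glass account. The new name, description and the -Apply switch are assumptions.

```powershell
# Added example, not from the post: find the built-in Administrator by its
# well-known RID (500), which a rename does not change and which the account
# cannot lose because it cannot be deleted, report how recently it has been
# used, and optionally rename and harden it. The new name and description are
# assumptions; -Apply is a safety switch for this example.
param([string]$NewName = 'break-glass-admin', [switch]$Apply)

Import-Module ActiveDirectory
$domain = Get-ADDomain
$sid    = "$($domain.DomainSID.Value)-500"
$admin  = Get-ADUser -Identity $sid -Properties LastLogonDate, PasswordLastSet, MemberOf, AccountNotDelegated, Enabled, Description

[pscustomobject]@{
    CurrentName     = $admin.SamAccountName
    Enabled         = $admin.Enabled
    LastLogonDate   = $admin.LastLogonDate
    PasswordLastSet = $admin.PasswordLastSet
    NotDelegated    = $admin.AccountNotDelegated
    Groups          = ($admin.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; '
}

if ($Apply) {
    # Rename the object and its logon names together; SID and RID 500 are unchanged,
    # so treat the rename as housekeeping, not as hiding the account.
    Rename-ADObject -Identity $admin.DistinguishedName -NewName $NewName
    Set-ADUser -Identity $sid -SamAccountName $NewName `
        -UserPrincipalName "$NewName@$($domain.DNSRoot)" `
        -AccountNotDelegated $true `
        -Description 'Break-glass only; not for day-to-day administration'

    # 32 characters from a CSPRNG, to be stored out of band (vault or sealed
    # envelope). The modulo mapping has a slight bias; acceptable at this length.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $chars = [char[]](33..126)
    $pw    = -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
    Set-ADAccountPassword -Identity $sid -Reset -NewPassword (ConvertTo-SecureString $pw -AsPlainText -Force)
    Write-Host "New password for $NewName (record it in the vault now): $pw"

    Get-ADUser -Identity $sid -Properties AccountNotDelegated |
        Select-Object SamAccountName, SID, Enabled, AccountNotDelegated
}
```

Whatever the name, the account stays a member of Domain Admins and Administrators and keeps its group memberships through the rename, so the effective controls are a password nobody uses day to day, "Account is sensitive and cannot be delegated", and alerting on any logon by RID 500; day-to-day administration should be done from named personal admin accounts so its use stands out.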

I need to uninstall the Trend Micro agent on a group of computers. When I use Add/Remove Programs to install, it is prompting me for a password and the install process fails. I think something is corrupted. I then use the Microsoft tool in this link and it works like a charm.

Does anyone know a command-line tool that does a similar uninstall? I need to perform this action on a lot of computers, so I need to call something from my script.

