
Active Directory

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

Powershell- Add AD Group to AD User by Distinguished Name

I have a list of 30+ AD groups that I want to add back to an AD user object. What's the best PowerShell script that will allow me to add these groups back to the user if I have a CSV file that has a list of all the AD groups in CN format with no header? I can add a header if need be.
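One way to do what the question above asks, as an added example that is not part of the original post. It assumes the group list is a headerless text/CSV file at C:\Save\groups.csv with one distinguishedName per line, and that the target user's sAMAccountName is jdoe; both are placeholders. Every DN is resolved first so a typo fails loudly instead of being skipped silently, and the membership change is previewed with -WhatIf before it is applied.

```powershell
# Added example; not from the original question. Paths and the user name are assumptions.
Import-Module ActiveDirectory

$User      = 'jdoe'                 # sAMAccountName of the account getting its groups back
$GroupFile = 'C:\Save\groups.csv'   # one group distinguishedName per line, no header

# No header, so read plain lines rather than Import-Csv; drop blanks and stray whitespace.
$groupDNs = Get-Content -Path $GroupFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ }

# Resolve every DN to a group object before changing anything.
$resolved = foreach ($dn in $groupDNs) {
    try {
        Get-ADGroup -Identity $dn -ErrorAction Stop
    } catch {
        Write-Warning "Group not found, skipping: $dn"
    }
}

if (-not $resolved) {
    throw "None of the groups in $GroupFile could be resolved; nothing to do."
}

# Add-ADPrincipalGroupMembership puts one principal into many groups in a single call.
# -WhatIf only shows what would change; remove it once the preview looks right.
Add-ADPrincipalGroupMembership -Identity $User -MemberOf $resolved -WhatIf

# Confirm the resulting membership.
Get-ADPrincipalGroupMembership -Identity $User |
    Sort-Object Name |
    Select-Object Name, GroupScope, DistinguishedName
```

If the file does get a header later, swap the Get-Content line for Import-Csv and expand the DN column; the rest of the script is unchanged.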
What's the best and most secure way to set up a web server within a DMZ? A couple of simple external sites and a SQL server. Should I put a DC/RODC inside the DMZ, or just open up ports to sync AD? Or should I not have it connected to AD?
I ran this script. It contacts AD but does not respond with results. It just waits for another entry.

C:\Save> Get-ADUser -Filter {mail -like 'emailaddress'} -Properties * | fl workid
C:\Save> _

It looks like above
Dear all,

I wrote the code below to get, for a list of computers in an OU, their vendor name, model name and serial value.

When running the code the $vendor, $name and $identifyingNumber values are null and I am getting this message: "Get-WmiObject : The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)"

The computer is not offline.
If I run the script like this, $vendor = (Get-WMIObject -ComputerName MAD001 Win32_ComputerSystemProduct).name, it works.

Could you help?


$computers = Get-ADComputer -Filter * -SearchBase "OU=Madrid,OU=Spain,OU=Europe,OU=Root,DC=contoso,DC=com" |
    Select-Object -ExpandProperty DNSHostName   # plain host-name strings, not objects with a DNSHostName property
foreach ($computer in $computers) {
    # One WMI query per host instead of three. -ComputerName needs a string; the object was what made RPC fail.
    $product = Get-WmiObject Win32_ComputerSystemProduct -ComputerName $computer
    $vendor = $product.Vendor
    $name = $product.Name
    $identifyingNumber = $product.IdentifyingNumber
    [pscustomobject]@{ Computer = $computer; Vendor = $vendor; Name = $name; SerialNumber = $identifyingNumber }
}


Hi Experts,

I have to install some new DCs into a network.
The old DCs should be deleted afterwards.

When I set up the new DCs, let's say the new PDC with all FSMO roles, how do I set up the DNS servers?

What is the best practice for the DNS servers ?
Lets say I have two new DCs in a cluster.
DC1 and DC2. What about the network settings for DNS ?

What I know is that the first DNS is always the other DC, in this case DC2.
On DC2 the first entry is always DC1.

Please let me know your expertise.
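An added example, not part of the original question, that audits the pattern the asker describes (each DC pointing at another DC first and at itself second) across every DC in the domain instead of checking each one by hand. It reads the DNS client settings of every DC over WinRM and flags a DC that lists itself first, a DC that does not list itself at all, and any DNS server address that does not belong to a DC. It assumes the ActiveDirectory module is available and that the account running it can open CIM sessions to the DCs.

```powershell
# Added example; not from the original question. Run as a Domain Admin from a
# machine with the ActiveDirectory module and WinRM access to the DCs.
Import-Module ActiveDirectory

$dcs   = Get-ADDomainController -Filter *
$dcIps = $dcs.IPv4Address            # every address that counts as "a DC"

$report = foreach ($dc in $dcs) {
    try {
        # Only adapters that actually have DNS servers configured
        $dns = Get-DnsClientServerAddress -CimSession $dc.HostName -AddressFamily IPv4 -ErrorAction Stop |
               Where-Object { $_.ServerAddresses.Count -gt 0 }
    } catch {
        Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
        continue
    }

    foreach ($nic in $dns) {
        $servers  = $nic.ServerAddresses
        $self     = @($dc.IPv4Address, '127.0.0.1')
        $findings = @()

        if ($servers[0] -in $self) {
            $findings += 'lists itself first'
        }
        if (-not ($servers | Where-Object { $_ -in $self })) {
            $findings += 'does not list itself at all'
        }
        foreach ($s in $servers) {
            if ($s -notin $dcIps -and $s -ne '127.0.0.1') {
                $findings += "non-DC DNS server $s"
            }
        }

        [pscustomobject]@{
            DC        = $dc.HostName
            Site      = $dc.Site
            Interface = $nic.InterfaceAlias
            DnsOrder  = ($servers -join ', ')
            Findings  = if ($findings) { $findings -join '; ' } else { 'OK' }
        }
    }
}

$report | Format-Table -AutoSize
```

Fixing a flagged DC is a one-liner with Set-DnsClientServerAddress on that DC (other DC first, 127.0.0.1 or its own address second); rerun the audit afterwards rather than trusting the change blindly.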
Hi All,

Recently I am facing an issue with Group Policy replication. While checking the SYSVOL folder on the PDC it shows all the policies, but on the ADC newly created policies are missing and inaccessible when I try to detect them on the Group Policy objects. Also I can't access netlogon/sysvol by IP; it shows access denied (prompting for user name and password), but I can access it by FQDN.
I checked the SYSVOL folder security; it includes Authenticated Users, Administrator and Everyone.

The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.
 Replica set name is    : "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
 Replica root path is   : "c:\windows\sysvol\domain"
 Replica root volume is : "\\.\C:"
 A Replica set hits JRNL_WRAP_ERROR when the record that it is trying to read from the NTFS USN journal is not found.  This can occur because of one of the following reasons.
 [1] Volume "\\.\C:" has been formatted.
The File Replication Service is having trouble enabling replication from Server-DC01 to Server-DC02 for c:\windows\sysvol\domain using the DNS name server-dc01.demo.local. FRS will keep retrying.
 Following are some …
Windows 2012 R2  domain controllers

I am trying to update the ADMX files on my Domain controller
I downloaded Administrative Templates (.admx) for Windows 10 November 2019 Update.

I ran the installer and it placed the ADMX and ADML file into my Temp folder

I then made a backup copy of my current C:\Windows\SYSVOL\sysvol\mydomain.com\Policies\PolicyDefinitions

Next I copied the new ADMX and ADML files

I did this on one DC

Today the files are gone.

So I tried to install on both DCs at the same time and that did not work either.

I thought it would replicate from one DC to another.

The central store is replicated, I know, because my GPOs are fine on both DCs.

I guess the question is: how do I update the ADMX and ADML files on my DC?

Thank you

Does anyone have any experience with pushing the server paths to the Cisco Anyconnect client? We are moving our gateways around and I cannot find anything online regarding Cisco admx files or the settings that I'm looking for.

Many thanks!
I have a network topology with 3 sites, each with a unique subnet and each with a Domain Controller in the same domain: DC1, DC2 and DC3
The sites are each interconnected with private links having speeds up to 50Mbps.  The interfaces

The NTDS Settings are all automatically generated and look like this:

DC1 > DC2 and DC3
DC2 > DC1
DC3 > DC1

I have the replication interval set at the minimum 15 minutes.
I'm seeing intermittent replication failures between DC1 and DC2.
Since the failures aren't 100%, I discount any normal configuration issues.
But, the failures are troubling and I'm trying to get rid of them or at least reduce their occurrence.

Since the configurations at DC2 and DC3 are virtually identical and the private link interface is the same for both at DC1, I might focus on hardware at the DC2 end of its link.
But I rather suspect something else.

If I run repadmin /replsummary, the results are:
Sometimes 0% fails.
Sometimes 100% fails where DC2 is involved.
Sometimes 0% < x < 100% fails where DC2 is involved.

Failures between DC1 and DC2 can be in either direction.
I see NO failures between DC1 and DC3 in either direction.  Never.

Failures are often the familiar 1722 which I believe tells us next to nothing.
Sometimes I've seen another but not so often.
There appear to be no system issues while this is going on. I suspect that replications happen successfully often enough for that.   But prudence suggests that it be fixed.  I'm …
Hi Experts,

Our two Windows 2016 domain controllers have the same GUID. We want to change the GUID of one DC. Is there any adverse impact on the network from changing the GUID?
Please clarify.

Thanks in advance.
Hi Teams,

I am facing an issue with group policy; it is not replicating to the other server.

Can anyone suggest how I can troubleshoot this group policy issue?
How do I prevent a particular domain admin user from signing in on the actual physical server?
Hello Expert, I am having an Issue with a Windows 2012 (Vmware VM).

First I had this error, and I couldn't login with domain users or local users
 First Error
So I rebooted the server into safe mode, unjoined it from the domain and rebooted the server again, and I was then able to log in with the local admin account.

But I had the error below and I fixed it by using the solution in this youtube video ( https://www.youtube.com/watch?v=2-8gOC4BgYw)
I have copied the folder from C:\Windows\Users\Default\Desktop and pasted it  in this location C:\Windows\System32\config\systemprofile\
Second Error
And now , I cannot rejoin the server to the domain
 Third Error
I have tried to fix this issue by removing the network card and adding a new one. I also did a flush dns, and I am also able to ping the domain controller,but still not able to join the server to the domain.

Please help me experts

I have started the process of migrating from Server 2012 to Server 2019. During the process I was warned that I couldn't proceed because of the following error: "Verification of replica failed. The specified domain is still using the File Replication Service (FRS) to replicate the SYSVOL share. FRS is deprecated."

I have read a lot of documents, have tried a lot of steps, and this is where I am at. Open to any and all suggestions. I have attached the exports of the diagnostic tools that I have run.
I have an external domain that is being advertised via our zone files. For the setup of the AAD Connect connector to sync our internal AD with the Azure cloud, it is asking us to create either TXT or MX records in our zone file for our local domain, i.e. the ABC.local domain our users exist on.

Do we need to create this under my external DNS, the ABC.com.fj domain, or do I create a separate domain with a separate DNS record for my ABC.local domain?
We sync our on-premises AD users to Azure/O365, and I am having problems updating the UPN, proxyAddresses and msRTCSIP-PrimaryUserAddress of a user, userA.

The sync conflict error states the value already exists for another user's SipProxyAddress in Azure, userB. UserB is also an on-premises AD user, which doesn't have that value in on-premises AD, but I am guessing this hasn't replicated to clear from Azure either.



UPN - userA@domain.com
Proxyaddresses: smtp:userA@domain.com, sip:userA@domain.com
msRTCSIP-PrimaryUserAddress: sip:userA@domain.com

UPN - userAAA@domain.com
Proxyaddresses: smtp:userAAA@domain.com,


UPN - userB@domain.com
Proxyaddresses: smtp:userB@domain.com,

UPN - userB@domain.com
Proxyaddresses: smtp:userB@domain.com,

Is there a way to selectively sync these users separately (or at least filter out conflicting attributes), so userB can sync first and hopefully clear its SipProxyAddress from Azure, and then sync userA in a separate sync cycle? Or is there another way to fix this?

Thank you!
How can I get a list of domain controllers in my environment?
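An added example, not part of the original question, that goes a step beyond a plain listing: it pulls the domain controllers AD knows about (with site, OS, global catalog, RODC status and FSMO roles) and compares them with the DCs advertised in DNS, so a decommissioned DC whose SRV records were never cleaned up, or an unexpected host advertising itself as a DC, stands out. It assumes the ActiveDirectory module is installed; the DNS lookup needs no special rights.

```powershell
# Added example; not from the original question.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot

# What AD says: one object per DC, with the attributes worth reviewing
$fromAd = Get-ADDomainController -Filter * |
    Select-Object Name, HostName, IPv4Address, Site, OperatingSystem,
                  IsGlobalCatalog, IsReadOnly, OperationMasterRoles

$fromAd | Format-Table Name, IPv4Address, Site, OperatingSystem, IsGlobalCatalog, IsReadOnly -AutoSize

# FSMO role holders, one line per DC that holds any
$fromAd | Where-Object OperationMasterRoles |
    Select-Object Name, @{ n = 'FSMO'; e = { $_.OperationMasterRoles -join ', ' } }

# What DNS says: every host with an _ldap._tcp.dc._msdcs SRV record for the domain
$fromDns = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object -ExpandProperty NameTarget |
    ForEach-Object { $_.TrimEnd('.').ToLower() } |
    Sort-Object -Unique

$adHosts = $fromAd.HostName | ForEach-Object { $_.ToLower() }

# Mismatches in either direction deserve a look
$fromDns | Where-Object { $_ -notin $adHosts } |
    ForEach-Object { Write-Warning "Advertised in DNS but not a DC in AD: $_" }
$adHosts | Where-Object { $_ -notin $fromDns } |
    ForEach-Object { Write-Warning "DC in AD but missing from DNS SRV records: $_" }
```

Without the ActiveDirectory module, nltest /dclist:<domain> gives the AD-side list, and the same Resolve-DnsName query gives the DNS side.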
Hi Experts,

I have some questions regarding DC upgrades.

The forest and domain level is 2008 R2.

I have to install many WIN2019 DCs.

What is the minimum level I need ?
How to raise the level in steps ?
Which exchange version is supported ?
Is it possible to create a user password reset web page in AD in Server 2016? I could create one in Server 2008 but I'm not finding much on how it is done in Windows 2016.

Thank you
I have a weird issue with my AD. We have a mix of 2008 R2 and 2016 AD servers. We have a global security group for VPN users. If you are not part of that group, VPN access is denied. For some reason users get removed from that global security group. Different users are affected. I checked my default domain policy and there are no restricted groups. What could cause this behavior?
Can we remove a non-functional on-prem Exchange, then add a new one in a hybrid deployment? All mailboxes and public folders were migrated to Exchange Online (Office 365) months ago. We've been keeping an Exchange on-prem as recommended for hybrid with Azure AD Connect.

But someone has removed all the older databases to keep only the default database without any mailboxes (except for arbitration...) to reduce the size of the VM as well (compact), but for one reason or another some of those system mailboxes were not on the default database. So now we no longer have access to ECP.

We called the support for office 365.  They told us they think we can remove the on prem Exchange (ADSI edit) to build a new one and that should be fine.  But they also added that they were not specialized with On Prem.  

We have of course some connectors from on-prem to O365 and O365 to on-prem. Do you think it could be risky to remove the on-prem one? As soon as it is removed we will install the new on-prem, but I just want to make sure we can do it safely.

Besides, our AD network is locally managed. We have several DCs. We follow the recommended Microsoft procedure to create new users: new users with O365 mailboxes are created from the on-prem ECP, then synced with Azure AD Connect.

I have a GPO dedicated to mapping drives for my entire company on their desktops/laptops; however, I need to add a special mapped drive for when they log into our Citrix infrastructure. I have created a new GPO and in the User section added my mapped drive and set it to map to %userprofile% and set the drive letter. I set that GPO to be applied to certain users when they log into Citrix, but it doesn't map the drive. I have tried setting loopback on that policy to merge, but still no luck. I've even tried to change the variable to c:\Users\%username%, but still no luck. And I tried a batch file that works if you run it while logged in, but won't run from the Logon Script portion of the GPO. I really want to do this with the Mapped Drives function of the GPO, but I'm at a loss. Any thoughts would be greatly appreciated.
Is there a hierarchy of, perhaps, the top 5 most powerful default groups in Active Directory? I see Domain Admins mentioned quite a lot, but I wondered if there were others to be concerned about, as we need to review memberships for the high-privilege groups across the domain.
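An added example, not part of the original question, for the membership review it describes. It enumerates the direct and nested members of the built-in groups that are commonly reviewed first, looking each group up by its well-known SID so renamed or localised groups are still found, and then pulls out the usual red flags (non-user accounts in admin groups, passwords set never to expire, admin accounts unused for 90 days). Enterprise Admins, Schema Admins and Enterprise Key Admins exist only in the forest root domain, and the Key Admins groups only at the 2016 functional level; groups that do not exist are skipped. It assumes the ActiveDirectory module and read access to the domain(s) involved; the one-line notes next to each group are summaries, not a ranking.

```powershell
# Added example; not from the original question. Read-only: it changes nothing.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$root      = Get-ADDomain -Identity (Get-ADForest).RootDomain
$domainSid = $domain.DomainSID.Value
$rootSid   = $root.DomainSID.Value

# Scope 'Root' entries are queried against the forest root; the rest against this domain.
$groups = @(
    @{ Sid = 'S-1-5-32-544';   Scope = 'Domain'; Note = 'Administrators: full control of the domain and its DCs' }
    @{ Sid = "$domainSid-512"; Scope = 'Domain'; Note = 'Domain Admins' }
    @{ Sid = "$rootSid-519";   Scope = 'Root';   Note = 'Enterprise Admins: admin in every domain of the forest' }
    @{ Sid = "$rootSid-518";   Scope = 'Root';   Note = 'Schema Admins: can modify the schema' }
    @{ Sid = 'S-1-5-32-548';   Scope = 'Domain'; Note = 'Account Operators: can manage most users and groups' }
    @{ Sid = 'S-1-5-32-549';   Scope = 'Domain'; Note = 'Server Operators: can log on to and manage DCs' }
    @{ Sid = 'S-1-5-32-551';   Scope = 'Domain'; Note = 'Backup Operators: can read any file on a DC, including ntds.dit' }
    @{ Sid = 'S-1-5-32-550';   Scope = 'Domain'; Note = 'Print Operators: can load drivers on DCs' }
    @{ Sid = "$domainSid-520"; Scope = 'Domain'; Note = 'Group Policy Creator Owners' }
    @{ Sid = "$domainSid-526"; Scope = 'Domain'; Note = 'Key Admins' }
    @{ Sid = "$rootSid-527";   Scope = 'Root';   Note = 'Enterprise Key Admins' }
)

$report = foreach ($g in $groups) {
    $server = if ($g.Scope -eq 'Root') { $root.PDCEmulator } else { $domain.PDCEmulator }
    try {
        $group = Get-ADGroup -Identity $g.Sid -Server $server -ErrorAction Stop
    } catch {
        Write-Verbose "Not present here, skipping: $($g.Note)"
        continue
    }

    # -Recursive flattens nested groups down to the accounts that really hold the access
    $members = Get-ADGroupMember -Identity $group -Server $server -Recursive -ErrorAction SilentlyContinue

    foreach ($m in $members) {
        $details = $null
        if ($m.objectClass -eq 'user') {
            # Members from other domains may not resolve against this server; leave blanks rather than fail
            $details = Get-ADUser -Identity $m.distinguishedName -Server $server `
                -Properties Enabled, PasswordLastSet, LastLogonDate, PasswordNeverExpires `
                -ErrorAction SilentlyContinue
        }
        [pscustomobject]@{
            Group                = $group.Name
            Note                 = $g.Note
            Member               = $m.SamAccountName
            Type                 = $m.objectClass
            Enabled              = $details.Enabled
            PasswordNeverExpires = $details.PasswordNeverExpires
            PasswordLastSet      = $details.PasswordLastSet
            LastLogonDate        = $details.LastLogonDate
        }
    }
}

$report | Sort-Object Group, Member | Format-Table Group, Member, Type, Enabled, LastLogonDate -AutoSize

# Red flags: non-user objects in admin groups, passwords that never expire,
# and admin accounts that have not logged on in 90 days.
$report | Where-Object {
    $_.Type -ne 'user' -or $_.PasswordNeverExpires -or
    ($_.LastLogonDate -and $_.LastLogonDate -lt (Get-Date).AddDays(-90))
} | Format-Table Group, Member, Type, Enabled, PasswordNeverExpires, LastLogonDate -AutoSize
```

Members of these groups are also protected by AdminSDHolder (adminCount set to 1), so an account that still carries adminCount=1 after being removed is worth a second look in a later review.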
I have a number of Domain Controllers running win 2008 R2 and win 2016. On my domain controllers FRS and DFS are both running. On the 2016 server I get the event ID 13577 in Applications and Service Logs that FRS is being deprecated. That I should use DFSRMIG. What is going on?
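Both the Server 2019 promotion blocked by "The specified domain is still using the File Replication Service (FRS)" and event 13577 above point at the same step: moving SYSVOL replication from FRS to DFSR with dfsrmig. The following is an added example, not from either post, that drives that migration one state at a time and refuses to advance until every DC reports the current state, which dfsrmig requires. It is run on the PDC emulator as a Domain Admin, once per state (Start, Prepared, Redirected, Eliminated), and assumes the domain is at the Windows Server 2008 functional level or above and that SYSVOL is healthy on every DC first; FRS errors such as JRNL_WRAP_ERROR must be fixed before starting. The parsing relies on the English text dfsrmig prints, which is an assumption.

```powershell
# Added example; not from the original posts. Run on the PDC emulator as a Domain Admin.
$states = 'Start', 'Prepared', 'Redirected', 'Eliminated'   # dfsrmig global states 0..3

function Get-SysvolGlobalState {
    # dfsrmig prints a line like:  Current DFSR global state: 'Prepared'
    $out = dfsrmig /getglobalstate 2>&1 | Out-String
    if ($out -match "global state:\s*'(\w+)'") { return $Matches[1] }
    throw "Could not read the global state from dfsrmig:`n$out"
}

function Test-SysvolMigrationConsistent {
    # Lists DCs that have not reached the global state yet; reports a consistent state when all have
    $out = dfsrmig /getmigrationstate 2>&1 | Out-String
    Write-Host $out
    return ($out -match 'consistent state')
}

$current = Get-SysvolGlobalState
$index   = [array]::IndexOf($states, $current)
if ($index -lt 0) { throw "Unexpected global state '$current'" }
Write-Host "Current global state: $current ($index)"

if ($index -eq 3) {
    Write-Host 'Migration is already complete; FRS is no longer replicating SYSVOL.'
    return
}

if (-not (Test-SysvolMigrationConsistent)) {
    Write-Warning 'Not every DC has reached the current state. Wait for AD replication (or fix the lagging DC) and rerun.'
    return
}

$next = $index + 1
if ($next -eq 3) {
    # Eliminated removes FRS replication of SYSVOL; there is no way back to FRS afterwards.
    $answer = Read-Host "Move to 'Eliminated'? This is irreversible. Type YES to continue"
    if ($answer -ne 'YES') { return }
}

Write-Host "Advancing to $($states[$next]) ($next)..."
dfsrmig /setglobalstate $next
Write-Host 'Rerun this script once replication has converged to verify the new state and take the next step.'
```

Between runs, check that the DFSR copy of SYSVOL (SYSVOL_DFSR) is populated on every DC before moving past Redirected; the Eliminated step is the only one that cannot be rolled back.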
Can't delete mailbox exchange server 2016

Active Directory operation failed on MIT-DC02.mitcom.dk. This error is not retriable. Additional information: Access is denied. Active directory response: 00000005: SecErr: DSID-03152501, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
