Active Directory





Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.


My AD domain's functional level is Windows Server 2012.

I currently have two DCs that are both Windows Server 2012 servers. The primary DC, Prometheus, holds all the FSMO roles, and the other DC is simply a replicating DC. Both of these DCs reside on server hardware that is now 6+ years old.

I just installed a Windows Server 2019 server (host name: DC) on the network and promoted it as a DC.

My goal is to install another Windows Server 2016 server on the network and promote it as a DC (host name: DC2).

I then want to move all the FSMO roles from the DC Prometheus to the new Windows Server 2019 server, DC.

Then I want to demote and remove both Windows Server 2012 servers (Prometheus and Chronos) and simply remove them entirely from the network, since they have a high probability of incurring hardware-related failures.

I am thinking that once I have both new DCs operational I can raise the functional level of the domain to Windows Server 2016. Not a big deal, but if it is an option I may do so.

Do you foresee any issues moving forward?

Windows 2012 R2 was installed with all FSMO roles and the Windows Essentials service (DC1).
I had another DC with Windows 2016 installed (ADC2).

Windows 2012 R2 was having some issues, so I decided to transfer the FSMO roles to ADC2.
I successfully transferred all FSMO roles to ADC2.

Then I removed the Windows Essentials service (as I was not using it) from DC1.

I force-demoted DC1, ignoring the warning that Certificate Services is installed on the DC.

I missed backing up the CA as given on:

I never added any certificate on the CA. In the network, an MS Exchange 2013 server is also running that is using a public SSL certificate.

Do I need this Active Directory CA role or service for the smooth working of the network?

Or should I ignore this and proceed to shut down DC1?

Hi, we're looking for a tool that will help us "crawl" through our file share server to identify some groups and what permissions they have, either directly or inherited. I know some tools will tell you whether AD account A has file permission to file share B, but we are looking for something that will allow us to simply put in AD account A and have it search all the folders on our file share server for both share permissions and NTFS permissions. Even if it's a PS script or some third-party tool, we don't mind either.

I would like to run a PowerShell script that uses the Active Directory module cmdlets. But I would like to do it from a workstation that only has PowerShell and not ADUC installed.
Is there a way to connect to a server that has the PS Active Directory module cmdlets so I can run this script?

Can you provide me the correct syntax?

Hi Experts,

I have to migrate several mailboxes from DOMAIN A to DOMAIN B, cross-forest.
The user will stay in DOMAIN A but the mailbox is migrated to DOMAIN B.

We have nearly 200 mailboxes to do.
But in the meantime I have to test this.

How can I test the mail flow? The MX record is still pointing to DOMAIN A.

Do you have any ideas?

I need to create a script that does multiple actions, pulling input from a CSV file that contains the Active Directory account.

Here are the things needed to accomplish:

Disable Account - User

Change PWD

End Date User Account

Append Description in AD User account

Move to OU

Remove From Groups

Remove any Meetings that user is Organizer

Removing O365 licenses from user account

I have bits and pieces of some of the items that need to be done - I just don't know how to tie them all together.

Location of csv
C:\scripts\xxxx.csv

End Date:
#set account expiration date from the EndDate column of the CSV
Import-Csv "c:\scripts\contractors.csv" | ForEach-Object { Set-ADAccountExpiration -Identity $_.UserID -DateTime $_.EndDate }

Append Description in AD User account:
Get-ADUser XXXXAD -Properties Description | ForEach-Object { Set-ADUser $_ -Description "$($_.Description) Some more stuff" }

Remove From Groups:

#removes the user from all distribution and security groups
$dlists = (Get-ADUser $termuser -Properties memberof | Select-Object -ExpandProperty memberof)
foreach ($dlist in $dlists) { Remove-ADGroupMember -Identity $dlist -Members $termuser -Confirm:$False }
Write-Host "* Removed from all distribution and security groups"

Disable Account:
#disable user
Disable-ADAccount -Identity $termuser

Change Password:
Set-ADAccountPassword $userinput -NewPassword $newpwd -Reset

Move to OU:
Get-ADUser -Filter { samAccountName -like $userinput } | Move-ADObject -TargetPath "OU=Disabled Users,OU=User …

FRS to DFSR migration stuck in the Start state on 1 DC out of 3 DCs.
SYSVOL folder created successfully.
All 3 DC servers are Server 2012 R2; the DC we have the problem with is located on a different network segment, and all FW rules are open between the DC servers.

I'm creating two Hyper-V VMs: one for AD and one for Exchange.
The underlying OS is Server 2016 Standard.

I've installed the first VM with Server 2016 in prep for AD first, before Exchange.

I have one built-in Gigabit Ethernet port, and I have installed an Ethernet card that has two Ethernet ports.

What I don't know is how to use that 2-port Ethernet card with each port having a static IP for the two VMs, and how that all plays into the virtual switch (if it does?).

I'm seeking step-by-step advice on migrating an on-prem Windows Server 2008 R2 server to a new on-prem server running Windows Server 2019 Essentials. The client has fewer than ten users, so Essentials seems the appropriate version for them. Their 2008 server is a Domain Controller. It's their only server.

I'm asking for the list of steps that move the old server files and configuration, including the Active Directory configuration, to the new server. Thanks, Experts!

I just began to test users connecting via Remote Desktop.

When I log in as a user they can see all the folders, but cannot access the ones they do not have permission to.

In Active Directory they cannot see the folders they do not have access to.

I have ABE set correctly but users can still see the files.

Access Based Enumeration

During DCPromo a replication partner was defined; however, it was the wrong replication partner and replication is taking a very long time.

Is there a way to stop the replication and force it to replicate from another partner? SYSVOL is not online yet, and that is what seems to be taking the time in replication.

2012 R2

We have three domain controllers installed on Windows Server 2016 (virtual machines in VMware vCenter 6.7), and we need to create a similar test environment.
For that I restored a backup of one domain controller and tried seizing the FSMO roles (I have used these steps lots of times on different versions of Windows Server, 2003 and 2008 R2, and it worked perfectly).
But now, after seizing all FSMO roles and restarting the test domain controller, AD fails to work correctly.
When I run the command NETDOM QUERY FSMO to check the role holders, I get an error saying:
The specified domain either does not exist or could not be contacted.
I should point out that DNS resolution is working and the FSMO roles were seized using NTDSUTIL commands.
I wonder how I can make it work correctly?
Thank you in advance,

I have two scheduled tasks set to trigger on security event IDs 4767 and 4740 that fire on two of my domain controllers. They run a short PowerShell script like this:

# pull the single newest matching event from the Security log as text
$eventcontent = wevtutil qe security "/q:*[System [(EventID=4767)]]" /f:text /rd:true /c:1
# object types restored here; the post's HTML dropped them
$SmtpClient = New-Object System.Net.Mail.SmtpClient
$MailMessage = New-Object System.Net.Mail.MailMessage
$SmtpClient.Host = "[smtp server]"
$MailMessage.From = "[DC1@domainname]"
# recipient placeholder in the same style as the other bracketed values
$MailMessage.To.Add("[recipient@domainname]")
$MailMessage.Subject = $eventcontent
$MailMessage.Body = $eventcontent
$SmtpClient.Send($MailMessage)

The script works, as every time we have a lock or unlock we receive the email. The problem is that every morning between 2 and 6 AM we get a set of three emails, one of which is blank; the other two continuously reference the same old pair of logs.

Interesting details:
It was the case that all three of them were blank emails for a while, until I expanded the size of the Security event log. At that time two of them started to contain event information. The event information they contain is one user account lock and the corresponding unlock for that user account (4767 and 4740). These two emails come from two different domain controllers, the lock event coming from the PDC. The third (which is blank) also comes from the PDC.

I don't have any idea how to approach this; there is nothing special about the logs that are getting resent every day, so if anyone has any ideas I'm all ears. Thanks!

I have a simple network, all flat, using default VLAN 1 on my LAN. I do have 2 switches that have a different VLAN to separate my camera traffic.

I am implementing 2 more switches, stacked (VLAN 90), that I need to be able to access the rest of my current network, VLAN 1.
I'm going to create the new VLAN on the core switch and add an IP address to it. I know that all my uplink ports need to also be trunk ports so they can pass all the VLANs. I'm guessing all I need to do is add the new VLAN on every current switch in my network and that's all I have to do from a networking standpoint. I also need to add the IP helper command on my core switch, so I can pass the DHCP info to my DCs. Am I missing anything else I need to do?

In regards to my AD, I'm running Windows Server 2012 R2 for all 3 of my domains. I'm running DHCP and DNS.
So I'm assuming I need to create a new lookup zone for this new vlan and IP range.
Besides that, am I missing anything?  What else would I need to do?

Is there anything else I need to do to make this happen?

Does anyone have any first-hand experience with putting Active Directory in the cloud? I would assume Azure is the go-to since both things are Microsoft products? I manage a small school's IT and they have 2 on-prem servers that are getting old. Basically they use them for AD, File Services, and Print Server. I'd like to know if it's good to put those things in the cloud, and what are the do's, don'ts and gotchas with that type of plan. Thanks!
I have a Group Policy question on a Windows 2008 R2 server. I lost my network admin who used to take care of this type of issue. I am trying to change the source path that an installation MSI program is running from. The old server died and I need the installations to point to the new server. Do I have to just start from scratch on the policy, or can I update/correct the path? The computers are all on one domain.

I am trying to find the best practice for deploying applications via GPO. If there is an update out, do we:

1. Replace the original .msi with the new version?
2. Create a new package and point to the old version to upgrade?

Hello, we have a domain with Server 2016 with a ton of policies. We have enabled the following GPO and done gpupdate /force, and it is still not showing Event ID 4732 in the Event Viewer Security log. Thoughts?

Thanks for your help,

I have a Notepad file called "AllUser" containing 1000 users. I have created a universal security group in Active Directory called "AllMkt" and would like to import all the 1000 users into this universal security group.

Is there a PowerShell command for this? Let me know the best way of doing this.

If it is PowerShell, please post me the exact syntax that I need to run.

Any tutorials and help much appreciated.

If our current Active Directory Certificate Services PKI infrastructure is based on Windows 2008 R2 and is in our old domain, what is the best way to upgrade the OS and move ADCS (including existing templates) to our newly built AD domain at the 2016 domain functional level, which is an Azure hybrid (for O365 only, however)? Any tutorials or gotchas to share?


We had a server crash. I was able to fix the boot restart loop, but at the very end of booting we got the following error:

stop c00002e2 Directory services could not start because of the following device attached to the system is not functioning

error status 0xc0000001

please shutdown this system and reboot into directory services restore mode

check the event log for more detailed information

OK, I have never had to do this routine, so any guidance on this would be greatly appreciated.

Where do I even begin?

Thanks for being patient with me.

I have a single-forest, multiple-child-domain environment.

Site-1: 4 Mailbox Servers, Exchange 2013.
    Admin ID: without mailbox, Org Admin and Domain Admin @

Site-2: 3 Mailbox Servers, Exchange 2016 (recently migrated from Exchange 2010 with 2 Mailbox and 4 HUB/CAS to 3 Mailbox 2016).
    Admin ID: without mailbox, Org Admin and Domain Admin @ child1

Site-3: 2 Mailbox, 2 HUB/CAS, Exchange 2010
    Admin ID: without mailbox, Org Admin and Domain @ Child2

Site-4: 1 Mailbox/Hub/CAS, Exchange 2010
    Admin ID: without mailbox, Org Admin and Domain @ Child3

I can access ECP on Site-1 using

I can't access ECP on Site-2 using

I can access EMC on Site-3 using

I can access EMC on Site-4 using

Error at Site-2 ECP:

At first, when I access ECP on the server at Site-2 it gives me the ECP page, but when I enter my credentials for the account in AD at the same site, CHILD1\C1Admin, it shows the error
Sorry! Access denied :(
You don't have permission to open this page. If you're a new user or were …

We have received the following email from Microsoft in regards to our tenant. I'm confused and unable to find anything concrete as to what to expect. We have 4 locations throughout the US and have 5 different domains in our tenant. With the change coming on 2-29-2020, am I understanding that Microsoft will enable MFA for all users in our tenant? If this is true, can we set up Conditional Access rules that would disable MFA at least temporarily? We have roughly 1250+ users and would prefer to roll this out at each location one at a time by department instead of flipping a switch for the entire organization. Any help would be appreciated.

Security Defaults is the generally available version of Azure Active Directory Baseline Protection policies and is available today to all tenants. We'll be gradually replacing Baseline Protection policies with Security Defaults starting February 29th, 2020.
This message is associated with Microsoft 365 Roadmap ID 55688.
[How does this affect me?]
You are receiving this message because our reporting indicates you are using Azure Active Directory Baseline Protection policies. Baseline protection policies will stop being enforced starting February 29th, 2020. You will need to either move to Security Defaults or configure equivalent Conditional Access policies.
If you are interested in protecting your organization from identity related attacks, tenant admins will be able to enable the basic level of identity security in their tenant …

We have a Windows 2012 DC and Windows 10 workstations.

On APPSvr-1 we have a share called Applications, and this drive gets mapped as the "S" drive when any user logs into the workstations.

On this share I have created a folder \\APPSvr-1\Applications\Fin\Fin Revision

Within the Fin Revision folder, there are many MP3 files saved.

For every user, I would like to create a shortcut pointing to the Fin Revision folder and the MP3 files.

On all the Windows workstations I can see the folder "Fin Revision" under
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Fin\Fin Revision

But there are no MP3 files within the Fin Revision folder.

Please see the snapshot of the GPO that has been set up and let me know if I am missing any settings.

I have an issue with some servers authenticating to servers on the other side of the world from them.

The member server is set to have SERVER A as its DNS server.
SERVER A is also a DC and sits very close to the member server.

Sites and Services is configured with the correct subnet associated with the correct site.
SERVER A is a DC in that site.

SRV records are configured for SERVER A (GC, Kerberos, LDAP).

Also, when running nltest /dsgetdc:domain.local  I see the Server in the Correct "Our Site"  however, the authenticating server is in a site on the other side of the world.  

I then run a nltest /dsgetdc:domain.local /force.  It then goes to the DC that is closest to it, one I would expect.   I logoff, then back on, we are going around the world again.

I don't understand why it would try to go around the world, which is taking a while for auth to occur. I am missing something.

Server 2012 R2

Any ideas?
