Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

DFSR replication seems to be failing on my Domain Controller that holds all the domain roles.

Every 5 minutes I get errors 2104 / 2212 and 2106 on the domain controller.

The other domain controllers report:

The DFS Replication service is stopping communication with partner domaincontrller for replication group Domain System Volume due to an error. The service will retry the connection periodically.
Additional Information:
Error: 9033 (The request was cancelled by a shutdown)
Connection ID: 8DAD90BA-150D-4DA4-9F30-5EED852B6CA4
Replication Group ID: 1996DD82-0403-4C8D-967F-99591BE03D71


The DFS Replication service encountered an error communicating with partner DomainController for replication group Domain System Volume.
Partner DNS address: DomainController.domain
Optional data if available:
Partner WINS Address: Domaincontroller
Partner IP Address: IP
The service will retry the connection periodically.
Additional Information:
Error: 1753 (There are no more endpoints available from the endpoint mapper.)
Connection ID: 8DAD90BA-150D-4DA4-9F30-5EED852B6CA4
Replication Group ID: 1996DD82-0403-4C8D-967F-99591BE03D71

I have checked the permissions for the System information folder and it all looks OK on the failing DC. I have also tried stopping the service, moving the DFSR folder and letting it rebuild it, but I still get the same error messages.

What can I do to fix this issue? I am worried that it will cause sync …

Is there a way via PowerShell cmdlets to extract users/computers within a container (including any subcontainers within the parent - if you can have such a thing in AD!)? I am guessing CN represents container in the output of the 'applies to' attribute column in Get-ADFineGrainedPasswordPolicy.

Dear Team, we already had 1 DC Win2012R2 + 1 Exchange Mail server 2016 and they are working fine.

We installed the Additional DC for load balancing and backup. However when we tested the failover process by shutting down the primary DC, we could NOT send/receive emails anymore.

Could you please help and suggest?

I've run AD PowerShell cmds to get the defaultpasswordpolicy and finegrainedpasswordpolicy settings. I noticed 3 fine grained password policy settings had been set which are more secure than the defaultpasswordpolicy. I know you can return what groups an AD account is a member of by PowerShell, but wasn't sure if you can also return a report of which domain policies they are subject to also, which may help for this task.

What I need is a command or way to report which AD accounts are subject to which password policy, e.g. default domain password policy, or any of the fine grained password policies. The PowerShell cmd used to get all policy settings does contain an "applies to" column. Does that mean default domain password policy would apply to every AD user outside of those specifically listed in the applies to column of finegrainedpasswordpolicy settings, who would then be subject to the finegrainedpasswordpolicies?

For info - these were the commands used

Get-ADFineGrainedPasswordPolicy -Filter *

Create user/serviceaccount

Only allow (the account) to read users from a specific security group in domain

The user must not be allowed to read all other users.


Error in DCDIAG (Event ID 0x80000857 / 0x0000043D)
Internal event: An attempt to add the following value to the following attribute was detected.  This value already exists on some object in the local Active Directory Domain Services database.  Active Directory Domain Services does not prevent such duplicate values.  Duplicate values of this attribute in the Active Directory Domain Services database may lead to error conditions in applications that rely on this attribute.  The attempt to add the duplicate value may have succeeded.

I have a CSV file that contains a list of inactive computers in AD. The first line of the column that contains the computer names has "NAME" in the field. Other columns contain AD properties of the computers.

Could someone assist with a script to read this CSV file and remove these inactive computers in AD?


I recently set up a Root CA and Sub CA.
The root CA is not domain joined and offline, called CompanyRootCA
Sub CA is domain joined Server 2016, called CompanyIssuingCA

Every 7 days the CompanyIssuingCA displays an error and will not restart until I copy a new .crl from the CompanyRootCA to inetpub/wwwroot/pki

Should I need to publish a new CRL every 7 days and manually copy it to the SubCA?

Hi all,
I'm migrating users from AD using ADMT. When the user is migrated to another AD, the flag "user must change the password at next logon" is set.
Does anybody know how to remove this flag in the process of migration? I do not want to do it manually.

We have a hybrid Exchange 2010 in place using AD Connect for password sync. We are now looking at migrating our on-premises 2010 SharePoint to online but it's asking for login every time.
So would the AD Connect pass-through work here, eliminating this logon problem? Are there any caveats to note before running the wizard? I see we have to add two URLs to GPO for intranet sites.

We have a Windows 2012 DC and Windows 7 workstations. When the users log in for the first time I would like them to have the default Windows 7 background on their desktop as in the snapshot file attached.
If they don't like the default Windows 7 background, I would like them to set their own desktop wallpaper, and this wallpaper must remain the same even if they log off and log into the same PC again.
Is this possible to achieve? If so, please post me step-by-step tutorials to set it up.

Thanks in advance and any help will be great.

"There are currently no logon servers available to service the logon request" when trying to log on to domain from member server via a RODC in perimeter/dmz network.

I can see SRV records in DNS for the RODC (in _msdcs and primary zone).
The member server is a member of "Allowed RODC Password Replication Group".
I added firewall rules on the RODC for the dynamic port range (49152-65535), TCP and UDP. But it didn't make a difference.
TCP/IPv4 dns settings for member server point to RODC as primary dns server. Assigned IP address is static. There's no dhcp in this dmz network.

nslookup's from member server list the RWDC's when looking for SRV or NS records. It's returning the closest RWDC for the "primary name server" when you look for SRV records.

I tried changing the RegisterSiteSpecificDnsRecordsOnly registry key on the RODC from 1 to 0, and granted write permissions to the RODC for the _msdcs and primary dns zones. I didn't wait long for replication of this change. It didn't work. Should I have waited longer?
Reference :

I tried each of these changes one at a time. Is it possible a combination of the changes is required?

I have a client with SBS2011 - I have migrated them to Office 365 email.
The SBS2011 box is in decent shape and provides the basic File Share / security services that they need.

I would like to remove Exchange 2010 from the SBS2011 so that there are more resources available to the server.

Eventually client would like to bring in new server with new OS, to Active Directory and eventually remove the old SBS2011.
So it would be nice to have AD without the Exchange traces in it.

We have 3 domains (not child) and I have been trying to remove one of them (not root) to get us down to the 2 we use. This domain I am trying to remove used to hold many child domains under it, and they were all removed properly... except for one, it seems. When I try to demote the server, it starts all checks, passes, and then reaches this point (according to the logs):

02/12/2018 10:41:36 [INFO] Uninstalling the Directory Service
02/12/2018 10:41:36 [INFO] Invoking NtdsDemote
02/12/2018 10:41:36 [INFO] Preparing the security account manager (SAM) and Active Directory Domain Services for demotion...
02/12/2018 10:41:36 [INFO] Validating the removal of this Active Directory Domain Controller...
02/12/2018 10:41:36 [INFO] Error - Active Directory Domain Services could not be removed on this Active Directory Domain Controller because this is the last AD DC in the domain, and the domain has a child directory partition DC=OldChildDomain,DC=ThisDomain,DC=Com. (8398)
02/12/2018 10:41:36 [INFO] NtdsDemote returned 8398
02/12/2018 10:41:36 [INFO] DsRolepDemoteDs returned 8398
02/12/2018 10:41:36 Failed to demote the directory service (8398)

I can't find this child domain anywhere... not in ntdsutil, not in ADSI Edit... the only reference I ever found to this old domain was in the attributes of the domain itself (right click domain name and go to properties --> attributes tab) and it was under the "subrefs" attribute.

Some profiles are not loading the roaming profile. The issue is on the Virtual Machines that have XP loaded.

Windows did not load your roaming profile and is attempting to log you on with your local
profile. Changes to the profile will not be copied to the server when you logoff.
Windows did not load your profile because a server copy of the profile folder already
exists that does not have the correct security. Either the current user or the
Administrator's group must be the owner of the folder. Contact your network administrator.


Host Machine:
- Win 7

Virtual Machine:
- XP

- Microsoft Server 2012 R2
- Microsoft Exchange 2013

We have Windows 7 and the staff had asked me to put an informative wallpaper on all the desktops for a week.
I went to the GPO that is applied for this user OU
User configuration-policies-Administrative templates-Desktop-Desktop
and set the policy to
Prohibit changes- Enabled

Desktop Wallpaper-Enabled
Gave the URL path where the wallpaper is located.
Wallpaper style- Fill
Prohibit adding items-Enabled.

Now they asked me to remove the wallpaper and I went to the same GPO and set it to the following:

Prohibit changes- Not Configured

Desktop Wallpaper-Not Configured
Prohibit adding items-Not Configured.

Now when users log in, the wallpaper is a black screen and I would like to put the Windows 7 default screen.

Even if I put the Windows 7 default screen manually and log off and log in, it reverts back to the black background.
Please post me tutorials so that the desktop stays on the Windows 7 default screen when users log in.

What are the recommended steps to remove AD accounts?
We see a lot of permissions on objects that have unknown accounts showing as "S-23234235-12564124..."

Are these because an account was deleted and permissions not removed? If so, what is the proper procedure so this mess doesn't occur, or is this normal to happen?

I am trying to view attributes of an AD User Object. I have enabled advanced view and I can see additional tabs compared to when advanced view is not enabled, but the Attribute tab does not show. What is causing this? Is there some kind of security feature enabled?

We have two offices, one in the US and the other in India. Both sites have Domain Controllers (Win 2012) and we have one public DNS server (BlueCat) which sits in the US. We are planning to migrate to Office 365 and have migrated a few pilot users. Currently users in India connect to the US regional data center servers using Outlook, because it resolves the US IPs as our public server sits in the US.

Currently I have added the HOST file entries on user desktops/laptops to connect to the Indian regional data center. My question is: what are my other options to redirect the traffic to local region data centers without using the HOST file?

PS: Implementing a public DNS server in the India office is a bit of an expensive solution, so we have kept it as a last resort.

I've run get-aduser to get all attributes but bizarrely for users it doesn't include the lastlogontimestamp. The same command from get-adcomputer does run and return that field, but get-aduser does not. Any theory why that may be? lastlogondate is populated but my understanding was it's not particularly accurate and lastlogontimestamp is reflective of any DC last logged into. I am unsure if this is to do with their AD setup or any other theories?

I require a tool or software where we can monitor changes from a specific help desk user on Active Directory.

It's been requested from higher up for the 1st Line analyst staff to be monitored when making any changes on AD, changes such as adding security groups/deleting users/resetting passwords.

Please advise

I need some guidance on how to make the following change possible. I have never done this in the past and would greatly appreciate everyone's help.

The current company I work for is changing the SMTP domain name from ABC.COM to XYZ.US. Following are the changes required:
1. Internal AD domain is not changing.
2. SMTP domain from ABC.COM to XYZ.US
3. Move existing mailbox from Exchange 2007 to Exchange 2013 (CAS role for Exchange 2007 is on separate Windows 2003 server)
4. Decommission Exchange 2007
5. Configure Exchange for multiple authoritative domains.

We are currently running Exchange 2007 and want to get rid of it. We will have to go with Exchange 2013 since I cannot have Exchange 2007 and Exchange 2016 in the same environment.

How would I go about doing this change? For internal DNS I just need to add another forward lookup zone, right?
Please let me know if I am missing anything else?

Thank you

Hello experts. Our KMS server went down, and we need to bring it up on a new Windows 2012 server. We were using the VAMT tool before. I have not configured a KMS server before but do know how it works. Is there a good step-by-step how-to document on configuring a KMS server? If I connect it to the same SQL database as before, will it pick up all the settings? Please advise, and thanks in advance.

Hi Experts. Can I get advice on giving a user domain admin-like creds without making them domain admin? They should have local admin privileges on all servers and be able to add/remove/change users.

Two domains, one w2k8 and one w2k12 r2

Thanks in advance


