Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

1 Active Directory domain
3 sites
4 Domain Controllers, 2012 version.

3 ADFS 2.1 servers hosted on 3 DCs with Network Load Balancing over 2 sites
2 ADFS 2.1 proxy servers hosted on 2012 non domain servers in the DMZ with Network Load Balancing over 2 sites.

The domain needs to be upgraded to 2016, as does the ADFS server farm, to remain current. There is also a desire to host a DC in Azure or alternatively utilise Azure AD and reduce the amount of hardware on-site. The existing SSO configuration, O365 and SAML 2.0 configs, must remain functional throughout.

Can you outline an upgrade or migration path and highlight any potential risks?
Can anyone here please assist me with adding all of my Exchange 2013 CAS server roles from the same AD domain to the Source Server below:
Send Connectors
From the picture above, there is just one old CAS server that I will be decommissioning, PRODEXC14, so can I add PRODEXC42 and PRODEXC01-VM to give more resiliency in case one of the Exchange servers is rebooted or shut down for maintenance?

Here’s my Exchange Server deployment in the Single AD forest domain:

Name          Site  ServerRole             Edition   AdminDisplayVersion
----          ----  ----------             -------   -------------------
PRODEXC14           Mailbox, ClientAccess  Standard  Version 15.0 (Build 1130.7)
PRODEXC42           Mailbox, ClientAccess  Standard  Version 15.0 (Build 847.32)
PRODMAIL1-VM        Mailbox                Standard  Version 15.0 (Build 847.32)
PRODEXC01-VM        Mailbox, ClientAccess  Standard  Version 15.0 (Build 847.32)
PRODEXC43-VM        Mailbox                Standard  Version 15.0 (Build 847.32)
PRODMAIL2-VM        Mailbox                Standard  Version 15.0 (Build 847.32)

Is my assumption correct that adding the remaining CAS (Transport Service enabled) servers to the Source Server list will allow outbound email flow resiliency?

I hope there is no need for reboot or restart after adding the additional servers above.
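The change the post asks about, as an added example (not the poster's commands, and not Microsoft documentation) to be run in the Exchange Management Shell on an Exchange 2013 server. The connector name "Outbound to Internet" is a placeholder; the server names are the ones listed in the post. One point worth noting from the post's own server list: in Exchange 2013 the Transport service runs on the Mailbox role, so any of the Mailbox servers shown (not only the CAS-and-Mailbox ones) is eligible as a source server.

```powershell
# Added example, not the poster's commands. Run in the Exchange Management Shell.
# "Outbound to Internet" is an assumed connector name; server names come from the post.
$connectorName = "Outbound to Internet"

# Current source servers (the post shows only PRODEXC14 here).
$connector = Get-SendConnector -Identity $connectorName
$connector.SourceTransportServers | Select-Object Name

# Append the additional servers and keep PRODEXC14 until it is actually decommissioned,
# so there is never a moment with zero source servers on the connector.
$current = @($connector.SourceTransportServers | ForEach-Object { $_.Name })
$wanted  = ($current + @("PRODEXC42", "PRODEXC01-VM")) | Select-Object -Unique
Set-SendConnector -Identity $connectorName -SourceTransportServers $wanted

# Verify. No reboot is needed: the Transport service re-reads connector configuration
# from Active Directory, but allow for AD replication to the servers in other sites.
(Get-SendConnector -Identity $connectorName).SourceTransportServers | Select-Object Name

# When PRODEXC14 is finally removed, take it off the connector the same way:
# Set-SendConnector -Identity $connectorName -SourceTransportServers ($wanted | Where-Object { $_ -ne "PRODEXC14" })
```

Two checks before making the change in production: the new source servers will now send outbound mail from their own IP addresses, so the perimeter firewall must allow SMTP from them and any SPF record and reverse DNS entries that name the sending hosts need updating, otherwise mail from the "resilient" servers is the mail that gets rejected.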
Hi All,

I'd like to use Windows 10 VM (latest Creators Update 1703) to run a special BI software (Workstation Edition).
I wonder what the limitations or caveats are when I also install SQL Server 2008 R2 Std. Edition on this Windows 10 VM?

The reason I cannot use Windows Server is that the BI software cannot be installed on Windows Server OS.

I also need to run the reporting service on this Windows VM.

Windows 2012 R2 DCs, two domains, parent and child.

I created a new GPO for Folder Redirection for my Windows client machines: Windows 10, Windows 8.1 and Windows 7.

When I do a gpresult /r I see that the GPO has been applied.

The problem is that the security group which is in the scope of the GPO does not appear in the section "The user is part of the following security groups".

When I do a "whoami /groups" I see the security group that is missing.

When I run gpupdate:

Updating policy...

Computer Policy update has completed successfully.
User Policy update has completed successfully.

The following warnings were encountered during user policy processing:

The Group Policy Client Side Extension Folder Redirection was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to finish completely before the next startup or logon for this user, and this may result in slow startup and boot performance.

For more detailed information, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

So I ran gpresult /h gpr.html:

Folder Redirection did not complete policy processing because the user needs to log on again for the settings to be applied. Group Policy will attempt to apply the settings at the user's next logon.

Additional information may have been logged. Review …
I have two domain controllers. How does Azure AD Directory Sync work? Should I install it on both DCs and have one enabled/one disabled? If one DC tanks, enable Dir Sync on the other one? Or do I enable both?
Does anyone know how Azure Directory Sync works?
Windows Authentication functionality for MariaDB running on a Windows Server.
Basically, a user should be able to access MariaDB (running on a Windows Server) using their Windows Active Directory credentials, similar to MS SQL Server. Is there a solution available for this? Any information and steps to achieve it are appreciated.

Hi guys

I have assigned the PDC Emulator role to a new DC. I have then configured the external NTP source on this new PDCE server.
I now noticed that I did not change this setting on the other DC (Windows Server 2003), which is still a DC but no longer a FSMO role holder.

What's the best practice here? Should I avoid having the former PDCE use the external NTP time source? I believe it should get the time from the new PDCE, right? Any problems in leaving this DC as is?
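The reconfiguration the post is asking about, as an added example that is not part of the original post. The host names NEWDC01 (new PDC Emulator) and OLDDC01 (the former holder, Windows Server 2003), the domain corp.example and the NTP peers are all assumed placeholders. The security-relevant point is that a domain should have exactly one authoritative clock at the top of the hierarchy: a second DC that still syncs from its own external source can drift independently, and once DCs disagree by more than the Kerberos skew tolerance, authentication starts failing.

```powershell
# Added example, not the poster's configuration. NEWDC01, OLDDC01, corp.example and the
# NTP peers are assumed placeholders; replace them with your own.

# 0. Confirm which DC really holds the PDC Emulator role before touching time config
#    (needs the ActiveDirectory module, e.g. on the new DC or a RSAT workstation).
(Get-ADDomain -Identity "corp.example").PDCEmulator     # expected: NEWDC01.corp.example

# 1. On NEWDC01 (new PDCE): take time from external NTP servers and advertise as reliable.
#    ",0x8" = client mode for that peer; use your organisation's approved sources.
w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
Restart-Service W32Time

# 2. On OLDDC01 (former PDCE): drop the manual peer list, follow the domain hierarchy
#    (it then syncs from the PDCE) and stop advertising itself as a reliable source.
#    Windows Server 2003 has no PowerShell, so restart the service with net stop/net start.
w32tm /config /syncfromflags:domhier /reliable:no /update
net stop w32time
net start w32time
w32tm /resync /rediscover

# 3. Verify. "w32tm /query" exists from Server 2008 onward, so run it on NEWDC01:
w32tm /query /source          # expected: one of the external peers
w32tm /query /status
#    On the 2003 box, check the registry instead: Type should now be NT5DS (hierarchy),
#    not NTP (manual peers).
reg query HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters /v Type

# 4. From any DC, compare offsets across the whole domain; a second authoritative clock
#    shows up here as DCs disagreeing with the PDCE.
w32tm /monitor
```

Run step 4 again a few hours later: the offsets of every DC relative to the PDCE should be well under a second. If OLDDC01 keeps a large offset, it is still using its old peer list, and the place to look is whether the /config change was overwritten by a Group Policy time setting applied to the Domain Controllers OU.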

When my company's Active Directory domain was first established, before my time, my predecessor installed a certificate server; this was back in the days of 2003. In about 2009, due to the age of the machine and the fact that we never used it, or so we thought, we simply turned it off. About three weeks later our domain fell over as none of the domain controllers would talk to each other, or so it seemed. Fortunately we hadn't done anything with the certificate server and switching it back on resolved the issues we were experiencing. After that we upgraded it to 2008 R2 and even virtualised it, unwilling to remove it from the domain. However it's a 32-bit machine and we can't upgrade it further. We also don't use it; none of our systems as far as I can tell are configured to use it, and our websites etc. are all secured using external SSL certs. When we look at the certificate server it has not issued an actual certificate for years, there are none active, and to be certain we revoked all 'live' certificates.

So my question is: if we remove Certificate Services and then demote the machine out of the domain, is this safe, and will our domain continue to function or will it fall over again like in 2009? We don't particularly want to run a certificate server on the domain, but if one is required, is it easy to migrate services from the old server to the new?

Many thanks for your time and patience

Hi All,

Can someone please shed some light on the steps of how to install the wildcard SSL certificate *

1. Replace/remove the expired SSL certificate on my multi-role CAS/MBX servers?
2. Install the SSL certificate on the MBX server role only?

Because when I log in to the ECP, I get a notification for an invalid certificate, and I also notice that I forgot to install the wildcard SSL certificate on my mailbox server that runs as the passive mailbox DB DAG node.

Is there any outage in doing these steps, or is no outage required?

Hi all

- Exchange 2016 CU5
- IIS configured OWA logon with UPN

When I force an AD user to change the password, it does not work when I log in with the UPN.
When I use the NetBIOS name (domain\username) it immediately works.

How can I solve this issue?

Many thanks
regards Teggra
Hello experts, I'm trying to figure out how to create a shortcut to Active Directory on my application server. When I go to MMC & add snap-in from another computer (DC) I don't see the AD snap-in.

Please advise.
I am looking at implementing some sort of domain solution for a small/medium business comprising 20 offices, each with about 5 Windows PCs, and a head office of about 30 PCs. There is currently no domain in place; instead local user accounts are used to manage file shares etc. The offices are currently standalone with no VPN between the sites. Can someone suggest a cost-effective solution for introducing a domain controller/s for this kind of setup? My initial thoughts are to set up a domain controller at the head office and a VPN to the branches, or is there a cloud solution that may do the job? Has anyone come across a similar setup to this or have any recommendations?
Dear Experts,

I need your opinion on this question we have. Currently We host a SaaS environment for our customers. Due to a lot of legacy our SaaS environment is connected to the same domain controllers as our internal network and computers. Everything is very open and security is becoming a real issue. Now the question we struggle with, what is the best thing to do.

1. We completely separate our SaaS environment from their current domain. Create a new domain with its own forest. Only the administrators get a username and password in this new forest. This will make sure none of my employees can access the SaaS environment without an administrator knowing about it (which is what I eventually want to achieve).

2. We keep the SaaS environment and our own network in the same domain and forest, and we block any access for my users to the SaaS environment based on firewall rules, least-privileged user accounts, and audit policies.

I don't quite know what the best option is, both bring a lot of configuring and after work hours to implement. We just want a secure environment for our customers which is compliant with ISO 27001.
I have run the following script.
Since then, I have both an H: drive and a Z: drive pointing to the same network share (user share).
I do not understand where the Z: is coming from. I have checked the mapping algorithm and there is nothing about a Z:.
Is anything linked to something else in AD?

On the AD profile of the user it's H: which is specified.

Any idea? I would like to remove this Z: drive as it's a duplicate of my H: drive.

Thanks for feedback.

Script is attached.
Hi all,

I would like to know if it's possible to customize the Active Directory New User wizard in order to redirect each created user to their associated Organizational Unit.

So for instance, if user A has principal name, when created user A will automatically be created under OU
And so on for the rest of the users. If it's not possible to customize user creation, is it possible for this to be done through GPO?

Dear Team, I got this error when importing a PST to Exchange 2016 from a Synology NAS. We set Full permission on the folder and files for Everyone, but it did not help.

Env: Exchange 2016, Win Server 2012R2, NAS Synology 2416+

Does anyone know how to fix it?
Hello Experts. I am interested in updating the infrastructure docs for my company. We have a two-way forest trust with our parent company... I know there are tools out there that can basically map your environment for you, which you can then open via Microsoft Visio. Are there any good free tools that I can use? Thanks in advance

We need to enable complex passwords in our small organization. I am creating a test GPO:

Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy

and enabling password complexity, max password age 90 days, min password age 30 days, 8 characters.

How do I configure it such that when users log in next time, they need to change to a complex password?

Another important question: we have a lot of service accounts and we cannot change their passwords to complex passwords overnight. How can this be avoided in the first round, which is to change the users first?

Our AD is at 2008.
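One way to handle both questions in the post (force users to pick a new, compliant password at next logon, and keep service accounts out of the first round), as an added example that is not part of the original post. It assumes the domain corp.example, service accounts kept in a dedicated OU named "Service Accounts", a group "SvcAcct-PSO" containing them, the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later) and a domain functional level of Windows Server 2008 or higher, which is what fine-grained password policies require. The account name svc_backup is a placeholder.

```powershell
# Added example, not the poster's GPO. corp.example, the "Service Accounts" OU, the
# SvcAcct-PSO group, the output path and svc_backup are all assumed placeholders.
Import-Module ActiveDirectory

$domainDn  = "DC=corp,DC=example"
$serviceOu = "OU=Service Accounts,$domainDn"

# 1. Regular users: flag "user must change password at next logon". The new password is then
#    checked against the GPO's complexity/length rules at that moment. Exclude the service-account
#    OU and anything marked PasswordNeverExpires (Set-ADUser refuses the flag on those anyway).
$targets = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $domainDn -Properties PasswordNeverExpires |
    Where-Object { $_.DistinguishedName -notlike "*,$serviceOu" -and -not $_.PasswordNeverExpires }

$targets | Select-Object SamAccountName, DistinguishedName |
    Export-Csv -Path "C:\temp\ForcedChange-Review.csv" -NoTypeInformation   # review before applying
$targets | Set-ADUser -ChangePasswordAtLogon $true -WhatIf                    # drop -WhatIf once the list is right

# 2. Service accounts: a fine-grained password policy (PSO) that overrides the domain GPO for
#    members of the group, so they are neither expired nor rejected during the first round.
#    Tighten it (or remove it) once those passwords have been rotated properly.
New-ADFineGrainedPasswordPolicy -Name "PSO-ServiceAccounts" -Precedence 10 `
    -ComplexityEnabled $false -MinPasswordLength 8 `
    -MinPasswordAge (New-TimeSpan -Days 0) -MaxPasswordAge (New-TimeSpan -Days 365) `
    -PasswordHistoryCount 5 -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-ServiceAccounts" -Subjects "SvcAcct-PSO"

# 3. Check which policy actually wins for a given account (PSO beats the domain GPO when present).
Get-ADUserResultantPasswordPolicy -Identity svc_backup
```

The review export in step 1 is the important part: anything in that list that is really a service account (running a scheduled task, an IIS app pool or a SQL job) will break the next time it authenticates if it is forced to change its password, so move it into the OU or the PSO group first, then remove -WhatIf.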

Dear guys, we have multiple free, old servers and are thinking of utilizing them for business, but are not sure what and how. Can anyone who has experience give us some ideas please? Many thanks as always.
In our environment, "secure zone" refers to the internal zone which hosts the critical backend systems, while the DMZ hosts the more 'exposed' systems.

We got an audit finding that supporting infra systems (like SCCM, WSUS, NTP, our internal Vulnerability Assessment scanner) should not store authenticators (I assume this refers to credentials) of the critical systems (critical financial systems that transact huge amounts of $) that are hosted in the non-DMZ (i.e. secure) zone.

Well, SCCM (which we use to deploy PC patches & collect info from them; these PCs include PCs used to make/process large payments) & WSUS (which deploys patches to all servers, including the critical/sensitive servers) will need to have access to those critical systems to be able to deploy patches. Any idea if SCCM/WSUS store authenticators? We place these systems in our DMZ; should we place them in an isolated/more secure zone?

I presume when SCCM/WSUS is compromised, hackers could access the critical PCs & servers via these tools? If so, what are the mitigations?

We also have CyberArk, in which we lodge admin IDs of critical servers. If this CyberArk server is hosted in the DMZ, what's the risk? What are the mitigations? The vendor who helped us set it up suggested placing it in the DMZ (so that we could access it via the Internet to approve access requests): is this risky & what are the best practices to mitigate? I'm inclined to think these vendors are seasoned in selling …
By mistake I deleted one object; please let me know the recovery procedure.
I need a PowerShell script that will generate a .CSV file that, when viewed within Excel, will show all users' Active Directory logon names (in column A) and the date that each user's AD password was last changed (in column B).
Hi, we have picked up a new client who doesn't have any password policy in place on the AD.
We've arranged to set up one that changes every 90 days, etc.
I have a concern for remote users who have a phone or Outlook connected to the Exchange server.

The policy will be set up to have a minimum age of 90 days and a maximum of 105 days.

My query is, if we enable the group policy one evening and, for argument's sake, the workstations have the new GP enforced on them straight away, when the users come in the following morning the system will obviously ask them to change the password.
What will happen to users who are on the road that day? Will their phones stop working, or will the system allow some time period until they have to reset it?

What I don't want to happen is that we enable the policy and people who are in the office get locked out or have some hassle receiving mail.

Hope that makes sense.
Please provide me with the correct PowerShell script that will change each user's AD password based upon a .CSV spreadsheet.

This .CSV file will have two columns, with column A containing the user's AD SAM name (logon username) and column B containing the password that each user's AD logon username should be changed to (see the .CSV file below).

All of these AD accounts listed within column A already exist within Active Directory. I just need to create a PowerShell script that will run, read each AD username, and then change this username's AD password to the password shown in column B.

Column A for the AD username is named SAM. Column B for the AD password is named Password.

If you have any questions please let me know.

CSV script: CSV-script.csv.xlsx
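A script that does what the post describes, as an added example that is not the poster's script or attachment. It assumes the CSV has the header columns SAM and Password exactly as stated, that it has been saved as a real .csv at C:\temp\CSV-script.csv (placeholder path; the attachment shown is an .xlsx and has to be saved as CSV first), and that the ActiveDirectory module is installed. Two things the post does not mention but a script like this has to handle: an account in the CSV that does not exist, and a password in column B that the domain policy rejects, both of which otherwise stop the run halfway with no record of which accounts were done.

```powershell
# Added example, not the poster's script. Column names SAM and Password come from the post;
# the CSV and log paths are assumed placeholders.
Import-Module ActiveDirectory

$csvPath = "C:\temp\CSV-script.csv"
$logPath = "C:\temp\PasswordReset-Results.csv"

$results = foreach ($row in Import-Csv -Path $csvPath) {
    $sam    = ($row.SAM).Trim()
    $status = "ok"
    try {
        # Exact match on sAMAccountName; -Filter returns nothing (no error) when there is no match.
        $user = Get-ADUser -Filter "SamAccountName -eq '$sam'" -ErrorAction Stop
        if (-not $user) { throw "account not found" }

        $secure = ConvertTo-SecureString -String $row.Password -AsPlainText -Force
        # -Reset sets the password administratively (no old password needed). The domain
        # password policy is still enforced, so a value that breaks length/complexity rules
        # throws here and is recorded instead of silently skipped.
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure -ErrorAction Stop
    } catch {
        $status = "failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{ SAM = $sam; Result = $status }    # the password itself is never logged
}

$results | Export-Csv -Path $logPath -NoTypeInformation
$results | Where-Object { $_.Result -ne "ok" }            # show only the rows that need attention
```

Once the run is finished, the CSV is a file of plaintext credentials for every listed account, so delete it rather than leaving it in a shared folder; if the intent is that users end up with passwords only they know, adding Set-ADUser -ChangePasswordAtLogon $true for each successful row makes the CSV value a one-time value.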
What is the PowerShell command that can be run that will generate a .CSV file list of all Server 2016 AD user logon names (see the screenshot)?

I need to be able to import this .CSV of user logon names into an Excel spreadsheet where all usernames will be listed in column A.
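An export that serves both this post and the earlier one asking for logon names alongside the date each password was last set, as an added example that is not from either post. It assumes the ActiveDirectory module and an output path of C:\temp\AD-Users.csv (placeholder). Export-Csv writes the header row, so Excel shows LogonName in column A and PasswordLastSet in column B; for the logon-names-only request, keep just the first calculated property. The one edge case worth handling is an account flagged "must change password at next logon": its pwdLastSet attribute is 0 and PasswordLastSet is empty, which would otherwise appear as a blank cell indistinguishable from a missing value.

```powershell
# Added example, not from either post. Output path is an assumed placeholder.
Import-Module ActiveDirectory

$outPath = "C:\temp\AD-Users.csv"

$report = Get-ADUser -Filter * -Properties pwdLastSet, PasswordLastSet, PasswordNeverExpires |
    Sort-Object SamAccountName |
    Select-Object @{Name = 'LogonName';       Expression = { $_.SamAccountName }},
                  @{Name = 'PasswordLastSet'; Expression = {
                      # pwdLastSet = 0 means the user must change their password at next logon;
                      # PasswordLastSet is empty in that case, so label it instead of a blank cell.
                      if ($_.pwdLastSet -eq 0) { 'MUST CHANGE AT NEXT LOGON' } else { $_.PasswordLastSet } }},
                  @{Name = 'PasswordNeverExpires'; Expression = { $_.PasswordNeverExpires }},
                  @{Name = 'Enabled';              Expression = { $_.Enabled }}

$report | Export-Csv -Path $outPath -NoTypeInformation -Encoding UTF8

# Quick triage from the same data: enabled accounts whose password is more than a year old.
$report | Where-Object {
    $_.Enabled -and $_.PasswordLastSet -is [datetime] -and $_.PasswordLastSet -lt (Get-Date).AddDays(-365)
}
```

The PasswordNeverExpires and Enabled columns cost nothing extra and turn the list into a usable audit artefact: an enabled account with PasswordNeverExpires set and a PasswordLastSet years in the past is exactly the kind of account a password policy rollout tends to miss.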


