Active Directory
Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

Domain naming master and PDC FSMO at random switches back to the secondary DC rather than staying with the assigned PDC. So I have to go back and change it to point to the PDC. Any reason why this happens?
How can I create a CNAME record to a web server that uses a particular port?

I already have the DNS record, but I need to create a CNAME. Can I add the port number to the FQDN section of the CNAME?
I have to make some changes in Office ProPlus:
1) Disabling the Switch Account feature on Word/Office documents.

When you open Word or Excel, go to Office > Account; there is a Switch Account feature (attached image).

I can disable it through the registry, as described below:

1. Open Registry Editor and navigate to HKCU\Software\Microsoft\Office\16.0\Common\Licensing
2. Right-click on the Licensing key and select DWORD (32-bit) Value.
3. Rename it to: HideManageAccountLink
4. Change the value to: 1.

But I am looking for how to configure the same through Group Policy. I found this link; will this work?


Disable Microsoft Accounts

To disable the ability to link domain and local computer accounts to Microsoft Accounts, open the Group Policy Management Console (GPMC) on Windows 8 or Server 2012 using a domain account that has permission to create new Group Policy Objects (GPOs).
•In the left pane of GPMC, expand your AD forest and domain.
•Right-click the Group Policy Objects folder and select New from the menu.
•In the New GPO dialog, name the GPO Restrict MS Account Linking and click OK.
•Click the Group Policy Objects folder in the left pane.
•Right-click the new GPO in the right pane of GPMC and select Edit from the menu.
•In the Group Policy Management Editor window, expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
•In …
We have moved machines from domain Alpha to domain Omega (mock names). Anyway, we removed the Windows 10 computers from the domain to a workgroup, restarted the PCs (Win 10), and joined them to the new domain, 'Omega'. They join fine. Users log on and it seems good. However, they cannot map drives to the file server 'Data' on the domain.

Also, on the machines that have the issue, when they ping the DC or file server, it is appending the old domain to the response. There is only one DNS server currently in the new domain being set up. Roughly half of the users have no issues and can map drives and surf the web. The other half has a problem mapping drives and locating local devices, but can surf external internet sites.

I'm not seeing anything on the DNS side. On one machine affected, I have looked at the registry and found several keys referring to the old domain lingering. I removed them and fixed the ping issue.

Ideas on a course of action?
Currently we have a DMZ with some external-facing web servers that are only available from the outside world via port 443. The SQL instance for the back end of this application is on a server that is in a trusted LAN, with only holes poked in the firewall between the DMZ and the trusted LAN for Active Directory, SQL, DNS and some others used for a managed antivirus client installed there.

I am under the impression that joining these web servers to the internal Windows domain is less secure than if we didn't join them to the domain. Right now I am testing a new web server that is not part of our domain, and I am having trouble getting the web server to access the database on our SQL server (integrated authentication), which is part of the domain.

I realize we can use SQL authentication, but I understand there are some risks involved there as well. I have tried adding a local user to both servers as if both were part of a workgroup, to no avail. Any other thoughts here?

I was also contemplating doing an RODC in the DMZ (or possibly in the trusted LAN and using firewall rules to direct all AD traffic to that server). The final idea I had was setting up a new forest in the DMZ and establishing a trust relationship between the new forest and the internal forest.

Any thoughts or experiences welcome. Thanks!!
I have a CSV file with an "email" column. This won't necessarily match the UPN of an AD user, but it should be contained in the proxyAddresses attribute of a user in AD. If not, then I'm looking to get that reported into a variable/separate list if possible.
It appears I can get all the users in AD where "$proxyAddress -contains $", but I can't reverse it and do a -notcontains.
Any idea how I can achieve this?
My coworker and I are at odds on the correct way to upgrade our DC.

What I've learned, but never had to do (promote a new DC), was to use DCPROMO: promote the new server and then demote the old server.

I would like to install Windows Server 2012 R2, add it to the domain and promote it via dcpromo.exe.

He's been at the company longer (10+ years; I've been here for 2 months) and thinks it's better if we use his way. We use a Datto for snapshot backups of the server. He thinks it's best to do a bare-metal restore from the Datto to the server. We are also in a failover clustered environment, if that makes a difference.

The server is a Gen 3 HP from 2010. The new server is a Gen10 from 2019. I told him that it's too great of a time period between servers and that a fresh install is best. He says that our DFRS, DNS and DHCP won't be transferred over to the new DC. I've told him that EVERYTHING is transferred over with DCPROMO.

I spoke with the Director, and he says we need to figure this out, laughed and walked away.
Now, this isn't going anywhere, so I'd like to get some feedback from seasoned system administrators.

Thank you,
Have a client running Outlook 2013 with multiple add-ins, and some keep disappearing. They are not showing as being auto-disabled (for speed, etc., by Outlook); the add-in checkbox is simply unchecked. When we recheck it, they will work for a while (sometimes), then turn off again. There are no alerts or messages when this happens.

However, when Outlook is run as Administrator, everything always comes up fine. It does not matter if the user logged into the machine has admin privileges or not.

There is no specific Group Policy in place that allows or disallows certain add-ins, and the AV has been disabled with no effect.

Also, this happens on both Win7 Pro and Win10 Pro installations running Office 2013.

Anyone have ideas on this?
I manage an Active Directory domain at the Windows Server 2012 domain and forest functional levels with two replicating DCs. This domain was first created as a 2000 AD domain, then migrated to Windows Server 2003, then migrated to Windows Server 2008 R2, and then again to Windows Server 2012. So the AD domain has been active for about 20 years now, and I am concerned the domain may now have a lot of extra baggage that is no longer needed or even applies. Our environment has also hosted Exchange NT Server, Exchange Server 2003, and now an Exchange 2010 server. We plan on moving to O365 as well. I do not plan on O365 mailboxes being integrated/managed by AD. We are looking at no more than 20 mailboxes.

I also believe AD now employs more secure channels of replication that need to be manually applied, and were not automatically applied during the 2012 AD level migration.

Later this year, I will purchase a new Windows Server 2019 server that will host a new DC. My understanding is that employing a new 2019 server as a domain controller only allows functional levels at the 2016 domain and forest functional levels, so there is no 2019 domain/forest functional level option.

So I have two options:

I have the choice of migrating the existing AD domain once again, to the 2016 functional levels, which is pretty easy and not much fuss.

Or, I can go ahead and set up a brand new 2016 AD domain/forest with a 2016 server as a replicated DC, and the 2019 server functioning as the primary …

I have two domains in different forests:
Domain A and Domain B

A bidirectional trust relationship has been configured between the two forests to allow Domain A users to connect to Domain B.

I want to automate the synchronization of users, groups and passwords.

When I create a user on Domain A, the creation on Domain B should be done automatically, as well as the synchronization of the password.

I tried ADMT; it works, but it is not automatic.

Do you have a way to make automatic synchronization with ADMT, or another free software that does?
Thank you
We currently have an offline Windows 2012 R2 root CA and a Windows 2012 R2 sub CA which issues certs to users and workstations. Both CAs' certs are coming up for renewal at the end of the year. Is it possible to use a file when renewing the certs to set the CAs to issue all auto-enrolled certs as SAN certs?
Need to write back to AD from the SharePoint 2013 User Profile service so that we can update MySites and those selected properties can update AD.
I've an issue in my environment, as I consider it a bug that my ex-manager decided to cancel the policy of changing the password for users every 42 days, and now we need to reactivate it again. But I'm asking about the effect when I do that, because we've 650 users. I'm asking: if I activate this policy, does it make all users change their password immediately, or will it count 42 days and then make users change it? My domain is Win2012R2 and 2016.

We recently stepped into the light and virtualized our environment. I was told that doing a P2V on a domain controller was not recommended. I was wondering if that is the case? I have a physical 2008 R2 server that is a DC, NPS and a certificate server, which is used for my wireless environment using RADIUS, which EE helped me to set up and configure, and it works great. I would like to virtualize this if possible. We had an outside company do the virtualization. For the DC they created a couple of VMs, made them domain controllers and transferred over the FSMO roles from the physical to the virtual. It has been a few months now and everything is running fine. We still have three physical servers because of their AD roles. What can I do about those?
I'm running a Samba Active Directory domain with Ubuntu 18.04 clients.

I used this guide to map local groups to domain users. It involved editing the following files...

    root@testpc:~# cat /etc/security/group.conf | sed '/^#/d'

    root@testpc:~# cat /usr/share/pam-configs/my_groups
    Name: activate /etc/security/group.conf
    Default: yes
    Priority: 900
    Auth-Type: Primary
            required               use_first_pass
    root@testpc:~# DEBIAN_FRONTEND=noninteractive pam-auth-update
    (I.e. no error...)

It seems to only work when I ssh as a domain user, but not when I "su - user" or do a local login (even though the local login is via the domain).
I.e., if I log in via ssh as the user, the dialout group appears fine...

    rightmire@localPC:~$ ssh rightmire@remotePC
    Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-46-generic x86_64)


    68 packages can be updated.
    43 updates are security updates.

    rightmire@remotePC:~$ groups
    domain users dialout master BUILTIN+users 

But if I su - rightmire, it does not appear...

    root@remotePC:~# su - rightmire
    rightmire@remotePC:~$ groups
    domain users master BUILTIN+users domain admins denied rodc password replication group staff konstrukteure vicongroup h2t rightmire

...AND users who log in locally, but are still logging in as domain users, are not being added to the group.

We have, as part of our Group Policy, a setting to insert certain shortcuts onto everyone's desktop. If a user logs into one PC they get the icons. If they log in to a second PC they get a second set of the same icons. This will continue for every PC they log in to. The issue is that, as we use OneDrive to keep and sync our Desktop files and folders, each PC will get multiple copies of the same icons.

Internet (1)
Internet (2)


Can you please tell me how we can prevent this from happening?
Last year we did a few things, starting with:
Next, one of the Experts engaged in a planning task for us that was tailored to our particular situation; the result was an outline of an approach that makes sense to *me*, and I'll be revisiting that soon.
Next, I set up a test lab with Windows Server 2016 Hyper-V VMs. Not that I *plan* to have two servers per site, but I *anticipate* the possibility.
That's going to be revved up now, and I'll probably configure a 2-subnet arrangement with a DC out of the 2 VMs on each. That will do a pretty good job of emulating the real environment.
(I'm a rather great believer in partitioning machine roles and in keeping things as simple to understand as possible.)

Some had asked what we are trying to accomplish:
- We aren't trying to implement file serving up front, because we already have a pretty good system set up for that and it's not the focus. BUT, I'm willing to consider it. And that's the purpose of THIS question.
- We need to provide user and access controls; that's the focus. And I'm hoping to grease the skids for things like SIEM that we now do sans-server. Keeping individual machines "connected", either passively or with agents, still proves to be challenging. There are always a handful of machines that don't respond, even after ALL the machines have been made responsive. I suspect Windows updates more than anything has …

I am currently "taking over" an old installation based on a Win 2008 R2 server and W7 workstations. We are migrating to Server 2019 and Windows 10.

A "plain vanilla" site, and not my first rodeo, so I did not expect much hiccup... still...

We now have the new Server 2019 joined into the domain and running AD DS. I have already moved the operations master roles without issues and was about to go further, but ran a routine DCDIAG on both servers. There were a few minor issues (like time not being in sync), but there is one that worries me on the new server:

Microsoft Windows [Version 10.0.17763.437]
(c) 2018 Microsoft Corporation. All rights reserved.


Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = SERVER2019
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\SERVER2019
      Starting test: Connectivity
         ......................... SERVER2019 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\SERVER2019
      Starting test: Advertising
         Warning: DsGetDcName returned information for \\OLDSERVER.domain.local, when we were trying to reach
         ......................... SERVER2019 failed test Advertising
      Starting test: FrsEvent
I need to write automated tests for a website.

There are countless tools/frameworks, but before even starting I need to understand how to tackle the authentication challenge.

The website has automatic authentication using the Windows domain (Kerberos), but I don't know how I can use a test tool and allow a specific domain user to be the one running the test (and, therefore, the browser).

Can you maybe provide a solution or point me in the right direction?

Thanks for your help and patience.
I have domain controllers running Windows 2012 R2 and Windows 2016, and I am trying to find out who added DNS A and CNAME records to the internal DNS zones.

Is there a way to accomplish that?

For example: user firstname.lastname added record "wrongdns" in zone "" ?
So I have installed a program on my laptops for students. They have HDD access, but for some reason they cannot see the installed program; they cannot even search for it. Also, all of the end users cannot see any of the apps in C:\Users\Public\Desktop. Is there a Group Policy that I can edit in order to allow the end users to see all programs and anything that I drop in C:\Users\Public\Desktop? We are running Win2k12 Server Service Pack 2 with Active Directory.
Hi there,
Is there a generic PowerShell script to add an Active Directory group to a large Windows file share, shared from a Unix device called a Nexstor? The folder permissions will be via NTFS, so basically we would need to add this AD group to the share via PowerShell. Is this available?
Hello all,

Probably some of you have already experienced this, so could you help me?

I'm in a project and we are migrating Windows 7 to Windows 10. After the migration, mapped drives are disappearing. Some considerations:

1 - In Windows 7 it is not happening.
2 - Mapped drives are being applied by GPO.
3 - The Map Drive GPO is set to Replace, and the Reconnect field is not checked.

Could someone let me know if it is a known Microsoft issue, and if there is a solution or even a good workaround?

Thanks and Regards.
Environment: Exchange 2013 SP1

This morning we realized that our Public Folders are no longer working. When trying to expand them in Outlook, we get:
Cannot expand the folder. The attempt to log on to Microsoft Exchange has failed

Looking in the Exchange Admin Center, it appears as if the Public Folders were just nuked:
If I try to create a new random "Test", I get this message:
Looking at the Exchange logs, I see the following happened a couple of times yesterday morning:
Any thoughts on where to look? What's interesting is that if I go to Servers --> Databases, it shows the public folder database "PFDB" is mounted and healthy.
Thank you so much for your time.
My Documents Redirection GPO does not seem to be working. I have set up a GPO to redirect user documents from their Windows 10 desktops to their home folders on the main server. I set up each user profile to point to \\servername\HomeFolders$\%username%, and the My Pictures, Videos, etc. show up in the home directory when they log on for the first time. However, if I place a test folder in the local Documents folder on the user desktop, it does not appear on the server side. If I look at the properties of the user's Documents folder on the workstation, it is still pointing to the C drive. Any assistance would be appreciated.