Active Directory





Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.



Some of my Outlook client users do not receive the Exchange proxy settings shown in the picture below.
Outlook Anywhere Proxy
So how do I ensure that all of the newly built computers are able to connect to the Exchange server using the Autodiscover service?

I’ve set the below already for all of my CAS servers:

CAS Autodiscover URI
Set-ClientAccessServer -Identity SERVER-NAME -AutoDiscoverServiceInternalUri ""


Outlook Anywhere
Set-OutlookAnywhere -Identity "SERVER-NAME\Rpc (Default Web Site)" -InternalHostname "" -InternalClientAuthenticationMethod Ntlm -InternalClientsRequireSsl $true -IISAuthenticationMethods Negotiate,NTLM,Basic
Set-OutlookAnywhere -Identity "SERVER-NAME\Rpc (Default Web Site)" -ExternalHostname "" -ExternalClientAuthenticationMethod Ntlm -ExternalClientsRequireSsl $true -IISAuthenticationMethods Negotiate,NTLM,Basic 


So I wonder what I missed here.


I recognize the official word from Microsoft is:

If a smart hosted SMTP Send Connector has multiple smart hosts defined, load balancing and fault tolerance are accomplished using these smart hosts.

but what does that mean? Is there a round robin? What does load-balanced specifically mean in this case?

Thank you.
Are there any scripts I can create to report the disk usage and memory issues of the 100 Windows servers in my environment?

I am not talking about monitoring software or SCOM, but some basic scripts (Windows PowerShell) which I can run through Task Scheduler on one of my servers.
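One way to do this, as an added example that is not part of the post above: a PowerShell script that reads a server list, pulls free disk and memory figures over WMI (no WinRM needed, so it works against 2008 R2 as well) and writes a CSV plus a warning list on each scheduled run. The file paths and the warning thresholds are assumptions; run it from Task Scheduler under an account that is a local administrator on every target.

```powershell
# Added example (not the poster's code): disk and memory inventory over WMI.
param(
    [string]$ServerList  = 'C:\Scripts\servers.txt',   # assumed path: one host name per line
    [string]$OutDir      = 'C:\Scripts\Reports',        # assumed path for the reports
    [int]   $DiskWarnPct = 10,                          # warn when a volume has less than 10 % free
    [int]   $MemWarnPct  = 10                           # warn when free RAM is less than 10 %
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }

$rows = foreach ($server in (Get-Content $ServerList | Where-Object { $_.Trim() })) {
    $server = $server.Trim()
    try {
        # Win32_OperatingSystem reports memory in KB, hence the /1MB to get GB.
        $os     = Get-WmiObject Win32_OperatingSystem -ComputerName $server -ErrorAction Stop
        $memPct = [math]::Round(100 * $os.FreePhysicalMemory / $os.TotalVisibleMemorySize, 1)
        [pscustomobject]@{
            Server  = $server; Kind = 'Memory'; Name = 'RAM'
            TotalGB = [math]::Round($os.TotalVisibleMemorySize / 1MB, 1)
            FreeGB  = [math]::Round($os.FreePhysicalMemory / 1MB, 1)
            FreePct = $memPct
            Warn    = ($memPct -lt $MemWarnPct)
        }
        # DriveType=3 restricts the query to local fixed disks (no CD, no mapped drives).
        Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' -ComputerName $server -ErrorAction Stop |
            ForEach-Object {
                $pct = if ($_.Size) { [math]::Round(100 * $_.FreeSpace / $_.Size, 1) } else { 0 }
                [pscustomobject]@{
                    Server  = $server; Kind = 'Disk'; Name = $_.DeviceID
                    TotalGB = [math]::Round($_.Size / 1GB, 1)
                    FreeGB  = [math]::Round($_.FreeSpace / 1GB, 1)
                    FreePct = $pct
                    Warn    = ($pct -lt $DiskWarnPct)
                }
            }
    } catch {
        # Unreachable or access denied: record it so the gap shows up in the report
        # instead of silently vanishing from the CSV.
        [pscustomobject]@{
            Server  = $server; Kind = 'Error'; Name = $_.Exception.Message
            TotalGB = $null; FreeGB = $null; FreePct = $null; Warn = $true
        }
    }
}

$rows | Export-Csv -Path (Join-Path $OutDir "inventory-$stamp.csv") -NoTypeInformation
$rows | Where-Object { $_.Warn } |
    Format-Table Server, Kind, Name, FreePct -AutoSize |
    Out-File (Join-Path $OutDir "warnings-$stamp.txt")
```

Schedule it with an action of `powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Get-ServerHealth.ps1` (file name assumed). The error rows matter as much as the warnings: a server that stops answering WMI is usually the one you want to look at first.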
My domain controller hung up today. Even though the system was up, all services were unresponsive except for DNS (since it was responding to nslookup queries). I wanted to RDP into the box but it hung on "connecting".
After hard rebooting the box, I filtered through the event viewer but there are so many events that I got overwhelmed.

Can someone help with any idea on where to start troubleshooting?

By the way, my domain controller is a Windows 2008 R2.

Thank you!
Hello All,

I am creating a check list to verify replication and functionality on my domain controllers.
What could be the items that I can quickly check on a daily basis that will verify optimal functionality and replication amongst my domain controllers?

My Domain controllers are Windows 2008 R2.
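A daily checklist in script form, as an added example for this question and for the "where do I start after a DC hang" question above; it is not code from either post. It runs from a management host with RSAT (repadmin and dcdiag on the path) under a domain admin account. Host names are discovered from AD; the 24-hour window and the service list are assumptions you can tune.

```powershell
# Added example (not from the posts): daily health check for 2008 R2 DCs.
Import-Module ActiveDirectory
$since    = (Get-Date).AddHours(-24)
$dcs      = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$findings = @()

# 1. Replication: "/showrepl * /csv" gives one row per destination DC, partition
#    and source partner. Any failures or a non-zero last status is a finding.
$repl = repadmin /showrepl * /csv | ConvertFrom-Csv
foreach ($r in $repl) {
    if ([int]$r.'Number of Failures' -gt 0 -or $r.'Last Failure Status' -ne '0') {
        $findings += [pscustomobject]@{
            DC = $r.'Destination DSA'; Check = 'Replication'
            Detail = "$($r.'Naming Context') from $($r.'Source DSA'): status $($r.'Last Failure Status'), last success $($r.'Last Success Time')"
        }
    }
}

# 2. dcdiag on each DC. /q prints only failures, so any output at all is a finding.
$tests = '/test:Replications', '/test:Advertising', '/test:SysVolCheck',
         '/test:NetLogons', '/test:Services', '/test:FsmoCheck', '/test:KnowsOfRoleHolders'
foreach ($dc in $dcs) {
    $out = & dcdiag "/s:$dc" @tests /q 2>&1 | Where-Object { $_ -and "$_".Trim() }
    foreach ($line in $out) {
        $findings += [pscustomobject]@{ DC = $dc; Check = 'dcdiag'; Detail = "$line".Trim() }
    }
}

# 3. Core services, plus Critical/Error events in the AD-related logs since $since.
#    Add NtFrs or DFSR to the list depending on how SYSVOL is replicated.
$services = 'NTDS', 'DNS', 'Kdc', 'Netlogon', 'W32Time'
foreach ($dc in $dcs) {
    Get-Service -ComputerName $dc -Name $services -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -ne 'Running' } | ForEach-Object {
            $findings += [pscustomobject]@{ DC = $dc; Check = 'Service'; Detail = "$($_.Name) is $($_.Status)" }
        }
    # Level 1 = Critical, 2 = Error. Grouping by provider and event ID turns a
    # flood of repeated events into one line with a count, which is the view you
    # want when the log is too big to read after a hang.
    $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Directory Service', 'System'; Level = 1, 2; StartTime = $since }
    $events | Group-Object ProviderName, Id | ForEach-Object {
        $first = $_.Group[0]
        $findings += [pscustomobject]@{ DC = $dc; Check = 'EventLog'
            Detail = "$($_.Count)x $($_.Name): $(($first.Message -split "`n")[0])" }
    }
}

if ($findings) { $findings | Sort-Object DC, Check | Format-Table -AutoSize -Wrap }
else { "All $($dcs.Count) DCs: replication, dcdiag, services and event logs clean since $since" }
```

Section 3 is also the place to start on the hung DC: run it once with `$since` set to just before the hang and read the grouped Directory Service and System errors in time order before opening Event Viewer by hand.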
Hi All,

What is the purpose or benefit of joining an ESXi host to Active Directory?

And what are the caveats or risks involved?

About a year ago I decided to move us from Exchange 2010 On-Prem to Exchange Online.  Due to some peculiar circumstances, I had to go to Exchange Hybrid first (keeping my Exchange 2010 On-Prem) until I could wrap up a few user accounts.  I'm now ready to go ahead and finish migrating to Exchange Hybrid, fully getting rid of Exchange On-Prem.

However, the last MS rep I spoke with stated that due to having a local AD, I need to keep the On-Prem Exchange server but couldn't give me a good reason.  

I really would like to be fully Exchange On-Line and am looking for opinions/thoughts from others.  Do I need to retain the On-Prem Exchange server?  Can I decom it with minimal issues?  If so, any recommendations for the best path to do this?


I am removing an old domain controller. I see that Default-First-Site-Name has the same value as the name of the domain controller I am removing. What is Default-First-Site-Name? Does it matter that the ISTG is the same name as the domain controller I am removing?
Looking for some guidance on this.

One of our customers has an ADTRAN Bluesocket WiFi device set up for wireless in a school.

Currently the users have to be manually added to the ADTRAN so that they can have WiFi access.

I'd like to be able to integrate the ADTRAN with AD so that users in a specific OU or OUs can have WiFi access.

I'm looking at the Bluesocket Admin Guide on pages 107 - 111.

Is this what I'm looking for, or am I off base?

If I'm not looking in the right place, I'm looking for someone with some experience who can point me in the right direction.

This is a project that was assigned to me where I have the AD experience, but not the ADTRAN integration.


We would like to remove AD RMS from documents but are unsure what documents are protected.
If we decommission the service it will leave sensitive documents unlocked for all users to access.
Is it possible to scan to see what documents have RMS enabled?
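A scanner for this, as an added example and not the poster's code. Two rules are applied: the extensions the RMS sharing application gives generically protected files (.pfile, .ppdf, .ptxt and so on) are taken as protected outright, and Office files are inspected, because an IRM-protected .docx/.xlsx/.pptx is no longer a ZIP ("PK" header) but an OLE compound file (D0 CF 11 E0 header) whose data-space transform names the "DRMTransform" class, while a merely password-encrypted file uses the same container with an encryption transform instead. That signature is an assumption taken from the Office encryption container format: check the script against one file you know is RMS-protected and one that is only password-protected before trusting a full scan. Where the RMS Protection or AIP client PowerShell module is installed, Get-RMSFileStatus is the supported way to ask the same question; this is the offline fallback.

```powershell
# Added example (not the poster's code): find RMS/IRM-protected files on a share.
function Test-RmsProtectedOfficeFile {
    param([string]$Path, [long]$MaxBytes = 64MB)   # files above MaxBytes are skipped (assumed cap)
    $fi = Get-Item -LiteralPath $Path
    if ($fi.Length -lt 8 -or $fi.Length -gt $MaxBytes) { return $false }
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # OLE compound file signature. An unprotected OOXML file starts with 0x50 0x4B ("PK").
    $isOle = ($bytes[0] -eq 0xD0 -and $bytes[1] -eq 0xCF -and $bytes[2] -eq 0x11 -and $bytes[3] -eq 0xE0)
    if (-not $isOle) { return $false }
    # Names inside the container are UTF-16LE. Decoding the whole file as Latin-1
    # keeps one char per byte, so the UTF-16LE pattern is found at any byte offset.
    $latin1 = [System.Text.Encoding]::GetEncoding(28591)
    $hay    = $latin1.GetString($bytes)
    $needle = $latin1.GetString([System.Text.Encoding]::Unicode.GetBytes('DRMTransform'))  # assumption, see lead-in
    return $hay.Contains($needle)
}

function Find-RmsProtectedFiles {
    param([string]$Root)
    $office  = '.doc', '.docx', '.docm', '.dot', '.dotx', '.xls', '.xlsx', '.xlsm', '.ppt', '.pptx', '.pptm'
    $generic = '.pfile', '.ppdf', '.ptxt', '.pjpg', '.ppng', '.pxml'   # RMS sharing app formats (assumption)
    Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        $ext  = $file.Extension.ToLowerInvariant()
        $protected = $false
        if ($generic -contains $ext) {
            $protected = $true
        } elseif ($office -contains $ext) {
            try   { $protected = Test-RmsProtectedOfficeFile -Path $file.FullName }
            catch { Write-Warning "$($file.FullName): $($_.Exception.Message)" }
        }
        if ($protected) {
            [pscustomobject]@{
                Path     = $file.FullName
                SizeKB   = [math]::Round($file.Length / 1KB)
                Modified = $file.LastWriteTime
                Owner    = (Get-Acl -LiteralPath $file.FullName).Owner
            }
        }
    }
}

# Assumed share path. Write the list to CSV so it can be reviewed and the
# documents re-protected or archived before the service is decommissioned.
Find-RmsProtectedFiles -Root '\\fileserver\docs' |
    Export-Csv -Path 'C:\Temp\rms-protected.csv' -NoTypeInformation
```

The Owner column is there so each hit can be handed to someone who can open it with a valid RMS licence and decide what to do with it.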


I was trying to migrate one user from parent domain to child domain but I am getting the below error:

[Object Migration Section]
2016-05-24 19:52:25 Starting Account Replicator.

2016-05-24 19:52:30 ERR2:7525 Failed to connect to server. This is the DC with the RID Pool allocator role in the source domain. It is required for move object operation to work.  The specified server cannot perform the requested operation.

2016-05-24 19:52:30 ERR2:7420 Failed to connect to domains for MoveObject, hr=8007003a  The specified server cannot perform the requested operation.

2016-05-24 19:52:30 Operation completed.

I am able to ping the source domain RID master from the target domain, and nslookup also resolves the server name. All ports are open between the servers in both domains. My account is a member of the Domain Admins group and also of the local Administrators group in both domains. Could you please help with this?

Thanks in Advance,
Hi All,

Suppose I'd like to add the existing production mailbox database copies from one server to another; is the below PowerShell correct?

These are the Exchange Server 2013 Standard Edition servers that I've got:

AD Site:Default-First-Site-Name
PRODMAIL20-VM [Mailbox & CAS]
C:\ OS - 200 GB
D:\ PRODMAIL20-VM-DB01 - PRIMARY [DB & Logs] 999 GB
E:\ PRODMAIL20-VM-DB02 - PRIMARY [DB & Logs] 999 GB

AD Site: Head Office
PRODMAIL30-VM [Mailbox & CAS]
C:\ OS - 200 GB
F:\ PRODMAIL30-VM-DB01 - PRIMARY [DB & Logs] 999 GB
G:\ PRODMAIL30-VM-DB02 - PRIMARY [DB & Logs] 999 GB

#Adding Mailbox DB copy and manually start the DB replication after hours
Add-MailboxDatabaseCopy PRODMAIL20-VM-DB01 -MailboxServer PRODMAIL30-VM -SeedingPostponed
Add-MailboxDatabaseCopy PRODMAIL20-VM-DB02 -MailboxServer PRODMAIL30-VM -SeedingPostponed

Add-MailboxDatabaseCopy PRODMAIL30-VM-DB01 -MailboxServer PRODMAIL20-VM -SeedingPostponed
Add-MailboxDatabaseCopy PRODMAIL30-VM-DB02 -MailboxServer PRODMAIL20-VM -SeedingPostponed


# Resume replication afterhours
Resume-MailboxDatabaseCopy -Identity PRODMAIL20-VM\PRODMAIL20-VM-DB01
Resume-MailboxDatabaseCopy -Identity PRODMAIL20-VM\PRODMAIL20-VM-DB02
Resume-MailboxDatabaseCopy -Identity PRODMAIL30-VM\PRODMAIL30-VM-DB01
Resume-MailboxDatabaseCopy -Identity PRODMAIL30-VM\PRODMAIL30-VM-DB02


# Suspend replication afterhours
Suspend-MailboxDatabaseCopy -Identity PRODMAIL20-VM\PRODMAIL20-VM-DB01
Suspend-MailboxDatabaseCopy -Identity PRODMAIL20-VM\PRODMAIL20-VM-DB02
Suspend-MailboxDatabaseCopy -Identity PRODMAIL30-VM\PRODMAIL30-VM-DB01
Suspend-MailboxDatabaseCopy -Identity PRODMAIL30-VM\PRODMAIL30-VM-DB02


I get confused myself because the Exchange console GUI requires a number to be specified for the Activation Preference.

What's the best way to specify that number for all passive copies of the mailbox databases?
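The activation preference can be set from the shell as well, as an added example that is not the poster's code: -ActivationPreference is a parameter of both Add-MailboxDatabaseCopy and Set-MailboxDatabaseCopy, so the copies can be created with the number in place and renumbered later from the copy status. Server and database names are the ones from the question.

```powershell
# Added example (not the poster's code): add copies with an activation
# preference, then renumber all copies from their live status.
$copies = @(
    @{ Db = 'PRODMAIL20-VM-DB01'; Server = 'PRODMAIL30-VM' },
    @{ Db = 'PRODMAIL20-VM-DB02'; Server = 'PRODMAIL30-VM' },
    @{ Db = 'PRODMAIL30-VM-DB01'; Server = 'PRODMAIL20-VM' },
    @{ Db = 'PRODMAIL30-VM-DB02'; Server = 'PRODMAIL20-VM' }
)
foreach ($c in $copies) {
    # 2 = first passive copy; the existing active copy keeps preference 1.
    Add-MailboxDatabaseCopy -Identity $c.Db -MailboxServer $c.Server -ActivationPreference 2 -SeedingPostponed
}

function Set-CopyPreferences {
    # For every database: the active copy gets 1, passive copies get 2..n in
    # server-name order. Run it after adding or moving copies by hand so the
    # numbering stays consistent.
    Get-MailboxDatabase | ForEach-Object {
        $db      = $_.Name
        $status  = Get-MailboxDatabaseCopyStatus -Identity "$db\*"
        $active  = $status | Where-Object { $_.ActiveCopy }
        $passive = $status | Where-Object { -not $_.ActiveCopy } | Sort-Object MailboxServer
        Set-MailboxDatabaseCopy -Identity "$db\$($active.MailboxServer)" -ActivationPreference 1
        $pref = 2
        foreach ($p in $passive) {
            Set-MailboxDatabaseCopy -Identity "$db\$($p.MailboxServer)" -ActivationPreference $pref
            $pref++
        }
    }
}

Set-CopyPreferences

# Verify: one row per copy with its preference.
Get-MailboxDatabase | Get-MailboxDatabaseCopyStatus |
    Sort-Object DatabaseName, ActivationPreference |
    Format-Table DatabaseName, MailboxServer, Status, ActivationPreference -AutoSize
```

The number only matters when a database has more than one passive copy (it decides which one Active Manager tries first); with one passive copy per database the value 2 is the only sensible choice.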
I have 3 Domain Controllers, all running Windows 2012 R2. Up until this weekend, I really haven't had any issues, but something started this weekend, and now I'm getting alerts almost on an hourly basis, sometimes every few hours, that different accounts are locked out. I'm using Netwrix Account Lockout Examiner, and it doesn't tell me on what workstation the account was locked out. So something is causing a lot of different user accounts to be locked out, or to reach the threshold to be locked out.

Does anyone have any ideas how to start troubleshooting this problem?  Also, I noticed that there's a workstation called "rdesktop" listed in the account examiner, but that workstation does not exist on my network.  How can I find a computer that doesn't exist?

Hi All,

Can anyone here please assist me in troubleshooting as to why my Outlook Web Access is randomly signing me off while reading or typing email ?

I also cannot access the below OWA options; they fail with HTTP ERROR 500:
Change OWA Account settings:
Change AD Password:
Enable OWA Add On:

However, when I manually type in the Public IP address or the server name instead of, I can access the server with no problem.

This is my current deployment of the Exchange Server 2013 Standard Edition in my domain:

AD Site: Default-First-Site-Name [old CAS & MBX server] [new CAS & MBX server]

AD Site: Head_Office [CAS & MBX server] [MBX server]

I have just created multiple A Records for and pointing to my existing 3x CAS-MBX Exchange 2013 server roles.

Public DNS (A) records Round Robin: – Public IP address of PRODMAIL14, PRODMAIL20-VM and PRODMAIL42-VM – Public IP address of PRODMAIL14, PRODMAIL20-VM and PRODMAIL42-VM

Internal DNS (A) records Round Robin: – Public IP address of PRODMAIL14, PRODMAIL20-VM and PRODMAIL42-VM
While migrating Windows servers from domain A to domain B within the same forest, what tools do we need for the migration,

for example for files and applications, or anything else to be considered?

Is the situation different when migrating applications and files in a cross-forest scenario?

Does the role of DFS come into the picture?
Hello. I have an MSI that I need to have installed on our computers via Group Policy. I am going to install it via GP, but I would like to look for a way that it will run without admins needing to touch each PC in the policy or making the users run something themselves. Can someone provide a step by step to deploy this MSI, including any switches or scripts that would be needed? I am not a GP expert, nor do I know how to script these out; I am just looking for the easiest and quickest way to install an Outlook add-in MSI on our users' computers. I realize we can do this through a user or computer policy, so whichever way is easiest, please let me know. Thanks for your help, experts.
I am moving a customer from a 2003 server with AD installed to a NAS drive. There are only 3 computers that access it. In the past I have used the tool Profwiz to convert a domain account into a local account and vice versa. Is there a better way to do this? One thing I don't like about this tool is that all it really does is create a new account and redirect all the folders to the other accounts directories.


I'm using Exchange Server 2013 SP1 Standard Edition on my AD domain. My users are still using Public Folder extensively, however, sometimes I have found that notes that I leave on the business cards under clients in Public Folders disappear when they are revisited.

This is very frustrating because when other team members need information from these places, they are not completely up to date.
Can you please assist me in what steps can I troubleshoot this problem ?
We are running two DCs and have a user account that continues to get locked out of their primary system. Netlogon debug shows the following:

07/23 22:47:43 [LOGON] [20080] xxx: SamLogon: Transitive Network logon of (null)\user from Rdesktop (via DC02) Entered
07/23 22:47:43 [LOGON] [20080] xxx: SamLogon: Transitive Network logon of (null)\user from Rdesktop (via DC02) Returns 0xC000006A
07/23 22:47:44 [LOGON] [34652] xxx: SamLogon: Transitive Network logon of (null)\user from Rdesktop (via DC02) Entered
07/23 22:47:44 [LOGON] [34652] xxx: SamLogon: Transitive Network logon of (null)\user from Rdesktop (via DC02) Returns 0xC000006A

Corresponding Event Viewer entries
The computer attempted to validate the credentials for an account.

Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:      user
Source Workstation:      Rdesktop
Error Code:      0xc000006a

I have removed the user account from the system and put back on and continue to get the error.
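An added example for this thread and for the "accounts locked out from a workstation called rdesktop that does not exist" thread above; it is not code from either post. It does three things: pulls the 4740 (lockout) and 4776 (NTLM credential validation) events from every DC and counts bad passwords per claimed workstation and account; parses a DC's netlogon.log for the same 0xC000006A results, keeping the "(via HOST)" server that forwarded the request; and looks up 4625 events on that forwarding host, which carry the client's IP address. The Workstation value in 4776 and in netlogon.log is a string the client put into the NTLM message, not a name the DC resolved or verified, which is why a name like "Rdesktop" can show up for a machine that does not exist in AD; the IP on the forwarding host is the reliable lead. It assumes the AD module, remote event-log access to the DCs, and netlogon debug logging already switched on (nltest /dbflag:0x2080ffff).

```powershell
# Added example (not from the posts): trace bad-password sources behind lockouts.
Import-Module ActiveDirectory

function ConvertFrom-EventData {
    # Flatten the <EventData><Data Name="..."> elements of an event into a hashtable.
    param($Event)
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

function Get-LockoutActivity {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    foreach ($dc in $dcs) {
        # 4740 is chained to the PDC emulator; 4776 lands on whichever DC validated
        # the request. Querying every DC covers both.
        $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = 4740, 4776; StartTime = $Since }
        foreach ($e in $events) {
            $d = ConvertFrom-EventData $e
            if ($e.Id -eq 4740) {
                # In 4740 the "Caller Computer Name" is stored in the TargetDomainName field.
                [pscustomobject]@{ Time = $e.TimeCreated; DC = $dc; Id = 4740
                    User = $d['TargetUserName']; Workstation = $d['TargetDomainName']; Status = 'LOCKOUT' }
            } else {
                [pscustomobject]@{ Time = $e.TimeCreated; DC = $dc; Id = 4776
                    User = $d['TargetUserName']; Workstation = $d['Workstation']; Status = $d['Status'] }
            }
        }
    }
}

function Get-NetlogonBadPasswords {
    # Matches lines such as:
    # 07/23 22:47:43 [LOGON] [20080] DOM: SamLogon: Transitive Network logon of (null)\user from Rdesktop (via DC02) Returns 0xC000006A
    param([string]$Path = "$env:SystemRoot\debug\netlogon.log")
    $rx = 'logon of (?<dom>[^\\]+)\\(?<user>\S+) from (?<ws>\S+)(?: \(via (?<via>[^)]+)\))? Returns (?<code>0x[0-9A-Fa-f]+)'
    Get-Content $Path | ForEach-Object {
        if ($_ -match $rx -and $Matches['code'] -eq '0xC000006A') {
            [pscustomobject]@{ Time = $_.Substring(0, 14); User = $Matches['user']
                Workstation = $Matches['ws']; Via = $Matches['via'] }
        }
    }
}

function Get-FailedLogonSources {
    # 4625 on the host that accepted the logon attempt carries the caller's IP.
    param([string]$Server, [string]$User, [datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -ComputerName $Server -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = $Since } | ForEach-Object {
        $d = ConvertFrom-EventData $_
        if ($d['TargetUserName'] -eq $User) {
            [pscustomobject]@{ Time = $_.TimeCreated; Workstation = $d['WorkstationName']
                IP = $d['IpAddress']; LogonType = $d['LogonType']; SubStatus = $d['SubStatus'] }
        }
    }
}

# Bad passwords per claimed workstation and account, most frequent first.
Get-LockoutActivity | Where-Object { $_.Id -eq 4776 -and $_.Status -eq '0xc000006a' } |
    Group-Object Workstation, User | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# The same view from this DC's netlogon.log, with the forwarding host.
Get-NetlogonBadPasswords | Group-Object Workstation, Via | Format-Table Count, Name -AutoSize

# Chase the claimed name to an IP on the forwarding host (DC02 in the post above).
Get-FailedLogonSources -Server 'DC02' -User 'user' | Format-Table -AutoSize
```

Once the IP is known, the usual suspects are a stale saved credential (a service, scheduled task, mapped drive or a phone's mail profile) on that host; a steady rate of failures across many accounts from one source that is not in AD is the pattern to treat as a password spray until proven otherwise.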

I have 1 forest with two DCs. The sysadmin added a new one for our DR site. Since then we are facing issues in AD: all new objects are getting created on the DR additional DC, not on the default site DCs. In addition, replication is very slow, even though the site link is a 100 MB layer 2 network, so I don't have an issue with speed.
I didn't work in a Windows environment for a while. I created a lab simulating the existing scenario and realized that once I delete the subnets everything works fine. Do I really need to configure the DR DC in another site, since I don't have a WAN speed issue and can replicate in real time? So my question: what will happen if I delete the subnets in my production environment, and what is the impact?
We migrated a company from on-premises Exchange 2010 to Office 365 and had DirSync working. Everything went OK.
We then uninstalled the old Exchange server (we need to decommission the server from service; we don't need it as we are on the cloud), and as soon as we did this we lost the ability to send outbound emails, as they started to come in from instead of
So we called our Exchange cloud consultant, who says the following, and now it has me very concerned (as he contradicted what he said before):
1 - To fix the issue we have to create a new profile. This is bad as we would have to re-download the OST file again, and bandwidth is somewhat slow. We really need to fix on-premises Outlook without a new profile.
2 - He says that if I migrate to the cloud but want to keep DirSync I must keep on-premises Exchange (is that true? What is the point of migrating to the cloud?).
So I cannot have Office 365 set up and have the on-premises DC talking to it without also maintaining a local Exchange server?
Hi Experts

I'm not sure I'm even going to use the correct terminology in this question. Please forgive me.

I want to query two different OUs on the same level. The queries below work independently but I need to combine them so that I end up with one recordset (which is sorted - but I know how to sort it).

1.   "<LDAP://OU=all staff,OU=birmingham office,DC=mertonhatfield,DC=local>;" & "(&(objectclass=user)(objectcategory=person));" & "name,title,distinguishedName,userPrincipalName;subtree"

2.  "<LDAP://OU=reception users,DC=mertonhatfield,DC=local>;" & "(&(objectclass=user)(objectcategory=person));" & "name,title,distinguishedName,userPrincipalName;subtree"

To clarify :

1.  mertonhatfield.local\birmingham office\all staff
2.  mertonhatfield.local\reception users

Please can you tell me how to combine the two?

Many thanks.
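A way to combine them, as an added example in PowerShell rather than the ADO/VBScript of the question, and not the poster's code: one LDAP search has exactly one base DN, so the two OUs are searched separately and the rows are merged and sorted client-side. The filter, the attribute list and the OU paths are the ones from the two queries above. Only .NET's DirectorySearcher is used, so no AD module is needed and it runs on a 2008-era box.

```powershell
# Added example (not the poster's code): union of two OU searches, sorted by name.
function Search-UsersUnder {
    param([string]$BaseDn)
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$BaseDn")
    $ds   = New-Object System.DirectoryServices.DirectorySearcher($root)
    $ds.Filter      = '(&(objectClass=user)(objectCategory=person))'
    $ds.SearchScope = 'Subtree'
    $ds.PageSize    = 1000    # paged results, so more than 1000 matches come back
    [void]$ds.PropertiesToLoad.AddRange([string[]]@('name', 'title', 'distinguishedName', 'userPrincipalName'))
    foreach ($r in $ds.FindAll()) {
        # Each property is a value collection; @(...)[0] gives $null when it is empty.
        [pscustomobject]@{
            name              = [string](@($r.Properties['name'])[0])
            title             = [string](@($r.Properties['title'])[0])
            distinguishedName = [string](@($r.Properties['distinguishedname'])[0])
            userPrincipalName = [string](@($r.Properties['userprincipalname'])[0])
            searchedOu        = $BaseDn
        }
    }
}

$ous = 'OU=all staff,OU=birmingham office,DC=mertonhatfield,DC=local',
       'OU=reception users,DC=mertonhatfield,DC=local'

# Union of both result sets, deduplicated on DN (matters if OUs ever nest), then sorted.
$users = $ous | ForEach-Object { Search-UsersUnder -BaseDn $_ } |
         Sort-Object distinguishedName -Unique | Sort-Object name
$users | Format-Table name, title, userPrincipalName, searchedOu -AutoSize
```

The alternative, if a single query is a hard requirement, is to search from DC=mertonhatfield,DC=local with the same filter and drop rows whose distinguishedName does not end in one of the two OU paths; that reads the whole domain, so the two-search approach above is cheaper on a large directory.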
I have taken over the backup job. We have a multi-domain network, and each site has two domain controllers. I run bare metal backups of the DCs and this covers the System State. My understanding is that System State includes all AD objects, the schema partition, global catalogs etc.
I noticed that recent Exchange CUs update the schema every time you apply them. One day I may have to roll back in case anything goes wrong with the schema.
1. If I do an authoritative restore on any one of the DCs (any site), can I roll back to the previous schema, or do I have to perform the restore on the server which holds the FSMO roles rather than on any DC?
I would appreciate your comments and suggestions on this.
Is it possible to get the corresponding email attribute from the object property of a user?

We have an internal Windows Active Directory domain called We also have an external website called the same, but it is hosted on an external cloud provider.

We have created a website on the cloud called This uses dynamic DNS.

I want to forward all DNS queries for to an external DNS server.

How do I do this?

We are using Windows Server 2008 (but the domain functional level is Windows 2003).
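The mechanism for this is a conditional forwarder, shown here as an added example that is not the poster's configuration; the zone name, the external server address and the DC name are placeholders. A conditional forwarder sends every query for one name space to the servers you pick while everything else keeps resolving as before. dnscmd is the tool on Windows Server 2008; the DnsServer module cmdlet is the equivalent on 2012 and later.

```powershell
# Added example (not the poster's setup): conditional forwarder on a 2008 DC.
$zone     = 'apps.example.com'   # assumed: the name space to send to the external server
$external = '203.0.113.53'       # assumed: the external DNS server
$dc       = 'dc01'               # assumed: a domain controller running DNS

# /DsForwarder stores the forwarder in AD so every DNS server in the domain gets it;
# use /Forwarder instead for a forwarder that lives only on this server.
dnscmd $dc /ZoneAdd $zone /DsForwarder $external

# 2012 and later equivalent (DnsServer module):
# Add-DnsServerConditionalForwarderZone -Name $zone -MasterServers $external -ReplicationScope 'Domain' -ComputerName $dc

# Check that the answer now comes back from the external server rather than as
# an authoritative NXDOMAIN from the DC's own zone.
nslookup -type=A "www.$zone" $dc
```

One check worth doing, because the internal domain here shares its name with the public one: if the name you are forwarding sits inside a zone the DCs already host, the nslookup above may still be answered from that zone. If so, delegate the subdomain to the external servers with NS records in the parent zone (or host the records internally) rather than relying on the forwarder.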

