Active Directory
Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.


Is there a way, via PowerShell/scheduled task, software/app or other solution, that we can see if a Windows machine lost its trust with the domain?

Since it's a recurring issue at my job, I was hoping to execute something and generate reports to hand off to my Ops team.

Thank you.
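One way to do this, as an added example that is not code from the original post: a script meant to run as a scheduled task (under SYSTEM) on each machine, which tests the secure channel to the domain and appends one row to a CSV on a report share. The share path is a placeholder.

```powershell
# Added example: per-machine secure-channel check for a scheduled task.
# Assumptions: runs as SYSTEM; \\fileserver\trustreports is a placeholder share
# that machine accounts can write to.
$reportShare = '\\fileserver\trustreports'
$computer    = $env:COMPUTERNAME
$timestamp   = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'

try {
    # $true when the machine account password and secure channel with a DC are
    # valid, $false when the trust relationship is broken.
    $ok = Test-ComputerSecureChannel -ErrorAction Stop
    $status = if ($ok) { 'OK' } else { 'BROKEN' }
} catch {
    # No DC reachable or the call itself failed: report it separately so Ops
    # can tell a network/DNS problem from a genuinely broken trust.
    $status = "ERROR: $($_.Exception.Message)"
}

$row = [pscustomobject]@{
    Computer      = $computer
    Time          = $timestamp
    SecureChannel = $status
}
# One CSV per machine; the Ops team can merge them with Import-Csv.
$row | Export-Csv -Path (Join-Path $reportShare "$computer.csv") -NoTypeInformation -Append
```

Rows marked BROKEN are the ones to act on; a run of ERROR rows from many machines at once usually points at DC or DNS reachability rather than lost trust.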

Hi -- I'm starting to set up a home AD network. Got two computers (so far) and have installed AD and DNS on the server.

Problem: When I try to add the client to AD, I get the error: "An Active Directory Domain Controller (AD DC) for the domain "theshire.local" could not be contacted. The error was: "DNS name does not exist." (error code 0x0000232B RCODE_NAME_ERROR)

I did install DNS on the server, and added a reverse lookup record for the client (  Details:

1)  AD Domain = theshire.local
2)  Domain Controller (WinSrv2019) = Gandolf
3)  Client (Win10) = Frodo
4)  Both Gandolf and Frodo connect to the Internet via an xFinity router.
5)  On the router, I created static IPs for both computers:

- Gandolf (WinSrv2019) =
-  Frodo (W10) =
- Router (xFinity default IP) =

Should I drop back and punt...and set the IP for the Server to and for the client and just use a private network?  If so, how would these computers be able to connect to the Internet for updates?  I could add the router's IP as the Gateway...

Thank you!
I have a service account called operator in our Active Directory,

but it doesn't show under active users in Office 365.

I need to create a mailbox and assign a license.

How can I do this?
Hi Experts,

I am in a migration phase and I need some help please.

I have an ADMT server running, and this server has been working since the end of 11.2019.
But now I have a problem selecting the source domain when I want to migrate some users.

ADMT is unable to connect to domain controller....Access is denied.


The trust is tested and ok.
The user is a domain admin in both forests.
The servers are reachable via PING in both directions.
The local firewalls are disabled on both servers.

Do you have any ideas ?
Hi Experts

Need a little advice on a DFS Namespace issue:


I brought up a new Server 2016 and robocopied all files from the old 2008 server to the new one
Installed DFS feature on new
Added new server as new targets and removed old server targets.
Powered down old server and all namespaces stopped working

Powered old server back up and they started working again.


DFSDiag /Testsites /Machine:NewServerName
Success: The site associated with the following host name is consistent on all accessible domain controllers: NewServerName

DFSDIAG /TestSites /dfspath:\\MyDomainName\filestores /full

Success: The site associated with the following host name is consistent on all accessible domain controllers: OldServerName
Validating the static site association by accessing the registry.
Success: The static site-association of the following host name is consistent with the site-association in Active Directory Domain Services (AD DS): OldServerName

I have logged into ADSIEdit and there are no Orphaned DFS Entries


We are using DFS just for namespaces, no replication, I believe the namespaces are correctly sitting on the domain but I need to get rid of the pointer to the OldServerName and make sure that it can still see the NewServerName.

Your help as always is greatly appreciated.

We have ADFS configured for authenticating an internal WordPress site, and this was working flawlessly for users to enter their credentials for login.

We were trying to enable automated logon using Windows credentials and followed the ADFS instructions at:
and then:
to enable this. However, following these changes we now cannot log on to the WordPress site.

At the URL, it now provides a Windows logon prompt and entering valid credentials returns the same prompt (i.e. logon does not work).

There are events 364, 111, 238 and 1000 logged for the failed attempts:

Event 238:
The Federation Service failed to find a domain controller for the domain NT AUTHORITY.

Additional Data
Error: 1212

Event 111:
The Federation Service encountered an error while processing the WS-Trust request.
Request type: 

Additional Data
Exception details:
Microsoft.IdentityServer.Service.SecurityTokenService.ADAccountValidationException: MSIS3173: Active Directory account validation failed. ---> Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.AttributeStoreDSGetDCFailedException: Exception of type …
I need to put the following registry key change in our Group Policy so we need not do it on individual machines.

Not sure where to make the changes in GP settings.
The bottom setting that is enabled will apply the macro notification warnings to add-ins as well. So, to disable those warnings about trusted add-ins when Outlook launches,

I'm not sure where to check in my Group Policy (images attached) - the one highlighted in yellow - where to find it in my GP.
Hi, I am about to demote several old physical domain controllers (Server 2008 R2) from my AD environment that reside at my branch sites about 20 miles away in each direction.

I already have my new replacement domain controllers (Server 2016) in place and they are working as expected...have been for weeks now.

Already verified replication is working as expected.

Already transferred the FSMO roles to one of my new domain controllers.

Already verified AD Sites & Services is in order with my new domain controllers.

Also, I am working towards a collapse core environment, meaning I am bringing all my services back to my main site and will depend on my WAN connections to service my branch sites.  For one, all the traffic must come back to my main site before leaving to the outside world.  Another reason all of my other main services reside at my main site, as well as several other reasons that just make sense to go this route.

With that being said, I have setup my DHCP services at my main site among replicating DHCP servers.  So, all of my AD Sites & Services subnets are now pointing to my main site.

I've just finished up changing DNS on all of my static nodes in my network pointing to my new domain controllers for DNS services.

Currently, the FFL & DFL are obviously at Server 2008 R2, but after I remove all of these Server 2008 R2 domain controllers from my environment I plan to raise the FFL & DFL to Server 2016.

So, with all that laid out, my …
Hi All,

I have been tasked with finding what options are available with regards to tracking when users start / finish their day. I know their PC usage isn't necessarily an accurate representation of time spent, but it is what I have been asked to do.

What info is available from AD and how best to get at it? I am specifically looking for first and last logon/logoff in a given day if possible. Any other attributes that may help with the above task?

Thanks for your help.
We have ADFS 2012 R2.

I need to run a PowerShell command
enabling alternate ID for user logons.

Right now they use email address.

Can they use SAM account name,

like domain\username?

Dear Wizards, our users need to modify the Date/Time settings on domain-joined PCs. Can we do that? Please suggest.
Dear experts,
We have done a penetration test, and one of the Oracle servers had a vulnerability through which the penetration testers managed to get the hashes of the Domain Admin users and then the NTDS database of all AD users.

How is it possible to check the current hash being utilized and to strengthen this on Active Directory servers? The currently installed servers are Windows 2016.

I would appreciate your recommendations.

Thank you
Hi Experts,

I have set the expirationtime attribute on AD objects (computer, user). But I can't remove it. Do you know how to clear or remove this attribute?

expirationtime AD attribute

Dealing with an issue here and do not understand how this came to be. I have 4 DCs that are showing the same behavior where I cannot see the account policies from within the Default Domain GPO. I have moved the PDC Emulator to all 4 servers and tested, in hopes that I would be able to set up an account security policy of password length and complexity. I have also checked for backups of the GPO and find none.

When I view the Default Domain Policy under Settings I see the account policies
Default Domain GPO Settings view
but when I go to edit them from the GPO, they are missing
Default Domain Edit View
Any ideas on how I can regenerate the Default Domain Policy?
Active Directory Federation Services (ADFS)
Move ADFS server from one domain in the forest to another domain in the forest.

What changes are required? There was a trust between the two domains, which is no longer there, and the ADFS server is in a domain which is going to disappear; all servers, other computers and users are on the new domain. If we simply move that server to the new domain, will that resolve the login issue?

Please advise.
Hi Experts,

I am in the phase of migrating users and computers with ADMT to a new domain.
We also moved one server to the new domain.
But now we have major problems.

The workstation service is not running anymore. Any ideas?
The permissions on the server are wrong.
Now moving back to the old domain is not working anymore :-(

What is the correct way to migrate a server with ADMT?
Hello Experts,
We are upgrading our hybrid domain to server 2016 level in order to utilize Azure AD.
Can we have server 2016 domain controllers and server 2019 member servers and still be considered a 'native mode' domain?
Also, can we have server 2016 domain controllers and have server 2012 member servers and still utilize Azure AD?

Thanks in advance for your insight!
We have just completed upgrading the client’s domain from 2008 to 2016. Raised the domain level to Windows 2016 successfully however the forest still shows 2008. When we try to run ADPREP /forestprep it comes back saying it already has and fails. Thoughts?
We are building a new AD controller to be used at a new site.  What are the best practices/steps for setting up site and promoting the server/adding to site?

Our primary concern is over building/performing dcpromo at headquarters and then moving the server to the new location/site. Initially the sites will be connected by a 200/20 site-to-site VPN over the internet, later replaced by a 20/20 ELAN/fiber connection.

Experienced advice on recommended steps would be appreciated.

How do I transfer a collection of group policy objects from one domain to another.  Domains are not related in any way and never will be, but the group policy objects are a bunch of security settings that are not specific to user names, computer names or any other specific name.  So they should easily transfer.  I just can't find a way to do it, other than to manually rebuild them one at a time in the second domain.
Dear All,

I would like to write a PowerShell script that would do the following:
- If the user is a member of Domain Admins, get me the last 30 days' logon history of this user on any domain-joined computer.

I created something now, but it still lacks a lot, as it reads the security events on the domain controller, brings the users and times, and matches them with the Domain Admins group as in the attached screenshot.

I would appreciate it if someone can help me evolve this script into something useful.

$Rusers = Get-WinEvent -ComputerName dc02 -FilterHashtable @{LogName='Security'; ID=4672} -MaxEvents 50 |
    Select-Object @{N='User'; E={$_.Properties[1].Value}}, TimeCreated   # Properties[1] = SubjectUserName in event 4672
$DAUsers = Get-ADGroupMember -Identity "Domain Admins"

foreach ($DAUser in $DAUsers) {
    $DomainUser = $DAUser.SamAccountName

    foreach ($Ruser in $Rusers) {
        $RAUser = $Ruser.User

        # exact comparison instead of -match, so "admin" does not also match "sqladmin"
        if ($RAUser -eq $DomainUser) {
            Write-Host "$RAUser is a domain admin (event at $($Ruser.TimeCreated))"
        }
    }
}

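One way to get closer to the 30-day requirement, as an added example that is not the poster's script: instead of 4672 on a single DC, collect Kerberos TGT requests (event 4768) from every DC for the last 30 days and keep those for Domain Admins members. A DC logs 4768 whenever it issues a TGT, so this covers logons from any domain-joined machine, not just logons to the DC itself. The output file name is an assumption.

```powershell
# Added example: 30-day TGT history (event 4768) for Domain Admins, from all DCs.
$since = (Get-Date).AddDays(-30)

# Resolve nested membership too, and build a case-insensitive lookup set
$admins = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object { [void]$admins.Add($_.SamAccountName) }

# @{ } is a hashtable literal; Get-WinEvent uses it as the event filter
$filter = @{ LogName = 'Security'; Id = 4768; StartTime = $since }
$dcs = (Get-ADDomainController -Filter *).HostName

$results = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read fields by name from the event XML rather than positional Properties[n]
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            $user = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            if ($admins.Contains($user)) {
                [pscustomobject]@{
                    Time     = $_.TimeCreated
                    User     = $user
                    ClientIp = ($data | Where-Object Name -eq 'IpAddress').'#text'
                    Status   = ($data | Where-Object Name -eq 'Status').'#text'   # 0x0 = ticket issued
                    DC       = $dc
                }
            }
        }
}

$results | Sort-Object Time | Export-Csv -Path .\DomainAdminLogons.csv -NoTypeInformation
```

Security logs on busy DCs roll over quickly, so 30 days of 4768 events are only there if the log size (or a log collector) retains them; check the oldest TimeCreated per DC before trusting the coverage.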

Is there a better way to compile my script, which has a lot of repetitive commands, to make it easier to use?

# Creation of many Domain Global groups to be nested in one Domain Local Group

$LocalGroupName  = "DL-ACL-M-OCTOPUS-Shares-DAL"
$GlobalGroupName = "GG-ACL-M-OCTOPUS-Shares-DAL"
# Domain controllers to target in each domain (placeholder host names: the original
# assigned $CCSMTLServer from itself and never defined $serveurcrlb / $serveurird)
$CCSMTLServer = "DC-HOSTNAME.ccsmtl.local.lab"
$serveurcrlb  = "DC-HOSTNAME.lucie-bruneau.local.lab"
$serveurird   = "DC-HOSTNAME.ird-domain.placeholder"

# Create Domain Local Group in Domain CCSMTL
$Pathccsmtl = "OU=ACL,OU=Groupes,DC=CCSMTL,DC=local,DC=lab"
New-ADGroup -Name $LocalGroupName -GroupScope DomainLocal -Path $Pathccsmtl -Server $CCSMTLServer

# Create Domain Global Group in Domain CRLB
$pathcrlb = "OU=CCSMTL,OU=CRLB - CIUSSS,DC=lucie-bruneau,DC=local,DC=lab"
New-ADGroup -Name $GlobalGroupName -GroupScope Global -Path $pathcrlb -Server $serveurcrlb
# Add Member to Domain Local Group in CCSMTL
$accountGroupcrlb = Get-ADGroup -Identity $GlobalGroupName -Server $serveurcrlb
Add-ADGroupMember -Identity $LocalGroupName -Members $accountGroupcrlb -Server $CCSMTLServer

# Create Domain Global Group in Domain IRD ($pathird was never defined in the original; placeholder OU)
$pathird = "OU=PLACEHOLDER,DC=ird,DC=placeholder"
New-ADGroup -Name $GlobalGroupName -GroupScope Global -Path $pathird -Server $serveurird
# Add Member to Domain Local Group in CCSMTL
$accountGroupird = Get-ADGroup -Identity $GlobalGroupName -Server $serveurird
Add-ADGroupMember -Identity $LocalGroupName -Members $accountGroupird -Server $CCSMTLServer


in powershell what is @{} used for?
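An added example covering both of the last two questions (it is not the poster's script): @{ } is PowerShell's hashtable literal, and the repeated create-then-nest block can be written once as a function driven by one hashtable per source domain, with @params splatting a hashtable into named parameters. Group names and the CCSMTL/CRLB OU paths are the poster's; the DC host names and the IRD OU path are assumptions.

```powershell
# Added example: one function plus a hashtable per domain replaces the copy-pasted blocks.
$LocalGroupName  = 'DL-ACL-M-OCTOPUS-Shares-DAL'
$GlobalGroupName = 'GG-ACL-M-OCTOPUS-Shares-DAL'

# @{ } = hashtable literal: key/value pairs looked up as $hash.Key or $hash['Key']
$LocalDomain = @{
    Server = 'DC-HOSTNAME.ccsmtl.local.lab'                       # assumed DC
    Path   = 'OU=ACL,OU=Groupes,DC=CCSMTL,DC=local,DC=lab'
}
# One entry per source domain whose global group is nested into the local group
$GlobalDomains = @(
    @{ Server = 'DC-HOSTNAME.lucie-bruneau.local.lab'             # assumed DC
       Path   = 'OU=CCSMTL,OU=CRLB - CIUSSS,DC=lucie-bruneau,DC=local,DC=lab' }
    @{ Server = 'DC-HOSTNAME.ird-domain.placeholder'              # assumed DC
       Path   = 'OU=PLACEHOLDER,DC=ird,DC=placeholder' }           # assumed OU
)

function New-NestedGlobalGroup {
    param(
        [hashtable]$Domain,      # Server/Path of the domain that owns the global group
        [string]$Name,           # global group name
        [string]$LocalName,      # domain local group that receives it as a member
        [hashtable]$Local        # Server/Path of the domain local group's domain
    )
    # Splatting: @params expands the hashtable into -Name/-GroupScope/-Path/-Server
    $params = @{
        Name       = $Name
        GroupScope = 'Global'
        Path       = $Domain.Path
        Server     = $Domain.Server
    }
    New-ADGroup @params
    $group = Get-ADGroup -Identity $Name -Server $Domain.Server
    Add-ADGroupMember -Identity $LocalName -Members $group -Server $Local.Server
}

New-ADGroup -Name $LocalGroupName -GroupScope DomainLocal -Path $LocalDomain.Path -Server $LocalDomain.Server
foreach ($d in $GlobalDomains) {
    New-NestedGlobalGroup -Domain $d -Name $GlobalGroupName -LocalName $LocalGroupName -Local $LocalDomain
}
```

Adding a fourth domain is then one more @{ } entry in $GlobalDomains rather than another copied block.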
Organize SCCM Clients to match Organization Units.

When SCCM discovers computers joined or not joined to the domain, there is no way to tell in which Active Directory OUs they reside, and there is also no way to tell if a computer is not joined to the domain.

I would like to know if there is a trick to organize SCCM clients to match their locations in Active Directory.

Thank you
Hi Experts,

Is it possible to change a domain via CMD?
I tried netdom /join...but here comes the error that the machine is still connected to a domain.

When I use the GUI it is possible to change directly the domain.

Any ideas ?
