showing posts tagged with 'ad'
by lunarg on January 19th 2017, at 14:49
ADMT stands for Active Directory Migration Tool and is used to migrate AD objects (such as users, groups, computers, etc.) from one AD forest or domain to another, supporting complex scenarios in the process.

Why Microsoft hides their most useful tools is a mystery though. So here are the download links. You will need to accept some EULAs and have a Microsoft Account if you wish to download it though.

Navigate to

If you have not done so, you will have to log on with a Microsoft Account and join the program and accept its EULA things.

Then, you will be able to click through to the download page and download ADMT version 3.2, and, if req  ...
by lunarg on December 15th 2016, at 14:48

Ned Pyle from Microsoft TechNet wrote an article about DCDiag, explaining in detail what it actually does.

Read full article on TechNet.

by lunarg on August 4th 2016, at 10:57

Using ADUC, it can be quite a hassle to find and/or unlock AD accounts. PowerShell solves this by providing some neat commands for a system administrator to use.

To list all locked out AD accounts:

Search-ADAccount -LockedOut

To get more info about these accounts, you can do a Full-List:

Search-ADAccount -LockedOut | FL

Furthermore, you can pipe the output to quickly unlock some/all AD accounts:

Search-ADAccount -LockedOut | Unlock-ADAccount
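The three one-liners above do the job, but unlocking every locked-out account blindly also clears lockouts that were caused by a password-spraying attempt. The following function is an added example (not part of the original post) that first reports the lockout details for each account and only unlocks when asked to, honouring -WhatIf and -Confirm. It assumes the ActiveDirectory module is loaded; the function name Get-LockedOutReport is invented for this example.

```powershell
# Added example: report locked-out accounts, optionally unlock them.
# Assumes the ActiveDirectory module (RSAT) is available on this host.
Import-Module ActiveDirectory

function Get-LockedOutReport {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Only unlock when explicitly requested; -WhatIf shows what would happen.
        [switch]$Unlock,
        # Accounts with more bad-password attempts than this are reported but
        # left locked, so an operator can look at them first.
        [int]$MaxBadLogons = 5
    )

    # Search-ADAccount returns lightweight objects; fetch the extra lockout
    # attributes with Get-ADUser so the report shows when and why it happened.
    $locked = Search-ADAccount -LockedOut -UsersOnly |
        ForEach-Object {
            Get-ADUser -Identity $_.SamAccountName -Properties `
                AccountLockoutTime, LastBadPasswordAttempt, BadLogonCount
        }

    foreach ($user in $locked) {
        $report = [PSCustomObject]@{
            SamAccountName        = $user.SamAccountName
            AccountLockoutTime    = $user.AccountLockoutTime
            LastBadPasswordAttempt = $user.LastBadPasswordAttempt
            BadLogonCount         = $user.BadLogonCount
            Action                = 'reported'
        }

        if ($Unlock) {
            if ($user.BadLogonCount -gt $MaxBadLogons) {
                # Too many failures: leave it locked and flag it for review.
                $report.Action = 'left locked (review)'
            }
            elseif ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Unlock-ADAccount')) {
                Unlock-ADAccount -Identity $user
                $report.Action = 'unlocked'
            }
        }

        $report
    }
}

# Usage:
#   Get-LockedOutReport                      # report only
#   Get-LockedOutReport -Unlock -WhatIf      # show what would be unlocked
#   Get-LockedOutReport -Unlock | Format-Table
```

The BadLogonCount threshold is a simple heuristic: a user who mistyped a password a few times is unlocked, while an account hammered with many attempts stays locked until someone checks the security log on the PDC emulator.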
by lunarg on April 21st 2016, at 16:43
During the installation of ADMT PES (Password Export Server), the installer reports the encryption key password is wrong, even though you're absolutely sure it's the correct password. Although KB2004090 states this is for 3.1, the problem also exists on 3.2.

The reason for this is that the MSI installer does not elevate the session. If you are not logged on with the Administrator-account, the elevation does not occur automatically and the error mentioned above will appear, without any mention of elevation requirements.

To work around the issue, you can follow the steps below. This will ensure the MSI installer runs in an elevated session and the installation will continue as normal. Altern  ...
by lunarg on November 5th 2015, at 11:03

Sometimes you may want to set or clear attributes of an AD object (e.g. the extensionAttributes of an AD user) through PowerShell.

To set an attribute:

Set-ADUser -Identity "AnyADUser" -Add @{extensionAttribute15="SomeValue"}

To clear an attribute (i.e. unset the attribute):

Set-ADUser -Identity "AnyADUser" -Clear extensionAttribute15
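As an added example (not from the original post), the function below wraps the two commands and reads the attribute back afterwards so the change is verified. It also uses -Replace when the attribute already has a value: the extensionAttributes are single-valued, and -Add fails on a single-valued attribute that is already populated. The function name Set-ADUserExtensionAttribute and the user "AnyADUser" are assumptions for this example.

```powershell
# Added example: set or clear a single-valued attribute and verify the result.
# Assumes the ActiveDirectory module is available.
Import-Module ActiveDirectory

function Set-ADUserExtensionAttribute {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]$Identity,
        # e.g. extensionAttribute15
        [Parameter(Mandatory)] [string]$Attribute,
        # Omit or pass an empty string to clear the attribute.
        [string]$Value
    )

    $user = Get-ADUser -Identity $Identity -Properties $Attribute
    $current = $user.$Attribute

    if ([string]::IsNullOrEmpty($Value)) {
        if ($null -ne $current -and $PSCmdlet.ShouldProcess($Identity, "Clear $Attribute")) {
            Set-ADUser -Identity $user -Clear $Attribute
        }
    }
    elseif ($null -eq $current) {
        # Attribute is empty: -Add works, matching the original post.
        if ($PSCmdlet.ShouldProcess($Identity, "Add $Attribute=$Value")) {
            Set-ADUser -Identity $user -Add @{ $Attribute = $Value }
        }
    }
    elseif ($current -ne $Value) {
        # Attribute already has a value: -Replace, because -Add on a
        # single-valued attribute that is already set errors out.
        if ($PSCmdlet.ShouldProcess($Identity, "Replace $Attribute=$Value")) {
            Set-ADUser -Identity $user -Replace @{ $Attribute = $Value }
        }
    }

    # Read back and return the effective value so callers can check it.
    (Get-ADUser -Identity $Identity -Properties $Attribute).$Attribute
}

# Usage:
#   Set-ADUserExtensionAttribute -Identity AnyADUser -Attribute extensionAttribute15 -Value SomeValue
#   Set-ADUserExtensionAttribute -Identity AnyADUser -Attribute extensionAttribute15   # clears it
```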
by lunarg on October 19th 2015, at 12:59
When users change the passwords of their on-premises AD accounts, these changes are not replicated to Office 365 (Azure AD). In the event log of the server running AD Sync, event 611 is logged:

Event ID 611
Password synchronization failed for domain:

System.DirectoryServices.Protocols.LdapException: The operation was aborted because the client side timeout limit was exceeded.

To resolve the issue, a registry setting has to be changed on the server running AD Sync, followed by a reboot:

On the server running AD Sync, open regedit.

Navigate to the key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Ldap

Set the value of LdapClientIntegrity to 0.

Restart the se  ...
by lunarg on August 21st 2015, at 11:06

You can mail-enable multiple accounts with a single PowerShell command. Look below for some examples:

Mail-enable AD accounts whose first name is John:

Get-ADUser -Filter * | Where {$_.GivenName -like "John"} | ForEach-Object { Enable-Mailbox -Identity $_.DistinguishedName }

Mail-enable all accounts in an OU called Engineering:

Get-ADUser -Filter * -SearchBase "OU=Engineering,DC=contoso,DC=local" | ForEach-Object { Enable-Mailbox -Identity $_.DistinguishedName }
by lunarg on July 9th 2015, at 09:31

Based on recommendations and best practices from Microsoft, and information I found here, I compiled a FSMO placement scenario for 2 domain controllers:

PDC Emulator
RID Master
Infrastructure Master
Schema Master
Domain Naming Master
Global Catalog

Also, if your domain is top-level in the AD forest, configure DC1 to sync with external time sources.
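To check whether a domain actually matches the placement described above, the following added example (not from the original post) queries the current FSMO role holders, the global catalog flag of each DC, and the time source used by the PDC emulator. It assumes the ActiveDirectory module and that it is run on a domain-joined host with RSAT; the function name Get-FsmoPlacement is invented here.

```powershell
# Added example: show where the FSMO roles, global catalogs and the
# PDC emulator's time source currently are.
Import-Module ActiveDirectory

function Get-FsmoPlacement {
    [CmdletBinding()]
    param()

    $forest = Get-ADForest
    $domain = Get-ADDomain

    # Forest-wide roles live on the forest object, domain roles on the domain.
    $roles = [PSCustomObject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }

    # Every DC in the domain with its global catalog status.
    $gcs = Get-ADDomainController -Filter * |
        Select-Object Name, Site, IsGlobalCatalog, OperatingSystem

    # The PDC emulator of a top-level domain should point at an external
    # time source; w32tm reports what it is actually using.
    $timeSource = & w32tm /query /computer:$($domain.PDCEmulator) /source

    [PSCustomObject]@{
        Roles             = $roles
        DomainControllers = $gcs
        PdcTimeSource     = ($timeSource -join ' ').Trim()
    }
}

# Usage:
#   $p = Get-FsmoPlacement
#   $p.Roles
#   $p.DomainControllers | Format-Table
#   $p.PdcTimeSource
```

If the Infrastructure Master sits on a global catalog in a multi-domain forest it will never update phantom references, which is why the placement above keeps the roles and the GC assignment in view together.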

by lunarg on July 3rd 2015, at 15:46
Active Directory uses Kerberos for authentication, which relies strongly on having the date and time of day running synchronously across the entire network and all devices in it. By default, each server and client joined to the AD, including domain controllers, will follow the domain hierarchy to sync its time. Domain controllers are set to automatically determine whether they can be used as a (reliable) time source. If a DC has considered itself a time source, it will accept requests from clients and provide them with its own current time.

Domain controllers at the top of the forest (top-level DCs) don't have another server above them to sync against, so they can either opt to sync   ...
by lunarg on July 2nd 2015, at 13:29
Contacting a domain controller in Active Directory is done through DNS lookup. Several DNS SRV records are used to find domain controllers in a site. If multiple domain controllers are present in the same site, the client will arbitrarily select one, based on the contents of those records.

By default, the selection is random, and all DCs have an equal chance of being picked. The inherent properties of SRV records allow this behaviour to be influenced by changing the weight and priority of those records. This enables fine-tuning and configuration of which DC to favour or even exclude. By default, all SRV records (thus, all DCs) have their weight and priority set to 0.

The weight defines  ...
by lunarg on June 26th 2015, at 14:50

Microsoft has released Azure Active Directory Connect to the general public. Azure AD Connect replaces (although "incorporates" is a better word) DirSync as the new tool to set up synchronization between your on-premises Active Directory and Azure Active Directory, including Office 365.

The current version of Azure AD Connect is only the beginning. Microsoft has announced a lot more features, which will be made available in the next versions.

More information and installation resources:

by lunarg on June 26th 2015, at 12:01
When attempting to trigger an AD replication from one DC to another using Active Directory Sites and Services or repadmin.exe, you may get the following error:

AD Replication error 8452:
"The naming context is in the process of being removed or is not replicated from the specified server."

The most common cause for this error is that you tried to replicate between DCs for which no DS replication connection exists. The replication attempt will therefore fail. As a workaround, try replicating to the target DC from another source DC, or create a new replication connection between the target and source DCs.

Open Active Directory Sites and Services.

In the tree to the left, locate t  ...
by lunarg on June 26th 2015, at 11:25

Active Directory (AD) integrated DNS zones are not replicated by the DNS server itself, but through the Active Directory replication mechanism, and use the same settings as AD replication.

You can trigger replication through Active Directory Sites and Services, or with repadmin.exe on command prompt:

repadmin.exe /replicate target_dc source_dc DC=DomainDnsZones,DC=domain,DC=com

Replace parameters accordingly:

  • target_dc is the DC to replicate to
  • source_dc is the DC to replicate from
  • Edit the naming context so it matches your domain's FQDN: e.g., DC=co,DC=uk
by lunarg on June 24th 2015, at 13:07
With dcpromo.exe now being deprecated on 2012 and 2012 R2, it is no longer obvious which method to use to demote a domain controller. Although you could resort to PowerShell to get it done, there's also a way to demote using Server Manager, albeit not a very clear one.

The trick is to attempt to remove the Active Directory Domain Services role from the server, using Server Manager. When you do remove this, you will be prompted to demote the domain controller before the role can be removed, along with a link to actually perform this task.

Start Server Manager. In the upper right corner, click Manage, then click Remove Roles and Features.

Continue in the wizard that appears, making sure th  ...
by lunarg on June 12th 2015, at 13:14
Attached to this article are scripts to configure proxy settings for Internet Explorer (all versions). As Google Chrome uses the IE settings for their proxy settings, it can be used for that browser as well. I know there are other, far better methods for configuring proxy settings for clients, but continue your read to see why they were not usable in this particular case.

I ran into a customer where they were still using Internet Explorer Maintenance in their group policies to configure proxy settings for their clients. As a result, all users who got more recent computers did not get the proxy settings, as they were running Internet Explorer 10 or newer. Starting from IE10, configuration of  ...
by lunarg on June 10th 2015, at 16:04

When demoting a 2003 domain controller using dcpromo, you may run into the following error:

The operation failed because:

Failed to configure the service NETLOGON as requested

"The wait operation timed out"

The error message is quite misleading as the real cause has got nothing to do with NETLOGON, but is in fact a DNS issue. You will most likely have the server's primary DNS pointing to itself using loopback address ( or its own IP address.

You can correct the issue by having the DNS point to remaining domain controllers, and remove any DNS pointing to itself (i.e. loopback address or any other IP owned by the server being demoted).

by lunarg on June 10th 2015, at 14:29

There are two ways to see which Certificate Authority servers exist in your AD domain.

1. Check the Cert Publishers group

The AD group Cert Publishers contains the servers that are permitted to publish certificates to AD. As a consequence, this group will contain all servers that are CAs.

2. Use certutil

You can use the certutil command to view (and select from) a list of CAs in the current AD domain:

certutil -config - -ping

Note: type the command as-is, including all spaces and hyphens.

A window will appear, listing the CA name and the server it runs on.

by lunarg on June 10th 2015, at 14:20
After migrating AD from 2003 to 2012, I ran into this issue on a RADIUS server running 2008 R2, used for authentication. When attempting to retrieve AD information for a particular user, the following error appeared:

An error (1301) occurred while enumerating the groups. The group's SID could not be resolved.

The solution (at least for Windows 7 and 2008 R2), is to install hotfix 2830145.

The hotfix is only available by request through e-mail.

When attempting to log on to a 2012-based domain controller, the following SIDs are unmappable:

S-1-18-1 : Authentication authority asserted identity

S-1-18-2 : Service asserted identity

2012 introduces two new securit  ...
by lunarg on June 5th 2015, at 10:40
If your inter-domain trust is down, and the eventlog reveals the following error:

There are currently no logon servers available to service the logon request. (0x51F)

Then check the following:

Check whether you can still access the DNS servers at the other side: try using the name first, then try through IP. If DNS does not work, there's an issue with your DNS.

Check whether the DNS zones for the domain are still in place. If it exists, try performing a reload from master. If this fails, you either have connection issues, or the other side has removed the required zone delegation, preventing you from retrieving the zone information.

If you can neither connect through DNS or IP, ch  ...
by lunarg on May 28th 2015, at 10:46

When attempting to log on with a domain account on a computer joined to a domain that has both 2012R2 and 2003 domain controllers, you may encounter the following error:

Error message
unknown username or bad password

Additionally, an Event ID 4 on Source: Kerberos is logged. You can only log on using local accounts.


Mixed 2012R2 and 2003 AD environments require hotfix 2989971 to be installed on every 2012R2 DC. See the KB for a full explanation.

The hotfix requires Update 1 (2919355) to be installed first. The hotfix is also included in update rollup 2984006.
