
Active Directory (AD) Real Time Interview Questions and Answers


I would like to share some Windows Active Directory interview questions and answers. I will start with basic questions and continue with L1, L2 and L3 level questions.

Also Read: Windows Server Administrator Interview Questions and Answers

What is Active Directory?

Active Directory (AD) is a directory service developed by Microsoft. It stores objects such as users, computers, printers and network information, and it lets you manage your network effectively with multiple Domain Controllers in different locations sharing the AD database: a change made on any Domain Controller is replicated to all the other DCs, giving centralized administration across multiple geographical locations. AD also authenticates users and computers in a Windows domain.

What is LDAP and how the LDAP been used on Active Directory(AD)?

http://www.windowstricks.in/ldap-and-ldap-query

What is Tree?

A tree is a hierarchical arrangement of Windows domains that share a contiguous namespace.

What is Domain?

Active Directory Domain Services is Microsoft's directory server. It provides authentication and authorization mechanisms as well as a framework within which other related services can be deployed.

What is Active Directory Domain Controller (DC)?

A Domain Controller is a server that holds the AD database. All AD changes made on one DC are replicated to the other DCs, and vice versa.

What is Forest?
A forest consists of multiple domain trees. The domain trees in a forest do not form a contiguous namespace, but they share a common schema and global catalog (GC).

What is Schema?

The Active Directory schema is the set of definitions that define the kinds of objects, and the types of information about those objects, that can be stored in Active Directory.

The Active Directory schema is a collection of object classes and their attributes, for example:

Object class = User

Attributes = first name, last name, email, and others

Can we restore a schema partition?

http://www.windowstricks.in/2014/01/can-i-restore-schema-partition.html

Tell me about the FSMO roles?

Schema Master

Domain Naming Master

Infrastructure Master

RID Master

PDC

Schema Master and Domain Naming Master are forest-wide roles; there is only one of each per forest. The other roles are domain-wide, one of each per domain.

AD replication is multi-master replication: a change can be made on any Domain Controller and is replicated to the other Domain Controllers. The exception is the five roles above, the Flexible Single Master Operations (FSMO) roles: changes covered by these roles can only be made on the dedicated Domain Controller that holds the role, so they are single-master.

How to check which server holds which role?


Netdom query FSMO
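As an added example (not part of the original article), the same check in PowerShell with the ActiveDirectory module. It lists all five role holders, confirms each holder answers an LDAP bind so a holder that is listed but offline is visible, and flags an Infrastructure Master that is also a Global Catalog, which the article advises against in a multi-domain forest. It assumes the RSAT ActiveDirectory module is installed and the account can query the domain.

```powershell
# Added example: list FSMO role holders and check each one is actually reachable.
# Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

function Get-FsmoRoleStatus {
    $forest = Get-ADForest
    $domain = Get-ADDomain

    # Forest-wide roles come from Get-ADForest, domain-wide roles from Get-ADDomain
    $roles = [ordered]@{
        'SchemaMaster'         = $forest.SchemaMaster
        'DomainNamingMaster'   = $forest.DomainNamingMaster
        'PDCEmulator'          = $domain.PDCEmulator
        'RIDMaster'            = $domain.RIDMaster
        'InfrastructureMaster' = $domain.InfrastructureMaster
    }

    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]

        # A listed holder is not necessarily online: try an LDAP bind to it
        $online = $false
        try {
            $null = Get-ADRootDSE -Server $holder -ErrorAction Stop
            $online = $true
        } catch { }

        # Infrastructure Master on a GC is only a problem with more than one domain
        $note = ''
        if ($role -eq 'InfrastructureMaster' -and $online) {
            $dc = Get-ADDomainController -Identity $holder
            if ($dc.IsGlobalCatalog -and $forest.Domains.Count -gt 1) {
                $note = 'Infrastructure Master is also a GC in a multi-domain forest'
            }
        }

        [pscustomobject]@{
            Role   = $role
            Holder = $holder
            Online = $online
            Note   = $note
        }
    }
}

Get-FsmoRoleStatus | Format-Table -AutoSize
```

A row with Online = False for PDCEmulator is the one to act on first, for the reasons given in the next answer; the other roles can usually wait for a planned recovery.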

Which FSMO role is the most important? And why?

An interesting question: which of the 5 FSMO roles is the most important, or in other words, which role's failure will impact end-users immediately?

Most amateur administrators pick the Schema Master role, perhaps because they think the schema is critical to running Active Directory.

The correct answer is the PDC emulator. To explain why, let us look role by role at what happens when the FSMO role holder fails.

Schema Master: the Schema Master is needed to update the schema. We don't update the schema daily; it is updated during operating system migrations, when installing a new Exchange version, and for any other application that requires extending the schema.

So if the Schema Master server is not available, we cannot update the schema, but this does not affect normal Active Directory operation or end-users.

The Schema Master only needs to be online when we are ready to make a schema change, which we can plan, so we have more time to bring the Schema Master server back.

Domain Naming Master: the Domain Naming Master is required to create a new domain or an application partition. As with the Schema Master, we don't create domains or application partitions frequently.

So if the Domain Naming Master server is not available, we cannot create a new domain or application partition. This does not affect users; users will not even be aware that the Domain Naming Master server is down.

Infrastructure Master: the Infrastructure Master handles cross-domain updates. What is really updated between domains? Whenever a user logs on to the domain, the TGT is created with the list of access the user gets through group membership (the user's group membership details); it also contains the user's membership details from trusted domains. The Infrastructure Master keeps this information up-to-date: it updates reference information every 2 days by comparing its data with the Global Catalog (that is why we don't keep the Infrastructure Master and the GC on the same server).

In a single-domain, single-forest environment there is no impact if the Infrastructure Master server is down.

In a multi-domain or multi-forest environment there will be an impact, but we have enough time to fix the issue before it affects end-users.

RID Master: every DC is initially issued 500 RIDs by the RID Master server. RIDs are used to create new objects in Active Directory: every new object is created with a Security ID (SID), and the RID is the last part of the SID. The RID uniquely identifies a security principal relative to the local or domain security authority that issued the SID.

When a DC's pool gets down to 250 (50%), it requests a second pool of RIDs from the RID Master. If the RID Master server is not available, new RID pools cannot be issued to DCs, and each DC can only create new objects while it has RIDs available. Since every DC has anywhere between 250 and 750 RIDs available, there is no immediate impact.
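To make the SID/RID split concrete, here is an added example (not from the original article) that parses a SID string with .NET's SecurityIdentifier class, separates the issuing authority from the RID, and labels the well-known RIDs every domain issues. The sample SIDs are constructed; the well-known RID values are fixed by Windows.

```powershell
# Added example: split a SID into its issuing authority (domain SID) and the RID.
# Needs only .NET's SecurityIdentifier class, no domain connection.

# Well-known domain-relative RIDs (lookup constructed here; values are fixed by Windows)
$WellKnownRids = @{
    500 = 'Administrator'
    501 = 'Guest'
    502 = 'krbtgt'
    512 = 'Domain Admins'
    513 = 'Domain Users'
    515 = 'Domain Computers'
    516 = 'Domain Controllers'
    519 = 'Enterprise Admins'
}

function Split-Sid {
    param([Parameter(Mandatory)][string]$SidString)

    # Let .NET validate the syntax; a malformed string throws here
    $sid = New-Object System.Security.Principal.SecurityIdentifier($SidString)

    # The RID is the last sub-authority; everything before it is the issuing authority
    $parts  = $sid.Value -split '-'
    $rid    = [int64]$parts[-1]
    $issuer = $parts[0..($parts.Length - 2)] -join '-'

    $name = $null
    if ($rid -lt [int]::MaxValue -and $WellKnownRids.ContainsKey([int]$rid)) {
        $name = $WellKnownRids[[int]$rid]
    }

    [pscustomobject]@{
        Sid         = $sid.Value
        IssuerSid   = $issuer
        Rid         = $rid
        IsAccountSid = $sid.IsAccountSid()     # true for SIDs issued by a domain or local SAM
        WellKnown   = $name
        # Objects created by administrators get RIDs from the DC's allocated pool,
        # which in a domain starts at 1000; lower RIDs are the built-in ones
        FromRidPool = ($sid.IsAccountSid() -and $rid -ge 1000)
    }
}

# Constructed sample SIDs: the built-in Administrator (RID 500) and a pool-issued account
'S-1-5-21-1111111111-2222222222-3333333333-500',
'S-1-5-21-1111111111-2222222222-3333333333-1105' |
    ForEach-Object { Split-Sid $_ } | Format-List
```

The IssuerSid is the same for both sample accounts, which is the point of the RID pool: every DC in the domain stamps the same domain SID and only the RID part must be unique, which is why it has to be handed out centrally by the RID Master.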

PDC: the PDC emulator is required for time synchronization, user logon, password changes and trusts. Now you know why the PDC emulator is the most important FSMO role holder to get back online: a PDC emulator failure will impact end-users immediately and we need to recover it ASAP.

The PDC emulator emulates a Primary Domain Controller for backwards compatibility, is responsible for time synchronization within the domain, and is also the password master. Any password change is replicated to the PDC emulator ASAP. If a logon request fails due to a bad password, the logon request is passed to the PDC emulator to check the password before the logon request is rejected.

Tell me about the Active Directory database and list the Active Directory database files?

NTDS.DIT

EDB.Log

EDB.Chk

Res1.log and Res2.log

AD changes are not written directly to the NTDS.DIT database file: they are first written to EDB.Log and then from the log file to the database. EDB.Chk is used to track which database updates from the log file have already been copied to the database file.

NTDS.DIT: NTDS.DIT is the AD database and stores all AD objects. The default location is %systemroot%\NTDS\ntds.dit. The Active Directory database engine is the Extensible Storage Engine (ESE), which is based on the Jet database.

EDB.Log: EDB.Log is the transaction log file. When EDB.Log is full, it is renamed to EDBnum.log, where num is an increasing number starting from 1, for example EDB1.Log.

EDB.Chk: EDB.Chk is the checkpoint file used to track the data not yet written to the database file. It indicates the starting point from which data is to be recovered from the log file in case of failure.

Res1.log and Res2.log: the Res files are reserved transaction log files which give the transaction log enough time to shut down cleanly if the disk does not have enough space.

What RAID configuration can be used in Domain Controllers?

http://www.windowstricks.in/2010/07/recommended-raid-configuration-and-disk.html

Can we keep OS, log files, SYSVOL, AD database on same logical Disk?

http://www.windowstricks.in/2010/07/recommended-raid-configuration-and-disk.html

AD Interview Questions (Part 2)


What are Active Directory partitions?

An Active Directory partition defines how and where AD information is logically stored.

What are all the Active Directory Partitions?

Schema
Configuration
Domain
Application partition

What are the Active Directory partitions used for, and how do you find the Active Directory partitions and their locations?

Schema partition: stores details about objects and attributes. Replicates to all domain controllers in the forest.

DN location: CN=Schema,CN=Configuration,DC=Domainname,DC=com

Configuration partition: stores AD configuration information such as sites, site links, subnets and other replication topology information. Replicates to all domain controllers in the forest.

DN location: CN=Configuration,DC=Domainname,DC=com

Domain partition: stores object information for a domain, such as users, computers, groups, printers and other domain-specific information. Replicates to all domain controllers within the domain.

DN location: DC=Domainname,DC=com

Application partition: stores information about applications in Active Directory. For example, when AD-integrated DNS is used there are two application partitions for DNS zones, ForestDNSZones and DomainDNSZones (see more).

How to configure Active Directory Partitions?


You can only configure the application partition manually, for use with AD-integrated applications; refer to this article for details.

How to create DNS zone in Application Directory Partition?

see on my previous article

How to move the DNS zone from Domain Partition to Application partition?

see on my previous article

How to take active directory backup?


A system state backup backs up Active Directory; NTBackup can be used to back up Active Directory.

Active Directory restores types?


Authoritative restore
Non-authoritative restore

Non-authoritative restore of Active Directory

A non-authoritative restore restores the domain controller to its state at the time of the backup, and allows normal replication to overwrite the restored domain controller with any changes that have occurred after the backup. After the system state restore, the domain controller queries its replication partners and gets the changes made after the backup date, to ensure that the domain controller has an accurate and updated copy of the Active Directory database.

Non-authoritative restore is the default method for restoring Active Directory: a plain restore of system state is a non-authoritative restore, and this is what we mostly use for Active Directory data loss or corruption.

How do you perform a non-authoritative restore?


Just start the domain controller in Directory Services Restore Mode and perform a system state restore from backup.

Authoritative restore of Active Directory


An authoritative restore is the next step after the non-authoritative restore process: you have to do a non-authoritative restore before you can perform an authoritative restore. The main difference is that an authoritative restore can increment the version numbers of the attributes of all objects in an entire directory, or of an individual object, which makes the restored object authoritative in the directory. This can be used to restore a single deleted user or group, and even an entire OU.

In a non-authoritative restore, after a domain controller is back online it contacts its replication partners to determine any changes since the time of the last backup. In an authoritative restore, however, the version numbers of the object attributes that you want to be authoritative are higher than the existing version numbers of those attributes, so the object on the restored domain controller appears to be more recent and the restored object is therefore replicated to the other domain controllers in the domain.

How do you perform an authoritative restore?


Unlike a non-authoritative restore, an authoritative restore needs Ntdsutil.exe to increment the version numbers of the object attributes.

Which Active Directory partitions can be restored?


You can authoritatively restore only objects from the configuration and domain partitions. Authoritative restores of the schema naming context are not supported.

How many domain controllers need to be backed up? Or which domain controllers should be backed up?

The minimum requirement is to back up two domain controllers in each domain, one of which should be an operations master role holder. There is no need to back up the RID Master (relative ID master), because the RID Master should not be restored.

Can we restore a backup of one domain controller to another/different domain controller?

A backup of one domain controller cannot be restored to another domain controller; it should be restored to the same domain controller.

Sysvol Interview Questions and Answers


I would like to share a collection of Sysvol and FRS interview questions and answers; these will be asked in Windows Active Directory administrator job interviews.

What is the SYSVOL folder and why is it used?

The SYSVOL folder on a Windows domain controller is used to store the domain's Group Policy settings, default profiles and logon/logoff/startup/shutdown scripts. It is available in the C:\Windows\SYSVOL directory on all domain controllers within the domain.

What is NETLOGON folder?

The Netlogon folder, which is inside the SYSVOL folder, contains the logon/logoff/startup/shutdown scripts.

What is a junction point?

Check more about: Sysvol Junction point

What other folders are in SYSVOL, and what is the SYSVOL folder structure/contents?

Check more about: netlogon and sysvol folder location

How do policies get replicated from one DC to another DC?

Check more about: how sysvol replication works

What is the Difference between FRS and DFS-R?

Check more about: Difference between FRS and DFSR

How do you force SYSVOL replication?


Check more about: force sysvol replication on Windows 2003 and force sysvol replication on
Windows 2008 and windows server 2012

What is the Sysvol Replication change in Windows 2008?

Check more about: sysvol replication change on windows 2012

Any Sysvol issues which you have faced in your environment?

USN journal wrap error on SYSVOL

Morphed folders in SYSVOL

FRS replication issues

SYSVOL share not being shared, which may be a replication issue; the event log will have more information

Tell me about non-authoritative restore of SYSVOL, or D2 restore

D2 is the default method for restoring SYSVOL and occurs automatically when you do a non-authoritative restore of Active Directory.

When you non-authoritatively restore SYSVOL, the local copy of SYSVOL on the restored domain controller is compared with that of its replication partners. After the domain controller restarts, it replicates any necessary changes, bringing it up-to-date with the other domain controllers within the domain.

Tell me about authoritative restore of SYSVOL, or D4 restore

In a D4 restore, a copy of SYSVOL that is restored from backup is authoritative for the domain. After the necessary configurations have been made, Active Directory marks the local SYSVOL as authoritative and it is replicated to the other domain controllers within the domain.

How do you perform a D2 or D4 restore?

Set the BurFlags registry value to D2 or D4:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
Value: BurFlags
D2, for a nonauthoritative mode restore
D4, for an authoritative mode restore

More info from MS
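An added example (not from the original article) that performs the BurFlags step in PowerShell: it stops the FRS service, writes the value, and starts FRS again, since FRS only reads BurFlags at service start-up. It uses the .NET registry API rather than the HKLM: drive because the key name contains a forward slash, which the PowerShell registry provider treats as a path separator. This applies to an FRS-replicated SYSVOL only; a DFSR-replicated SYSVOL is recovered differently.

```powershell
# Added example: set BurFlags for an FRS-replicated SYSVOL and cycle the FRS service.
# Run as an administrator on the domain controller being restored.
function Set-FrsBurFlags {
    param(
        # D2 = nonauthoritative (rebuild this DC's SYSVOL from a partner),
        # D4 = authoritative (this DC's SYSVOL becomes the master copy; use on one DC only)
        [Parameter(Mandatory)][ValidateSet('D2', 'D4')][string]$Mode
    )

    $subKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
    # The value is a REG_DWORD holding 0xD2 or 0xD4
    $value = [Convert]::ToInt32($Mode, 16)

    Stop-Service -Name NtFrs -Force

    # OpenSubKey(name, writable): '/' in the key name is literal here, unlike HKLM:\ paths
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey, $true)
    if (-not $key) { throw "FRS registry key not found; is SYSVOL replicated by FRS on this DC?" }
    try {
        $key.SetValue('BurFlags', $value, [Microsoft.Win32.RegistryValueKind]::DWord)
        $written = $key.GetValue('BurFlags')
    } finally {
        $key.Close()
    }

    Start-Service -Name NtFrs

    # Report what FRS acts on at this start-up (FRS resets the value once processed)
    [pscustomobject]@{ Mode = $Mode; BurFlags = ('0x{0:X}' -f $written); Service = (Get-Service NtFrs).Status }
}

# Set-FrsBurFlags -Mode D2   # on the DC whose SYSVOL should be rebuilt from its partners
```

After the service restarts, the FRS event log (NtFrs source, event 13516 when SYSVOL is shared again) is where to confirm the restore completed.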

Windows Group Policy Interview Questions and Answers
By mail2spi2014 | July 7, 2009


I will share a collection of Windows Group Policy interview questions with detailed answers, starting with simple L1 questions and continuing to L3 questions.

What are group policies?

Group policies specify how programs, network resources, and the operating system work for users
and computers in an organization. They are collections of user and computer configuration settings
that are applied on the users and computers (not on groups). For better administration of group
policies in the Windows environment, the group policy objects (GPOs) are used.

What is GPO?

A Group Policy Object (GPO) is a collection of group policy settings. It can be created using a Windows utility known as the Group Policy snap-in. A GPO affects the user and computer accounts located in sites, domains, and organizational units (OUs). The Windows 2000/2003 operating systems support two types of GPOs: local and non-local (Active Directory-based) GPOs.

What are local GPOs/policies?

Local GPOs are used to control policies on a local server running Windows 2000/2003 Server. A local GPO is stored on each Windows 2000/2003 server. The local GPO affects only the computer on which it is stored. By default, only the Security Settings nodes are configured; the rest of the settings are either disabled or not enabled. The local GPO is stored in the %systemroot%\System32\GroupPolicy folder.
What is a non-local policy?

Non-local GPOs are used to control policies on an Active Directory-based network. A Windows 2000/2003 server needs to be configured as a domain controller on the network to use a non-local GPO. Non-local GPOs must be linked to a site, domain, or organizational unit (OU) to apply group policies to user or computer objects. Non-local GPOs are stored under %systemroot%\SYSVOL\sysvol\<domain>\Policies\{GUID}\ADM, where {GUID} is the GPO's globally unique identifier. Two non-local GPOs are created by default when Active Directory is installed:
1. Default Domain Policy: this GPO is linked to the domain and affects all users and computers in the domain.
2. Default Domain Controllers Policy: this GPO is linked to the Domain Controllers OU and affects all domain controllers placed in this OU.
Multiple GPOs and GPO apply order

When multiple group policy objects are assigned, the group policies are applied in the following order:

1. The local group policy object is applied first.
2. Then the group policy objects linked to sites are applied. If multiple GPOs exist for a site, they are applied in the order specified by an administrator.
3. GPOs linked to the domain are applied in the specified order.
4. Finally, GPOs linked to OUs are applied. The OU group policy objects are applied from the largest to the smallest organizational unit, i.e., first the parent OU and then the child OU.

By default, a policy applied later overwrites a policy that was applied earlier. Hence, the settings in a child OU can override the settings in the parent OU. Group policy settings are cumulative if they are compatible with each other; where they conflict, the GPO processed later takes precedence.

What is No Override? Block Policy Inheritance?

The following are the exceptions to the apply order described above:

No Override:
Any GPO link can be set to No Override. If No Override is set on a GPO, no policy configured in that GPO can be overridden. If more than one GPO has been set to No Override, the one that is highest in the Active Directory hierarchy takes precedence.

Block Policy Inheritance:

The Block Policy Inheritance option can be applied to a site, domain, or OU. It blocks all group policy settings that would reach the site, domain, or OU from objects higher in the hierarchy. However, GPOs configured with the No Override option are always applied.
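The apply order and the two exceptions above fit in a few lines of code. The following is an added example (not from the original article, and not how the Group Policy client itself is implemented): a model that takes the containers from Local down to the target OU, applies Block Inheritance and No Override (called Enforced in GPMC), and shows which GPO ends up supplying each setting. All GPO names and settings are constructed.

```powershell
# Added example: model LSDOU processing with Block Inheritance and No Override (Enforced).
function Resolve-EffectivePolicy {
    param(
        # Containers from the top of the hierarchy down to the target OU, in order:
        # Local, Site, Domain, parent OU, ..., child OU.
        # Each: @{ Name; BlockInheritance; Gpos = @(@{ Name; Enforced; Settings = @{} }) }
        [Parameter(Mandatory)][object[]]$Containers
    )

    # Pass 1: collect links. Block Inheritance on a container discards everything
    # collected above it, except No Override links, which survive the block.
    $normal   = @()
    $enforced = @()
    foreach ($c in $Containers) {
        if ($c.BlockInheritance) { $normal = @() }
        foreach ($gpo in $c.Gpos) {
            if ($gpo.Enforced) { $enforced += $gpo } else { $normal += $gpo }
        }
    }

    # Pass 2: normal links apply in LSDOU order (the lowest container last, so it wins);
    # No Override links apply after all of them, in reverse order, so the one highest
    # in the hierarchy is applied last and takes precedence.
    [array]::Reverse($enforced)
    $applyOrder = $normal + $enforced

    $effective = [ordered]@{}
    foreach ($gpo in $applyOrder) {
        foreach ($setting in $gpo.Settings.Keys) {
            # A later GPO overwrites an earlier value for the same setting;
            # settings that do not conflict simply accumulate.
            $effective[$setting] = "$($gpo.Settings[$setting]) (from $($gpo.Name))"
        }
    }

    [pscustomobject]@{
        ApplyOrder = @($applyOrder | ForEach-Object { $_.Name })
        Effective  = $effective
    }
}

# Constructed sample: a No Override domain GPO and a child OU that blocks inheritance
$hierarchy = @(
    @{ Name = 'Local';    BlockInheritance = $false; Gpos = @(
        @{ Name = 'Local GPO'; Enforced = $false; Settings = @{ Wallpaper = 'local.bmp' } }) }
    @{ Name = 'Site';     BlockInheritance = $false; Gpos = @(
        @{ Name = 'Site GPO';  Enforced = $false; Settings = @{ Proxy = 'site-proxy' } }) }
    @{ Name = 'Domain';   BlockInheritance = $false; Gpos = @(
        @{ Name = 'Default Domain Policy'; Enforced = $true; Settings = @{ MinPwdLen = 12; Wallpaper = 'corp.bmp' } }) }
    @{ Name = 'OU=Sales'; BlockInheritance = $true;  Gpos = @(
        @{ Name = 'Sales GPO'; Enforced = $false; Settings = @{ Wallpaper = 'sales.bmp'; Proxy = 'sales-proxy' } }) }
)

$result = Resolve-EffectivePolicy -Containers $hierarchy
$result.ApplyOrder   # Sales GPO, then Default Domain Policy
$result.Effective    # Wallpaper from Default Domain Policy (No Override wins), Proxy from Sales GPO, MinPwdLen 12
```

The block on OU=Sales drops the Local and Site GPOs entirely, which is why the site proxy never appears, while the No Override domain GPO passes through the block and still overrides the Sales wallpaper. On a real domain, Get-GPInheritance -Target "<OU distinguished name>" returns the same two inputs (GpoLinks with an Enforced flag, and GpoInheritanceBlocked) for a given container.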
What is Loopback policy?

See more on Loopback policy

Can group policy from a parent domain be inherited by a child domain?

Group Policy Inheritance

The group policies are inherited from parent to child within a domain. They are not inherited from
parent domain to child domain

Following are the rules regarding group policy inheritance:

A policy setting is configured (Enabled or Disabled) for a parent OU, and the same policy setting is not configured for its child OUs: the child OUs inherit the parent's policy.

A policy setting is configured (Enabled or Disabled) for a parent OU, and the same policy setting is configured for its child OUs: the child OU's settings override the settings inherited from the parent OU.

If any policy is not configured, no inheritance takes place

Compatible policy settings configured at the parent and child OUs are accumulated

Incompatible policy settings from the parent OU are not inherited

What is security filtering? Filtering Scope of GPOs

Although GPOs are linked to sites, domains, or OUs and cannot be linked to security groups directly, applying permissions to the GPO can filter its scope. The policies in a non-local GPO apply only to users who have the Read and Apply Group Policy permissions set to Allow. By setting appropriate permissions for security groups, administrators can filter a GPO's scope to particular computers and users.

Windows GPO Interview Questions and Answers

How is policy replicated from one Domain Controller to another?

Check detailed explanation on Sysvol Replication change in Windows 2008

What is Group Policy template (GPT)?

Check Group Policy template

What is Group policy container (GPC)?

Check Group policy container

What is File Replication Services (FRS)?

Check File Replication Services

Sysvol Replication change in Windows 2008?

Check detailed explanation on Sysvol Replication change in Windows 2008

How does Group Policy processing work over a slow link?

http://www.windowstricks.in/2009/07/group-policy-processing-over-slow-links.html

What tools are used to edit Group Policy?

GPMC and GPedit

How do you check applied policy details from a client or server?

RSOP.msc (only works on Windows 2003 and above)

GPRESULT /v
What is an .adm file?

Administrative Templates are required because Microsoft did not include all registry settings in the default Group Policy. If you want to add more customized settings to an existing policy, an .ADM file can be created and imported to get the necessary settings.

Group policy is not applying/working after patching (GPO permission issues)
By ganesamoorthy s | June 21, 2016

You may face GPO issues after installing Microsoft security patch MS16-072, such as printers installed through group policy not working, drive mappings not working, and other typical GPO problems caused by group policy settings not being applied to the client systems. Affected operating systems are Windows 8.1 and 10, and Windows Server 2008 and 2012 R2.

Also Read: Difference between Windows cumulative update and native Microsoft Windows update

Microsoft released MS16-072 to fix a vulnerability in Microsoft Windows, and it breaks production Group Policy. What really changed, why does this issue occur, and how do you prevent and fix it?

Also Read: Compare Installed Windows Security Patches with affected and non-affected Servers to
isolate and fix the issue on Windows Server

Issue:

Group policies with security filtering may fail to apply.

Why:

Normally, all security-filtered group policies have Read and Apply permissions for the respective security groups, so that the policy applies only to users who are members of the security group.

This issue occurs if Read permission is missing for the computer account the user is using.

Solution:

The simple solution is to add the Active Directory computer account to the security group, or to give the Domain Computers group / Authenticated Users Read permission, which fixes the issue for all domain-joined computers. The steps are:

1. Open GPMC.MSC (Group Policy Management Console)
2. Select the policy
3. On the right side of the console, select Delegation
4. Add Authenticated Users and select Read permissions
5. Add Domain Computers and select Read permissions

Also Read: Windows Group Policy Interview Questions and Answers

This patch does not affect computer-based policies, only user policies; use the above procedure to fix the issue. More about the patch: https://support.microsoft.com/en-us/kb/3163622

More about Windows Server 2016 and Windows Server 2012

How to Import ADMX files for Windows 10
By ganesamoorthy s | June 5, 2016

Group Policy Management Console (GPMC) not showing Windows 10 related settings/policies

To manage Windows 10 machines through Windows Group Policy you need the Windows 10 Group Policy template (.ADMX) files and the ADML language files on your Windows Server 2003/2008/2012 R2 domain controllers. Around 190 different templates are available for Windows 10, which help you configure different settings on your Windows 10 computers through GPO. From the link below you can download all the ADMX and ADML files from the Microsoft site:

https://www.microsoft.com/en-us/download/details.aspx?id=48257

How to import ADMX files to manage Windows 10 with Administrative Templates

Perform the steps below on the domain controller where you are using GPMC.MSC:

Copy the downloaded ADMX files to the folder C:\windows\PolicyDefinitions
Copy the language files (.adml) to the subfolder C:\windows\PolicyDefinitions\EN-US, or your language folder of choice
(C:\windows here stands for whatever %systemroot% is on your domain controller)
Restart gpmc.msc and it will show you the new policies available

Also Read: Windows Group Policy Interview Questions and Answers

How to create a Central Store for Administrative Template files

Domain controllers do not store or replicate copies of .adm files to other domain controllers, so you either have to do the above steps on every domain controller manually, or create a Central Store in the SYSVOL folder on a domain controller and deploy the .admx files there.

Create a folder named PolicyDefinitions in the location \\domainname.com\SYSVOL\domainname.com\policies on the domain controller
Copy the contents of C:\Windows\PolicyDefinitions from any Windows 10 machine to \\domainname.com\SYSVOL\domainname.com\policies\PolicyDefinitions
Copy the downloaded ADMX files to the folder \\domainname.com\SYSVOL\domainname.com\policies\PolicyDefinitions
Copy the language files (.adml) to the subfolder \\domainname.com\SYSVOL\domainname.com\policies\PolicyDefinitions\EN-US, or your language folder of choice
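The central store steps above as one script, added here as an example and not part of the original article. It copies the templates from a local PolicyDefinitions folder (by default the one under %systemroot% on the machine you run it from) into the SYSVOL central store, then checks that every .admx has a matching .adml in the chosen language, because a template whose language file is missing makes GPMC report a parse error for the whole Administrative Templates node. It assumes the ActiveDirectory module to look up the domain's DNS name and write access to SYSVOL.

```powershell
# Added example: build the Group Policy central store and verify admx/adml pairs.
# Assumes the ActiveDirectory module (RSAT) for the domain name.
Import-Module ActiveDirectory

function New-GpoCentralStore {
    param(
        # Local folder holding the .admx files and a language subfolder of .adml files
        [string]$Source   = (Join-Path $env:SystemRoot 'PolicyDefinitions'),
        [string]$Language = 'en-US'
    )
    $dns   = (Get-ADDomain).DNSRoot
    $store = "\\$dns\SYSVOL\$dns\Policies\PolicyDefinitions"
    $langDir = Join-Path $store $Language

    # Create the store (and language folder) and copy; -Force overwrites older copies
    New-Item -ItemType Directory -Path $langDir -Force | Out-Null
    Copy-Item -Path (Join-Path $Source '*.admx') -Destination $store -Force
    Copy-Item -Path (Join-Path $Source "$Language\*.adml") -Destination $langDir -Force

    # Consistency check: each .admx needs a same-named .adml in the language folder
    $admx = @(Get-ChildItem -Path $store   -Filter '*.admx' | ForEach-Object { $_.BaseName })
    $adml = @(Get-ChildItem -Path $langDir -Filter '*.adml' | ForEach-Object { $_.BaseName })
    $missing = @($admx | Where-Object { $_ -notin $adml })

    [pscustomobject]@{
        Store       = $store
        AdmxCount   = $admx.Count
        AdmlCount   = $adml.Count
        MissingAdml = $missing
    }
}

New-GpoCentralStore -Language 'en-US'
```

Once the store exists, GPMC on every domain controller reads templates from SYSVOL instead of its local %systemroot%\PolicyDefinitions, so later template updates (such as the Windows 10 download above) only need to be copied into the store once.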

Also Read: Understand SYSVOL Folder Structure

Now you can edit Windows 10 settings from any of the domain controllers in your environment.

Also Read: PowerShell command to extract Group policy result for a list of Servers

PowerShell command to extract Group Policy result for a list of Servers
By ganesamoorthy s | April 7, 2016

If you are looking for a PowerShell command that can run against a list of computers to obtain the computer policy settings in your domain environment, you can use this to compare working and non-working servers to fix an issue, and also for GPO reporting.

Also Read: Enable Powershell Remoting on Windows server 2008 R2 and 2012

An input file (serverlist.txt) needs to be created in the C:\temp location and updated with the list of servers whose group policy output will be extracted.

Run below PowerShell command to export all Group Policies to Text File:

You need to import the PowerShell module before running the command; only then will the GroupPolicy-related commands work:

Import-Module GroupPolicy

Run the PowerShell script below:

$RemoteComputers = Get-Content -Path C:\temp\serverlist.txt

# Output folder for the per-server reports (the cmdlet does not create it)
New-Item -ItemType Directory -Path C:\temp\rsop -Force | Out-Null

foreach ($computer in $RemoteComputers) {
    # One HTML RSoP report per server, named after the server
    Get-GPResultantSetOfPolicy -Computer $computer -ReportType Html -Path "C:\temp\rsop\$computer.htm"
}

An output file named servername.htm will be created in C:\temp\rsop\ for each server in the input file. Now you have the Group Policy result for all the servers.

Also Read: Interesting one-line script written using Windows commands


Difference between windows server 2008 and 2012

Deploy and distribute new Print Queue to all Workstations through Group Policy on Windows Server 2012
By ganesamoorthy s | December 23, 2015

How do you set up and configure a new print queue on a dedicated print server and deploy it to all users through GPO? For a single user it is simple: access the print server via \\PrintServer and double-click the print queue object to install it locally on the client machine. If this needs to be done for thousands of users with managed print services, what is the best way to do it? The native procedure is to configure it through startup scripts (for computer objects) or logon scripts (for users). Are there any simpler settings to do the same in Windows Server 2012? I also discussed how to install a printer through Print Management on the print server.

Also See: Print spooler stopping automatically on Windows Server 2012, 2008 Print Server

Setting up Printers via Group Policy on Server 2008 and 2012

Use an existing GPO or create one for this

For Server 2008: browse to Computer Configuration | Policies | Windows Settings | Printer Connections | Path
For Server 2012: browse to Computer Configuration | Policies | Windows Settings | Deployed Printers
Right-click and select Deploy New Printer
Enter the UNC path (\\PrintServer\printername)
Click OK to complete the setup

Note: make sure the printer is shared and published to Active Directory before you assign it to the group policy.

Also See: Print spooler stopping automatically on Windows 10 other client Operating system

How to configure additional printer drivers to support different operating systems


After configuring the printer deployment through group policy, you need to add additional printer drivers to support all the operating systems the printer is deployed to, such as Windows 7, 8 and Windows 10, or any server operating system such as Windows Server 2003/2012, in 32-bit and 64-bit.

Log in to the print server

Open Control Panel and browse to Devices and Printers
Click Print Server Properties at the top of the window
Click Add Driver
Follow the steps to add a different OS
Repeat the same for the other operating systems

Also See: Printer showing offline Windows 10

Using the above method, printers can be deployed automatically to all client systems with different operating systems. It is always recommended to deploy to computer accounts rather than user accounts, so that the printer is installed at startup/power-on and all users get the installed printer.

And Other Printer problems and issues with solution

Install printer through group policy
By mail2spi2014 | July 21, 2011

Deploying printers via group policy using the Print Management console: if you have not installed Print Management, install it by adding or updating the print server role through Manage Your Server.

Deploying printers through GPO

o Open the Print Management console and select the printer you want to install.

o In the results pane, right-click the printer you want to install, then click Deploy with Group Policy

o Click Browse, and then choose the GPO through which you are going to deploy the printer
o Select whether to deploy this printer per user or per computer:

o Select "The users that this GPO applies to" (per user)
o Select "The computers that this GPO applies to" (per machine)

o Click Add

To complete the printer deployment on the client, we have to deploy PushPrinterConnections.exe to the client computer so that the client can process the printer connection settings from the GPO.

Deploy PushPrinterConnections.exe file

We add PushPrinterConnections.exe to a logon script in the GPO, so that it is deployed at user logon:

o Open gpmc.msc, right-click the GPO with your printer connection settings, click Edit, and add the PushPrinterConnections.exe file

o For per-machine, go to Computer Configuration, Windows Settings, Scripts (Startup/Shutdown).

o For per-user, go to User Configuration, Windows Settings, Scripts (Logon/Logoff).

Ask the user to log off and log on again; the printer will be installed automatically through GPO. For per-machine deployment, ask the user to restart the computer in order to apply the updated GPO.

Issue managing IE configuration through GPO
By mail2spi2014 | June 22, 2011

The list of trusted sites recently went empty: yes, the Trusted Sites list became empty and says "No sites are in this zone". How do you resolve this issue?

We had an issue where someone edited the Default Domain Policy to update the trusted site list and we lost the entire IE configuration (like the trusted site list), because he used a different account to edit the group policy. It is a known issue in Windows Server 2003. Why does it clear the IE configuration? Let's explore this.

Because Internet Explorer policy settings change based on the policy settings enabled on the administrative workstation used to view the settings.

If you edit the group policy to configure the Internet Explorer settings, it opens the Internet Options from the system where you are modifying the policy. Let's say you log in with an admin account and this account is not linked to any policy, including the Default Domain Policy which holds the IE configuration details such as trusted sites. If you open and edit the policy to update the trusted sites through GPMC, the list will be empty, because the admin account used to edit the GPO is not linked to any policy.

If you click OK, this empty setting overwrites the policy settings and is applied to all users: the trusted sites list will be empty for all users in the domain.

That is why you have to use an admin account that is linked to the policy you want to edit (only for IE configuration): at logon the policy is applied, so you can see the list of trusted sites and the other IE configuration settings, and you can append to the IE settings without any issue.

Thanks to Microsoft, in Windows 2008 this behavior has changed: you can change the Internet Explorer policy settings without affecting the policy configuration, because these settings are registry-based, unlike in Windows Server 2003. More info about the GPO features

Group Policy slow link detection on Windows Server 2008
By mail2spi2014 | June 6, 2011

Group Policy slow link detection process changes on Windows Server 2008

You can see my earlier articles on Group Policy slow link detection:

Group Policy Processing over Slow Links in Windows 2003 (Part 1)

Group Policy Processing over Slow Links (Part 2)

In Windows Server 2003, Group Policy slow link detection uses ICMP ping to detect the network
bandwidth. Most VPN networks have an issue with this because the clients communicate with the
domain controller through a firewall.

This was a big problem in Windows Server 2003 because it uses ICMP ping to measure the network
bandwidth: on some VPN sites ICMP ping might be blocked by the firewall, or the MTU size might be
smaller than the required limit, and the ping itself increases network traffic. To overcome these problems
Microsoft came up with a solution called NLA (Network Location Awareness).

Network Location Awareness is a service on the client computer. It provides the necessary information about
the network, and Group Policy uses this to apply the policy settings. Most importantly it does not use ICMP ping
and is far more efficient than the earlier process in Windows 2003.

SYSVOL Folder Structure
By mail2spi2014 | April 26, 2011

About each folder under the SYSVOL share on a Domain Controller

The SYSVOL folder is used to store a copy of the domain's public files, such as system policies, Group Policy
settings and logon/logoff scripts, which are replicated to all other domain controllers in the Active
Directory domain through the File Replication Service (FRS). You can find many folders inside the
SYSVOL share; I would like to explore and explain each folder by how it is used in the process of
SYSVOL replication.

SYSVOL Folder Structure

Sysvol
|____Domain
| |____Policies
| |____Scripts
| |____DO_NOT_REMOVE_NtFrs_PreInstall_Directory
| |____NtFrs_PreExisting___See EventLog
|
|____Enterprise
| |____Policies
| |____Scripts
|
|____Staging
| |____Domain
| |____Enterprise
|
|____Staging Areas
| |____Enterprise (junction -> Sysvol\Staging\Enterprise)
| |____Your Domain Name (junction -> Sysvol\Staging\Domain)
|
|____Sysvol
| |____Enterprise (junction -> Sysvol\Enterprise)
| |____Your Domain Name (junction -> Sysvol\Domain)

Before I discuss the SYSVOL folder structure, we should know about junction points.

Junction point: a physical location on a hard disk that points to data that is located elsewhere on
the hard disk or on another storage device. Junction points look like folders and behave like folders,
but they are not folders. A junction point contains a link to another folder. When a program opens it,
the junction point automatically redirects the program to the folder to which the junction point is
linked.

If you open %systemroot%\SYSVOL\sysvol, it actually opens the content of %systemroot%\SYSVOL\domain.
You can also see this at the command prompt: go to the SYSVOL folder in a command prompt and type DIR,
and you will notice that some of the folders are shown as <JUNCTION>; these are the junction points.

%systemroot%\SYSVOL\staging areas\<domain name> points to %systemroot%\SYSVOL\staging\domain

%systemroot%\SYSVOL\sysvol points to %systemroot%\SYSVOL\domain
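As an added example (not from the original article), this PowerShell snippet lists the junction points under SYSVOL and checks that the two domain junctions resolve to the targets described above. It assumes the default %SystemRoot%\SYSVOL location; the domain name contoso.com is a placeholder.

```powershell
# Added example, not from the original article: list the junction points under the
# SYSVOL share and verify that the two domain junctions point where the tree above says.
# Assumptions: SYSVOL is at %SystemRoot%\SYSVOL (the default) and the domain name is
# passed in by the caller; "contoso.com" below is a placeholder.

function Get-SysvolJunctions {
    param([string]$SysvolRoot = (Join-Path $env:SystemRoot 'SYSVOL'))

    # Junction points are reparse points; -Attributes ReparsePoint filters on them.
    Get-ChildItem -LiteralPath $SysvolRoot -Recurse -Directory -Attributes ReparsePoint -ErrorAction Stop |
        ForEach-Object {
            # PowerShell 7 exposes the link target as LinkTarget, Windows PowerShell 5.1 as Target
            # (an array); strip the kernel-style "\??\" prefix some junctions carry.
            $target = if ($_.PSObject.Properties['LinkTarget'] -and $_.LinkTarget) { $_.LinkTarget }
                      else { @($_.Target)[0] }
            [pscustomobject]@{
                Junction = $_.FullName
                Target   = ([string]$target) -replace '^\\\?\?\\', ''
            }
        }
}

function Test-SysvolJunctions {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [string]$SysvolRoot = (Join-Path $env:SystemRoot 'SYSVOL')
    )

    # Expected mapping from the folder tree above: the folder named after the domain under
    # "sysvol" is a junction to SYSVOL\domain, and the one under "Staging Areas" is a junction
    # to SYSVOL\staging\domain.
    $expected = @{}
    $expected[(Join-Path $SysvolRoot "sysvol\$DomainName")]        = Join-Path $SysvolRoot 'domain'
    $expected[(Join-Path $SysvolRoot "staging areas\$DomainName")] = Join-Path $SysvolRoot 'staging\domain'

    $actual = @{}
    foreach ($j in Get-SysvolJunctions -SysvolRoot $SysvolRoot) {
        $actual[$j.Junction.ToLowerInvariant()] = $j.Target
    }

    foreach ($junction in $expected.Keys) {
        $key = $junction.ToLowerInvariant()
        $status = if (-not $actual.ContainsKey($key)) { 'MissingJunction' }
                  elseif ($actual[$key] -ne $expected[$junction]) { 'WrongTarget' }
                  elseif (-not (Test-Path -LiteralPath $expected[$junction])) { 'TargetMissing' }
                  else { 'OK' }
        [pscustomobject]@{
            Junction = $junction
            Expected = $expected[$junction]
            Actual   = $actual[$key]
            Status   = $status
        }
    }
}

# Show every junction under SYSVOL, then the pass/fail view for the domain junctions.
Get-SysvolJunctions | Format-Table -AutoSize
Test-SysvolJunctions -DomainName 'contoso.com' | Format-Table -AutoSize
```

A junction reported as WrongTarget or TargetMissing is worth investigating before touching FRS, since the SYSVOL share is served through these links.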

Staging Folder

Whenever you change the GPO settings, the corresponding policy folder in SYSVOL gets updated,
and this change needs to be replicated to the other replication members (domain controllers). How does this
happen? The staging folder acts like a queue for changed files and folders to be replicated to
downstream partners.

FRS creates a file in the staging folder by using the backup application programming interfaces (APIs),
based on the change, and replicates it to the downstream partners. Downstream partners use the restore
APIs to reconstruct the staging files in the preinstall folder; the full file gets copied from the staging folder to
the preinstall folder.

Preinstall folder

The preinstall folder is nothing but the DO_NOT_REMOVE_NtFrs_PreInstall_Directory folder, located
under the replica root (Domain folder). Files and folders are replicated into it from the upstream partner's
staging folder. After a file or folder is completely replicated, it is renamed to its target location in the
replica tree, so that partially constructed files are never visible in the replica tree.

Pre-existing folder

The pre-existing folder, named NtFrs_PreExisting___See EventLog, is an optional folder that is
located under the replica root (Domain folder). It may not be present by default like the other folders. If the
pre-existing folder is present on a replica member, it is mostly for one of the reasons below:

Active Directory restore

SYSVOL non-authoritative restore (also called D2)

The server was pre-staged before it was added to the replica set

Mostly, FRS moves the existing data in the replica tree to the pre-existing folder, then receives the
updated replica tree from one of the upstream partners and deletes the files inside the pre-existing
folder after the successful completion of replication.

Policies Folder

The Policies folder contains a folder for each policy. When you create a new Group Policy, a
Group Policy Template (GPT) folder is created on the SYSVOL share under Policies; it contains the Group Policy settings
related to that policy, and the GPT folder name is the Globally Unique Identifier (GUID) of the GPO that
you created.

Scripts Folder

The Scripts folder contains all the logon/logoff scripts used by the various policies.

Why we can't edit/view Windows 2008, Vista and Windows 7 GPO settings from Windows 2003
By mail2spi2014 | April 1, 2011

Unable to edit/view Group Policy settings from Windows 2003

If you have a mixed environment like Windows XP, Windows Vista and Windows 7, then some of the
Group Policy changes need to be configured from Windows Server 2008, Windows Vista or Windows
7. You can't edit or see those policy settings from Windows 2003/Windows XP, because Windows Server
2008 Group Policies use ADMX templates, unlike Windows 2003, which uses ADM files.

Group Policy settings are configured through the ADM/ADMX files by the GPMC/GPOE (Group
Policy Management Console / Group Policy Object Editor). Windows Server 2003 uses the ADM file
to edit the policy, and Windows Server 2008 uses the ADMX file to edit the policy.

This does not affect the client or Group Policy processing; the only difference is that the system which is
used to edit the Group Policy requires these ADM/ADMX files. Editing Group Policies that use ADMX
templates requires that the editing tools be run only on Microsoft Vista, Server 2008 or Windows 7.
ADM templates can be edited on Windows XP or Server 2003.

More new Group Policy settings have been added in Windows Server 2008 to manage the environment
effectively; all of these new settings can be configured through Microsoft Vista, Server 2008 and
Windows 7. To know more, see the Group Policy 2008 Features article.

Group Policy 2008 Features
By mail2spi2014 | March 21, 2011

Group Policy 2008 Features: I will discuss the Group Policy changes in Windows Server 2008.
Microsoft has made some interesting changes and added new features to Group Policy in
2008. First I will list the features and then explain them one by one.

New Administrative template files (ADMX)

New Policy settings
o Power options
o Block device installation
o Improved security settings
o Internet Explorer settings management
o Assign printers based on location
o Delegate printer driver installation to users

Group Policy slow link detection

SYSVOL replication change
SYSVOL uses the DFS Replication service to replicate Group Policy object files to other domain
controllers (Windows Server 2003 uses FRS to replicate these).

I am very interested in the changes below, because I have faced several issues related to them in
Windows 2003 Group Policy:

Group Policy slow link detection
Internet Explorer settings management
Blocking device installation
SYSVOL replication change

New Administrative template files (ADMX)

In Windows Server 2003 and earlier versions, ADM files are used to store registry-based GPO settings. In
Windows Server 2008, ADMX files are used to store registry-based GPO settings; they are XML based and
make registry-based policy settings easy to manage.

The ADMX format supports multiple languages, a centralized data store and version control. A policy
created in English can be edited in another language, because the Group Policy tools
adjust the user interface according to the administrator's configured language. You can also
create a Central Store for Group Policy Administrative Templates to reduce disk space; see the
article in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=122539).

New Policy settings

Power options: Now you can configure the power options through Group Policy.

Configure power options through GPO:
Computer Configuration -> Administrative Templates -> System -> Power Management

Block device installation: In Windows 2003, to block device access such as USB and CD drives we
had to import a customized ADM file; in Windows 2008 it is built in, so now you can configure
device access through Group Policy.

Configure Block device installation through GPO:
Computer Configuration -> Administrative Templates -> System -> Device Installation

Improved security settings: IPsec and firewall settings are combined to provide enhanced security
and avoid policy duplication.

Configure security settings through GPO:
Computer Configuration -> Windows Settings -> Security Settings -> Windows Firewall with Advanced
Security

Internet Explorer settings management: We had an issue where someone edited the GPO to update
the trusted sites and we lost the entire IE configuration, because he used a different account to
change the Group Policy. It is a known concern in Windows Server 2003, because Internet Explorer
policy settings would change based on the policy settings enabled on the administrative workstation
used to view the settings.

In Windows 2008 this behavior has been changed: you can change the Internet Explorer policy
settings without affecting the policy configuration.

Configure Internet Explorer settings through GPO:
Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer
User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer

Click here to configure trusted website and ActiveX settings for IE7 or Vista and later versions
using Group Policy.

Assign printers based on location: Install the network printer based on the user's location. This is very
useful for roaming users, because if a user logs in to the network from a location other than the base location,
the GPO will install the printer for the new location.

Assign printers based on location through GPO:
Computer Configuration -> Windows Settings -> Deployed Printers
User Configuration -> Windows Settings -> Deployed Printers

Delegate printer driver installation to users: Now users can install a printer on their system
without admin access, which helps to reduce the security risk and the admin effort.

Delegate printer driver installation through GPO:
Computer Configuration -> Administrative Templates -> System -> Driver Installation

Group Policy slow link detection

This was a big problem in Windows Server 2003 because it uses ICMP ping to detect the network
bandwidth: on some VPN sites ICMP ping might be disabled in the firewall, or the MTU size might be
smaller than the required limit, and the ping itself increases network traffic. To overcome these problems
Microsoft came up with a solution called NLA (Network Location Awareness).

Network Location Awareness is a service on the client computer. It provides the necessary information about
the network, and Group Policy uses this to apply the policy settings. Most importantly it does not use ICMP ping
and is far more efficient than the earlier process in Windows 2003. Check Group Policy Processing over
Slow Links for Windows Server 2003.

SYSVOL Replication

In Windows Server 2003, FRS (File Replication Service) is used to replicate SYSVOL folder
changes. In Windows Server 2008 you can use DFS (Distributed File System) Replication to replicate
changes to the SYSVOL folder. To use this feature you need the Windows Server 2008 domain
functional level, which means all the domain controllers have to be Windows Server 2008.

If anything changes in the SYSVOL share, FRS replicates the entire file, unlike DFS Replication, which only replicates the
changed part of the file (it sounds like attribute-level Active Directory replication); it compares the source and
destination files using remote differential compression (RDC).

If you migrated from Windows 2003 to Windows Server 2008, FRS is still the default replication
service for SYSVOL replication; you have to migrate the SYSVOL share to use DFS Replication.

Compared to earlier versions, the number of Group Policy settings has increased to approximately 2,400 in
Windows Server 2008 to optimize the environment and support new features. More info is on TechNet.

Active Directory real time issues and solutions
By ganesamoorthy s | June 9, 2015

As a Windows AD Administrator I have seen many Active Directory real time issues and solutions. We
have seen questions like: Tell me about 2 real time issues which you have faced in your current
Active Directory environment; share one or two challenging issues which you have worked on and
resolved; tell me about the most challenging issues you were recently involved in.

Many of my blog readers have asked me to share a couple of real time scenarios from my past experience
to prepare for a Windows and Active Directory interview. Below is a list of articles from my previous posts;
read and understand them to face the interview confidently.

Active Directory real time issues and solutions

DNS Entry of Domain Controller is Resolving to Incorrect value

Replsummary showing unknown for largest delta on AD replication checks

Domain Controller failed test Machineaccount on DCDIAG

AD Slow Authentication and prompting for credentials again and again

How secure channel determine the Domain controller in cross-forest

Active directory Troubleshooting

Active Directory Replication failed with Target principal name is incorrect

Replication failed with The destination server is currently rejecting replication requests Error

Troubleshoot Active Directory Server Replication

Group Policy (GPO) real time issues and solutions

Issue managing IE configuration through GPO

Why we cant edit/view windows 2008, Vista and windows 7 GPO settings from windows 2003

Gpresult failed with ERROR Access Denied

Home page URL not working for IE7

GPO update failed in Slow Link VPN site with Event ID 1000 and 1054

Group Policy Processing over Slow Links

Group Policy slow link detection on windows server 2008

Other real time issues and solutions, Printer, User Profile and Account lockout

Account lockout

How to resolve the Print Spooler service crash issue (Print spooler service is not running)

How to find the domain controller that contains the lingering object

Reconfigure roaming profile folder and home folder permission for all the users

Roaming profile issues

Replsummary showing unknown for largest delta on AD replication checks

The largest delta is reported as unknown for a Source DC when running Repadmin /replsummary for
your domain and forest. Since it shows unknown, you don't see the replication delta value and you are
unable to find the affected Destination DC. I will describe how to find the Destination DC.

Also Read: Force active directory replication

Why is it reporting unknown?

Let's say a new replication connection object has been created by the KCC and it failed before
completing the first replication cycle, or it has yet to complete the first replication cycle. The replication
destination has then never replicated from the source, and Repadmin /showrep shows Last success @
(never). In that case the largest delta is reported as unknown.

How to find the affected Destination DC?

Also Read: Active Directory Replication failed with Target principal name is incorrect

It is not easy to find the Destination DC: since the connection object has not completed the first
replication cycle, it won't be available from the Repadmin /replsummary output.

You need to query each connection object in the forest to find the Destination DC:

Csvde -f c:\temp\list.csv -d "CN=Configuration,DC=Domainname,DC=com" -r "(fromServer=*)" -l fromserver

The list.csv file contains the DN of every connection object in your forest and its fromServer attribute
value.

Search list.csv for the Source DC (the fromServer attribute value); you will find
the unknown Destination DC on the same line (in the connection object DN). You may need to do many searches until
you get the correct Destination DC.

This can also be used to check the opposite side of a connection object. AD replication is two-way pull
replication, and repadmin /showrep shows the connection objects of the respective Domain Controller;
if you want to see which Domain Controllers are pulling replication from this Domain Controller, the
above method can be used.

This is easy in a very small environment with fewer than 10 Domain Controllers: you can check
this manually by running repadmin /showrep on each Domain Controller. But say you have a very
large environment with more than 100 DCs; then the manual method is not easy and the above procedure
will find this easily. I hope this helps you troubleshoot Active Directory replication issues.
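As an added example (not part of the original article), this PowerShell function does the list.csv search described above automatically: it parses the csvde output and returns the destination DCs whose connection objects pull from the given source DC. The DC and site names in the embedded sample are constructed.

```powershell
# Added example, not from the original article: parse the list.csv produced by the csvde
# command above and return the destination DCs that pull from a given source DC.
# Assumptions: the CSV has the two columns csvde writes for "-l fromserver" (DN and fromServer);
# the DC and site names in the sample below are constructed placeholders.

function Get-ReplicationDestinations {
    param(
        [Parameter(Mandatory)][string]$CsvPath,   # file written by csvde -f
        [Parameter(Mandatory)][string]$SourceDC   # server name as it appears in the DN, e.g. DC01
    )
    # In both the connection object DN and its fromServer value, the server name is the RDN
    # between "CN=NTDS Settings" and "CN=Servers", followed by the site name.
    $serverPattern = 'CN=NTDS Settings,CN=([^,]+),CN=Servers,CN=([^,]+),CN=Sites'

    Import-Csv -LiteralPath $CsvPath | ForEach-Object {
        $dest = [regex]::Match($_.DN, $serverPattern)
        $src  = [regex]::Match($_.fromServer, $serverPattern)
        if ($dest.Success -and $src.Success -and $src.Groups[1].Value -eq $SourceDC) {
            [pscustomobject]@{
                SourceDC        = $src.Groups[1].Value
                SourceSite      = $src.Groups[2].Value
                DestinationDC   = $dest.Groups[1].Value
                DestinationSite = $dest.Groups[2].Value
                ConnectionDN    = $_.DN
            }
        }
    }
}

# Constructed sample in the csvde output format (three connection objects, two of which
# pull from DC01); replace the path with c:\temp\list.csv from the command above.
$sampleCsv = @'
DN,fromServer
"CN=6f1a2b3c-0000-4000-8000-000000000001,CN=NTDS Settings,CN=DC02,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=contoso,DC=com","CN=NTDS Settings,CN=DC01,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=contoso,DC=com"
"CN=6f1a2b3c-0000-4000-8000-000000000002,CN=NTDS Settings,CN=DC03,CN=Servers,CN=Branch,CN=Sites,CN=Configuration,DC=contoso,DC=com","CN=NTDS Settings,CN=DC01,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=contoso,DC=com"
"CN=6f1a2b3c-0000-4000-8000-000000000003,CN=NTDS Settings,CN=DC01,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=contoso,DC=com","CN=NTDS Settings,CN=DC02,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=contoso,DC=com"
'@
$csvPath = Join-Path $env:TEMP 'list-sample.csv'
Set-Content -LiteralPath $csvPath -Value $sampleCsv

# Expected: DC02 (site HQ) and DC03 (site Branch) are the destinations pulling from DC01.
Get-ReplicationDestinations -CsvPath $csvPath -SourceDC 'DC01' |
    Format-Table SourceDC, DestinationDC, DestinationSite -AutoSize
```

Running it against the real list.csv replaces the repeated manual searches with one call per source DC, and the ConnectionDN column identifies the exact connection object to look at.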

Also Read: Replication failed with The destination server is currently rejecting replication requests
Error
Active Directory Replication failed with Target principal name is incorrect

If you have an issue with the computer account of a domain controller, then you may receive the "target
principal name is incorrect" or "access denied" error during replication.

To check the computer account, run the command below from the affected domain controller where you
receive the error:

net view \\DC Name

or

net use \\DC Name

If you receive an access denied error, then it is confirmed as a computer account issue. To resolve this issue, you
have to reset the computer account, which resets the secure channel between these domain controllers
and the PDC.

Run the command below to reset the computer account password.

Before running this command, disable the Kerberos Key Distribution Center (KDC) service.

This command should be run on the domain controller whose password you are going to
reset; server_name should be the PDC or the replication partner:

netdom resetpwd /server:server_name /userd:domain_name\administrator /passwordd:administrator_password

More info: http://support.microsoft.com/kb/288167


Replication failed with The destination server is currently rejecting replication requests Error

You may also receive the error "The source server is currently rejecting replication requests. This operation will
not continue" in Windows Server 2008/2003, and Active Directory replication stops working. Most
likely inbound and outbound replication have been disabled on the domain controller.

Use the repadmin command below to check the inbound and outbound replication option status:

repadmin /options DC_Name

If you see output like the line below, then inbound and outbound replication have been
disabled:

Current DC Options: IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL

If they are disabled, run the commands below to enable inbound and outbound replication again:

repadmin /options DC_Name -disable_inbound_repl

repadmin /options DC_Name -disable_outbound_repl

If replication is disabled again automatically after some time (15 min), then it is an issue with lingering
objects; check the event viewer for Event ID 1988.

If your environment is configured with Strict Replication Consistency, then inbound replication of the
directory partition that contains the lingering object is blocked on the destination domain controller.

You have to remove the lingering objects to resolve this issue.
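Added example, not from the original article: PowerShell that reads the Current DC Options line from repadmin /options, reports which replication directions are disabled, and queries the Directory Service log for Event ID 1988 on that DC. It assumes repadmin.exe is available; the sample line is constructed.

```powershell
# Added example, not from the original article: read the "Current DC Options" line that
# repadmin /options prints, report whether inbound/outbound replication is disabled, and look
# for Event ID 1988 (lingering objects) in the Directory Service log on that DC.
# Assumptions: repadmin.exe is on the path; the sample text below is constructed.

function ConvertFrom-RepadminOptions {
    param(
        [Parameter(Mandatory)][string]$Text,   # full output of "repadmin /options <DC>"
        [string]$DCName = 'unknown'
    )
    $line = ($Text -split "`r?`n") | Where-Object { $_ -match '^\s*Current DC Options:' } | Select-Object -First 1
    if (-not $line) { throw "No 'Current DC Options' line found in repadmin output for $DCName" }
    $null  = $line -match 'Current DC Options:\s*(.*)$'
    $flags = @($Matches[1] -split '\s+' | Where-Object { $_ })

    [pscustomobject]@{
        DC               = $DCName
        Flags            = $flags
        InboundDisabled  = $flags -contains 'DISABLE_INBOUND_REPL'
        OutboundDisabled = $flags -contains 'DISABLE_OUTBOUND_REPL'
    }
}

function Get-ReplicationOptionState {
    param([Parameter(Mandatory)][string]$DCName)
    $output = & repadmin /options $DCName 2>&1
    ConvertFrom-RepadminOptions -Text ($output -join "`n") -DCName $DCName
}

function Get-LingeringObjectEvents {
    param([Parameter(Mandatory)][string]$DCName, [int]$Days = 1)
    # Event ID 1988 is what the article says to check for when replication gets disabled again
    # by itself: strict replication consistency blocked inbound replication of a lingering object.
    Get-WinEvent -ComputerName $DCName -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 1988
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

# Constructed sample of the line the article quotes; both options are set here.
$sample = "Current DC Options: IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL"
$state  = ConvertFrom-RepadminOptions -Text $sample -DCName 'DC01'
$state | Format-List

# The "-" prefix clears an option (the commands from the article); "+" would set it.
if ($state.InboundDisabled)  { Write-Host "Inbound replication disabled on $($state.DC); clear it with: repadmin /options $($state.DC) -disable_inbound_repl" }
if ($state.OutboundDisabled) { Write-Host "Outbound replication disabled on $($state.DC); clear it with: repadmin /options $($state.DC) -disable_outbound_repl" }

# Against a live DC (replace DC01 with your domain controller):
# Get-ReplicationOptionState -DCName 'DC01'
# Get-LingeringObjectEvents  -DCName 'DC01' -Days 7 | Format-List
```

If the options come back after you clear them and Get-LingeringObjectEvents returns 1988 events, the lingering object cleanup described above is the actual fix rather than re-enabling replication again.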


Also check Troubleshoot Active Directory Server Replication for other AD replication issues.

Sync the Active Directory replication between two domain controllers in low bandwidth sites

Normally replication fails if there is not enough bandwidth to complete the scheduled replication.
You can use the command below to sync the Active Directory replication between two domain
controllers in low bandwidth sites.

Syntax:
repadmin /replicate destination_dsa source_dsa Naming Context /async

Example:
repadmin /replicate server2.test.com server1.test.com dc=test,dc=com /async

Destination server name: server2.test.com
Source server name: server1.test.com
Naming context: dc=test,dc=com (Domain partition)

The /async switch specifies that the replication will be asynchronous.

This means that Repadmin starts the replication, but it does not expect an immediate response from
the destination domain controller. Use this parameter when there are slow links between domain
controllers.

Run this command and check for the replication event in the Directory Service event log. If you get an RPC
error, run the command again; follow this procedure until the replication
completes.

Note: This will help only in some scenarios; if you have very low bandwidth sites then this will not
help, and you have to resolve the network issue or upgrade the network bandwidth in order to
complete the Active Directory replication.

Force active directory replication

Use the same command without /async to force Active Directory replication (sync Active Directory
replication between two domain controllers) where the bandwidth is normal.

Sync replication with all of its replication partners

Force the Active Directory replication with all replication partners

In some scenarios you want to force Active Directory replication with all replication partners. Let's
say you have 10 connection objects, corresponding to each of the replication partners, and you want
to force the replication on all the connection objects of server1.test.com; you can use the command
below.

Syntax:
repadmin /replicate destination_dsa Naming Context /allsources

Example:
repadmin /replicate server1.test.com dc=test,dc=com /allsources

Destination server name: server2.test.com
Naming context: dc=test,dc=com (Domain partition)

Sync the Active Directory replication between two domain controllers

Force the Active Directory replication between two domain controllers

If you want to override the replication schedule, or don't want to wait for the normal replication
schedule, and need to initiate replication immediately from server1.test.com to server2.test.com, you
can use the commands below.
Syntax:

repadmin /replicate destination_dsa source_dsa Naming Context

Example:

repadmin /replicate server2.test.com server1.test.com dc=test,dc=com

Destination server name: server2.test.com
Source server name: server1.test.com
Naming context: dc=test,dc=com (Domain partition)

Note: you need a connection object between the source and destination domain controllers in
order for this command to complete.

In this example we are not forcing the Active Directory replication; we only sync the Active Directory
replication between two domain controllers, that is, initiate the Active Directory replication between two
domain controllers.

If you want to force the Active Directory replication, you have to use the /force switch.

Syntax:
repadmin /replicate destination_dsa source_dsa Naming Context /force

Example:
repadmin /replicate server2.test.com server1.test.com dc=test,dc=com /force

If you use the /force switch, it overrides the Disable Replication option on a directory server.

Note: Do not use this parameter unless you are certain that replication has been disabled, and that
you want to override this setting.

How to check Active Directory replication for multiple Domain Controllers

To check the Active Directory replication for multiple Domain Controllers

Normally the repadmin /showreps command is used to get the replication status of a particular
Domain Controller. Say I want to check the Active Directory replication for multiple Domain
Controllers; you can use the command below:

for /f %a in (list.txt) do repadmin /replsummary %a

Note: You should run this command from the folder where the input file (list.txt) is located,
and this command will check all the servers in the input file (list.txt).

If you want to check the Active Directory replication for all the DCs in a site, you can use the
command below:

repadmin /replsummary site:Site_Name

If you want to check the replication with a wildcard character, for server names that start with MG, you
can use the command below:

repadmin /replsummary mg*

Active Directory Health Check

How to perform an Active Directory health check: As an administrator you have to check your Active
Directory health daily to reduce Active Directory related issues. If you are not monitoring the health
of your Active Directory, what will happen?

Let's say one of the Domain Controllers fails to replicate. On the first day you will not have any issue. If this
continues, you will have login issues and you will not see the object changes and new objects
that were created and changed on other Domain Controllers, and this will lead to other issues.

If a Domain Controller has not replicated for more than 60 days, it will lead to a lingering object issue.

Command to check the replication to all the DCs (through this we can check the Active Directory
health):

Repadmin /replsum /bysrc /bydest /sort:delta

You can also save the command output to a text file, by using the command below:

Repadmin /replsum /bysrc /bydest /sort:delta >>c:\replication_report.txt

This will list the domain controllers that are failing to replicate, with the delta value.
You can run this daily to check your Active Directory health.
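Added example, not from the original article: PowerShell that parses the repadmin /replsum output above and flags the DCs a daily health check should look at (failures, an unknown delta, or more than 60 days without replicating). The sample output embedded below is constructed to match the column layout repadmin prints.

```powershell
# Added example, not from the original article: parse the output of
# "repadmin /replsum /bysrc /bydest /sort:delta" and list the DCs that the daily health check
# should flag: any failures, an unknown delta, or a delta at or beyond the 60 days mentioned above.
# Assumption: the column layout in the constructed sample matches what repadmin prints.

function ConvertFrom-ReplSummary {
    param([Parameter(Mandatory)][string]$Text)
    $section = $null
    # DC name, largest delta, fails / total, percent, optional "(code) message"
    $rowPattern = '^\s*(\S+)\s+(\S.*?)\s+(\d+)\s*/\s*(\d+)\s+(\d+)\s*(.*)$'
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*Source DSA')      { $section = 'Source';      continue }
        if ($line -match '^\s*Destination DSA') { $section = 'Destination'; continue }
        if ($section -and $line -match $rowPattern) {
            [pscustomobject]@{
                Role         = $section
                DC           = $Matches[1]
                LargestDelta = $Matches[2]
                Fails        = [int]$Matches[3]
                Total        = [int]$Matches[4]
                Percent      = [int]$Matches[5]
                Error        = $Matches[6].Trim()
            }
        }
    }
}

function Get-ReplicationHealthIssues {
    param([Parameter(Mandatory)][string]$Text, [int]$StaleDays = 60)
    ConvertFrom-ReplSummary -Text $Text | Where-Object {
        $delta = $_.LargestDelta
        $_.Fails -gt 0 -or
        $delta -eq 'unknown' -or
        $delta -match '^>\s*\d+\s*days' -or
        ($delta -match '^(\d+)d\.' -and [int]$Matches[1] -ge $StaleDays)
    }
}

function Invoke-ReplicationHealthCheck {
    param([string]$ReportPath = 'c:\replication_report.txt')
    # Same command as above; the raw output is appended to the report like the ">>" redirect.
    $text = (& repadmin /replsum /bysrc /bydest /sort:delta 2>&1) -join "`n"
    Add-Content -LiteralPath $ReportPath -Value $text
    Get-ReplicationHealthIssues -Text $text
}

# Constructed sample output: DC02 has been failing for more than 60 days (lingering-object
# territory) and DC03 has never completed a cycle, so its delta shows as unknown.
$sample = @'
Replication Summary Start Time: 2011-04-26 09:00:00

Source DSA          largest delta    fails/total %%   error
 DC01                      14m:02s    0 /   5    0
 DC02                    >60 days    5 /   5  100  (1722) The RPC server is unavailable.
 DC03                     unknown    0 /   0    0

Destination DSA     largest delta    fails/total %%   error
 DC01                    >60 days    5 /  10   50  (1722) The RPC server is unavailable.
 DC02                      14m:02s    0 /   5    0
'@

# Expected: the Source rows for DC02 and DC03 and the Destination row for DC01 are flagged.
Get-ReplicationHealthIssues -Text $sample |
    Format-Table Role, DC, LargestDelta, Fails, Total, Error -AutoSize
```

Scheduling Invoke-ReplicationHealthCheck daily gives you both the raw report file the article recommends and a short list of DCs that need attention.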
Force sysvol replication

You can restart the FRS service to force FRS replication in Active Directory.

To restart the FRS service, launch services.msc from the Run option on the Start Menu
and restart the FRS service. You will get Event ID 13516 in the FRS event log, which confirms that
the FRS status is fine.

Learn more on Force FRS/SYSVOL Replication on Windows Server 2008 and 2012

How do I force Sysvol replication in Active Directory

Forcing Sysvol replication through NTFRSUTL

If you want to force SYSVOL replication between two domain controllers in Active Directory, then use
the procedure below.

NTFRSUTL FORCEREPL Command-Line Option to Force Replication

You can use the ntfrsutl forcerepl command to enforce replication regardless of the predefined
replication schedule. This is only implemented for the domain controller Sysvol replica set.

ntfrsutl forcerepl [Computer] /r [SetName] /p [DnsName]

This command forces FRS to start a replication cycle. You must specify the Computer, SetName and
DnsName.

Note: In this command, the following placeholders are used:

[Computer] = Connect with the NtFrs service on this machine.
[SetName] = The name of the replica set.
[DnsName] = The DNS name of the inbound partner to force replication from.

For example:

ntfrsutl.exe forcerepl DestinationDC /r "Domain System Volume (SYSVOL share)" /p SourceDC.domain.com

The quotation marks in this example are required when you use the /r option. If the quotation marks
are not present, the command will not work.

Force SYSVOL replication on Windows 2008/Windows 2012

Understand more about SYSVOL folder structure

General SYSVOL troubleshooting

How SYSVOL replication works

Force FRS Replication on windows server 2008 and 2012

Force active directory replication (Force AD replication)

How do I synchronize/force AD replication between two domain controllers in a domain? Normal AD
replication is scheduled; however, sometimes we need to synchronize manually.

There are many ways to do this; we will see them one by one.

Force active directory replication / Force AD replication through the
Microsoft Management Console (MMC), or forcing replication through the
Active Directory Sites and Services snap-in

1. Go to Start > Programs > Administrative Tools > and open the Active Directory Sites and
Services MMC.
2. Expand the Sites container in the left pane by clicking the plus (+) to the left of it.
3. Expand the container that represents the name of the site containing the server that needs to be
synchronized.
4. Expand the Servers container and then expand the target server to display the NTDS Settings
object.
5. Click the NTDS Settings option. The right pane should now show a list of the target server's
replication partners.
6. Right-click a connection object in the right pane and click Replicate Now.
Force active directory replication through the Replmon tool

1. Go to Start > Run > type replmon > this will open the Replmon console
2. Click on > Edit and select > Add Monitored Server
3. Select > Add the server explicitly by name > Next
4. Enter the server name that needs to be synchronized > Finish
5. Expand the partition that needs to be synchronized (e.g. the Domain partition)
6. Select the connection object that needs to be synchronized
7. Right-click the connection object and click Synchronize with this replication partner
8. Wait for the replication
9. You will get a status message once the replication is completed
10. If there is any error during replication, you will get a meaningful error message
Force active directory replication through the Repadmin command

Open the command prompt (CMD)

Syntax:
repadmin /replicate destination_dsa source_dsa Naming Context

Example:
repadmin /replicate server2.Domain.com server1.Domain.com dc=Domain,dc=com

Destination server name: server2.Domain.com
Source server name: server1.Domain.com
Naming context: dc=Domain,dc=com (Domain partition)

Additional switches

/force
This parameter is used to override the Disable Replication option on a directory server. Do not use
this parameter unless you are certain that replication has been disabled, and that you want to
override this setting.

/async
Specifies that the operation will be asynchronous. This means that repadmin starts the replication
event, but it does not expect an immediate response from the destination directory server. Use this
parameter when there are slow links between directory servers.

/full
Forces a full replication of all objects from the destination directory server.

/allsources
A given destination can have multiple sources for the same naming context. Directs the destination
to sync with all sources instead of just one. This parameter cannot be used with source_dsa.

Force replication with all of its replication partners

I would strongly recommend using the Replmon tool or the repadmin command to force Active
Directory replication, since you will get a meaningful error message and a status message
once the replication is completed.

ACTIVE DIRECTORY TROUBLESHOOTING

Windows Server 2012 Active Directory Trust Relationship Problem
By ganesamoorthy s | June 16, 2016

You may get the error message "The security database on the server does not have a computer
account for this workstation trust relationship", or it shows "Login ID or password incorrect", at
logon on Windows Server 2012 R2. The most recommended solution is to re-join the server to the Active
Directory domain or rebuild the server to fix the issue. Before doing a re-join/rebuild, just make sure all
the configuration, like the SPN (ServicePrincipalName) and UPN (UserPrincipalName), is correctly
configured. I will discuss this in detail with steps.

Also Read: How to troubleshoot workstation Trust relationship issues on Domain

You will get an error like the one below at domain login
How to check UserPrincipalName and DNSHostName

Go to Run
Type ADSIEDIT.msc
Browse to the computer object
Click Properties
Check the UserPrincipalName and DNSHostName values
UserPrincipalName should be computername@domainname (computer1@windowstricks.in)
DNSHostName should be computername.domainname (computer1.windowstricks.in)
Correct the value if required

Also Read: Domain Account unable to log-in with cached credentials on Windows 10

How to check the ServicePrincipalName

Open CMD
Type the command setspn -l computername (setspn -l computer1)
You should get the result below
HOST/computer1
HOST/computer1.windowstricks.in
Correct the value if required
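As an added example (not code from the original article), the script below checks the three attributes the two procedures above inspect by hand in ADSI Edit and setspn, and reports anything that does not match the expected form. It assumes the ActiveDirectory PowerShell module; the computer name is a placeholder.

```powershell
# Added example (not from the original article): check dNSHostName, userPrincipalName and the
# two HOST SPNs of a computer object against the values the article expects.
# Assumes the ActiveDirectory module; 'computer1' is a placeholder.
Import-Module ActiveDirectory

function Test-ComputerNameAttributes {
    param([Parameter(Mandatory)][string]$ComputerName)

    $domain = (Get-ADDomain).DNSRoot
    $c = Get-ADComputer -Identity $ComputerName -Properties dNSHostName, userPrincipalName, servicePrincipalName

    $expectedFqdn = "$($c.Name).$domain".ToLower()
    $expectedUpn  = "$($c.Name)@$domain".ToLower()
    $findings = @()

    # [string]$null is "" so a missing value is reported rather than throwing
    if (([string]$c.dNSHostName).ToLower() -ne $expectedFqdn) {
        $findings += "dNSHostName is '$($c.dNSHostName)', expected '$expectedFqdn'"
    }
    if (([string]$c.userPrincipalName).ToLower() -ne $expectedUpn) {
        $findings += "userPrincipalName is '$($c.userPrincipalName)', expected '$expectedUpn'"
    }

    # The two HOST SPNs the article expects in the output of "setspn -l computername"
    $spns = @($c.servicePrincipalName | ForEach-Object { $_.ToLower() })
    foreach ($required in @("host/$($c.Name.ToLower())", "host/$expectedFqdn")) {
        if ($spns -notcontains $required) { $findings += "missing SPN $required" }
    }

    [pscustomobject]@{
        Computer = $c.Name
        Healthy  = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Usage (placeholder computer name):
# Test-ComputerNameAttributes -ComputerName 'computer1'
```

Run it against the affected server before re-joining: if Findings is empty, the naming attributes are not the cause and the time-sync and NETBIOS checks further down are the next thing to look at.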

Also Read: Shortcut Keys for Windows server 2012 and 2012 R2

If the affected servers are on VMs

Check the time and any time-sync issue on the affected servers. If the servers are hosted on VMs,
disable time sync in VMware so that all clients sync their time from the domain PDC; check my
previous article Can my Hyper-V server be a Windows Time Server?
Also Read: Differences between Windows Server 2012 R2 Hyper-V and Hyper-V Server 2012 R2

Also try this

The issue may be with the NETBIOS name of the domain: try to rejoin the affected server to the
domain using the NETBIOS name (domain) instead of the domain FQDN (domain.com)

If none of the above resolves the issue, re-join the affected server to the domain, and if that does
not help either, rebuild the server

Also Read: Active Directory Features in Windows Server 2012

Account lockout caller computer name blank, CISCO, workstation and domain controller
By ganesamoorthy s | June 10, 2016

I have worked on many complicated account lockout issues where the lockout event shows the wrong
source machine: the caller computer name is empty, or is "workstation" or "Cisco", and sometimes
it shows the domain controller name itself; sometimes the workstation name in the lockout event
does not even exist in AD. In my earlier article (Account Lockout) I explained how to find the source
of a lockout without any tools; in this post I will explain in detail how to find the exact offending
system

Also Read: Active directory user attributes auditing using object Meta

Since we are using multiple applications with single sign-on (SSO) and have a multi-forest,
multi-domain environment, which complicates a simple lockout issue, no worries! Almost the same
solution fixes all of the issues above

If the system causing the lockout is not within Active Directory you will see issues like this, with
applications such as a proxy server, a messaging application like Exchange Server, a Java
application, or a UNIX system that is not directly connected to Active Directory Domain Services

Also Read: Lastlogon and Lastlogontimestamp attribute value in CSVDE output


Enable netlogon logging for account lockout on the source DC

First enable netlogon logging on the source DC and review the log at the lockout time; you will find
the lockout system/server details with its IP address

Open CMD with admin privilege (Command Prompt)

Run the command below
Nltest /DBFlag:2080FFFF
And run the commands below to restart the netlogon service
net stop netlogon
net start netlogon

Wait for the next lockout and open %windir%\debug\netlogon.log to review the log

Also Read: How to extract bulk object from AD with list of attributes (Part 1)

Further analysis to trace the lockout system

Sometimes even the netlogon log points to a different DC/server; in that case you have to enable
netlogon logging on that DC/server as well to find the source of the lockout

From my experience, a sample account lockout scenario:

Child domain DC shows the root domain DC
Root domain DC shows the trusted domain DC
Trusted domain DC shows a different DC from the same domain
Again this DC shows the Exchange server
Exchange server shows the handheld device IP

All you have to do is trace the lockout system by enabling netlogon logging at each hop until you
reach the actual lockout system
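The following is an added example (not code from the original article) covering both the netlogon-logging section and the hop-by-hop trace above: it parses netlogon.log for the failed logons of one account and prints where each request came from ("from X") and which server forwarded it ("via Y"), so the next DC or server to enable logging on is read straight off the output. The log lines embedded in it are constructed samples in the netlogon.log layout, not a real log; the account and host names are placeholders.

```powershell
# Added example (not from the original article): parse netlogon.log for the failed logons of one
# account and show the "from X (via Y)" chain the article describes. The sample lines below are
# constructed; on a DC read %windir%\debug\netlogon.log instead.

# NT status codes netlogon writes after "Returns" (well-known values)
$statusText = @{
    '0xC000006A' = 'wrong password'
    '0xC0000234' = 'account locked out'
    '0xC000006D' = 'logon failure'
    '0xC0000064' = 'no such user'
    '0xC0000072' = 'account disabled'
}

function Get-NetlogonFailure {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [Parameter(Mandatory)][string]$Account     # e.g. CONTOSO\jdoe
    )
    # "from" may be empty: that is the blank caller computer name case from the article
    $pattern = 'SamLogon: .*?logon of (?<acct>\S+) from (?<from>\S*)(?: \(via (?<via>[^)]+)\))? Returns (?<status>0x[0-9A-Fa-f]{8})'
    foreach ($line in $Lines) {
        if ($line -notmatch $pattern) { continue }          # "Entered" lines carry no status
        if ($Matches['acct'] -ne $Account) { continue }
        $status = $Matches['status'].ToUpper() -replace '^0X', '0x'
        if ($status -eq '0xC0000000') { continue }           # success, not interesting here
        $from = if ($Matches['from']) { $Matches['from'] } else { '<blank>' }
        $meaning = if ($statusText.ContainsKey($status)) { $statusText[$status] } else { 'other' }
        [pscustomobject]@{
            Time    = $line.Substring(0, 14)                 # "MM/DD HH:MM:SS"
            Account = $Matches['acct']
            From    = $from
            Via     = $Matches['via']                        # $null when the logon was not forwarded
            Status  = $status
            Meaning = $meaning
        }
    }
}

# Constructed sample lines (not a real log); the third shows a blank caller name
$sample = @(
    '06/10 09:14:02 [LOGON] [1324] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKS-17 (via EXCH01) Entered',
    '06/10 09:14:02 [LOGON] [1324] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKS-17 (via EXCH01) Returns 0xC000006A',
    '06/10 09:14:09 [LOGON] [1324] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from  Returns 0xC000006A',
    '06/10 09:14:15 [LOGON] [1324] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKS-17 (via EXCH01) Returns 0xC0000234'
)

Get-NetlogonFailure -Lines $sample -Account 'CONTOSO\jdoe' | Format-Table -AutoSize

# Against the real log on a DC:
# Get-NetlogonFailure -Lines (Get-Content "$env:windir\debug\netlogon.log") -Account 'CONTOSO\jdoe'
```

When Via names another server (EXCH01 in the sample), that server is where netlogon logging has to be enabled next; when From is blank, the Via server is the only lead and its own log will show the real client.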

Also Read: Windows Server Administrator Interview Questions and Answers

How to find Computers with Trust relationship issues on your Domain
By ganesamoorthy s | April 17, 2016

One of my readers is facing a problem where many PCs have trust relationship issues, but he doesn't
have a list of the PCs that have this issue. Users are able to log in to their domain accounts on
these PCs and Group Policy also seems to work on many of them

Before listing the workstations with trust relationship issues on your domain, read How to troubleshoot
workstation Trust relationship issues on Domain, my previous article. Checking a single computer
is easy: just use the net command, and a loop can be used for a list of computers

Also Read: AD Slow Authentication and prompting for credentials again and again

How to find computer account issue

You can check the trust relationship with the net command; run this from a local Domain Controller
with Domain Admin permission

net use \\computername

net view \\computername

The computer must be connected to the network for this check; you will get an "Access is denied"
error or some other error if the trust is broken

Also Read: Active Directory Replication failed with Target principal name is incorrect

Command to check this for a list of computers or all domain-joined systems

A loop can be used to check computers in bulk, like the command below (the computer name is the
first semicolon-separated field of each line in list.txt; each name is echoed before its result and
errors are captured with 2>&1 so they also land in the result file)
for /f "tokens=1 delims=;" %a in (list.txt) do @echo %a >>c:\temp\result.txt & net use \\%a >>c:\temp\result.txt 2>&1

Review the result file to find the affected computers in the network

Also Read: Active directory Troubleshooting (Part1 Diagnostics Logging)

PowerShell command to check trust relationship issues on all the computers in a domain

Import-Module ActiveDirectory

$computers = Get-ADComputer -Filter *
# Account with admin rights on the remote computers; Enter-PSSession is interactive and is not used in a script
$cred = Get-Credential

foreach ($computer in $computers)
{
    # Test-ComputerSecureChannel must run on the computer itself, so run it remotely and return the result.
    # If the secure channel is broken the remote call itself fails to authenticate, so $a stays empty
    # and the computer lands in the "wrong" list.
    $a = Invoke-Command -ComputerName $computer.DNSHostName -Credential $cred -ErrorAction SilentlyContinue -ScriptBlock { Test-ComputerSecureChannel }

    if ($a -eq $true)
    {
        Add-Content "c:\ComputerDetailsWithCorrectTrustRelationship.txt" ($computer.Name + ";" + $a)
    }
    else
    {
        Add-Content "c:\ComputerDetailsWithWrongTrustRelationship.txt" ($computer.Name + ";" + $a)
    }
}

Also Read: Active Directory real time issues and solutions

How to troubleshoot workstation Trust relationship issues on Domain
By ganesamoorthy s | April 11, 2016

How do trust relationships affect computers?

Domain-joined workstations and member servers have a trust relationship with the domain in order to
authenticate, and reset their computer account password every 30 days by default. You will get the
error below if there is any mismatch between the computer password on the workstation and the one
on the Domain Controller

Also Read: Active Directory Replication failed with Target principal name is incorrect

Also Read: AD Slow Authentication and prompting for credentials again and again

Event ID 5723: The trust relationship between this workstation and the primary domain failed.

The session setup from the computer DOMAINMEMBER failed to authenticate.

The name of the account referenced in the security database is DOMAINMEMBER$.

How to check and confirm computer account issue

You can check the trust relationship with the net command; run this from a local Domain Controller
with Domain Admin permission

net use \\computername

net view \\computername

The computer must be connected to the network for this check; you will get an "Access is denied"
error or some other error if the trust is broken

Also Read: Domain Controller failed test Machineaccount on DCDIAG

Why does this error occur? (trust relationship between this workstation and the primary domain
failed)

As I said, all computer accounts change their password every 30 days by default. While changing the
password, the computer contacts its authenticating Domain Controller (the secure channel (SC)
Domain Controller); if there is a network issue between the Domain Controller and the workstation,
the newly changed password is not updated on the DC, and that causes the issue

Also Read: Active directory Troubleshooting (Part1 Diagnostics Logging)

Solution:

Mostly this affects legacy operating systems like Windows XP/Windows Server 2003: just disjoin and
rejoin the machine to the domain to resolve the issue; you must have the required permission to
do this

Operating systems like Windows Server 2008/2012 are not affected by this issue, but the same
solution applies if you get this issue on Windows Server 2008/2012 R2
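As an added example (not code from the original article), the script below does two things related to the 30-day machine password cycle described above: it lists computer accounts whose password has not been reset within a chosen number of days, which is where a broken secure channel usually shows up first, and it shows the in-place repair of the secure channel with Test-ComputerSecureChannel -Repair, an alternative to the disjoin/rejoin the article recommends. It assumes the ActiveDirectory module; the 60-day threshold is an assumption chosen as twice the default cycle.

```powershell
# Added example (not from the original article): find computer accounts with stale machine
# passwords, and repair a broken secure channel in place. The 30-day cycle is the Windows default
# the article states; the 60-day threshold below is an assumption.
Import-Module ActiveDirectory

function Get-ComputerPasswordAge {
    # Enabled computers whose machine password is older than $MaxAgeDays, oldest first
    param([int]$MaxAgeDays = 60)
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    Get-ADComputer -Filter { Enabled -eq $true } -Properties PasswordLastSet, LastLogonDate, OperatingSystem |
        Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff } |
        Select-Object Name, OperatingSystem, PasswordLastSet, LastLogonDate,
                      @{n='PasswordAgeDays';e={ [int]((Get-Date) - $_.PasswordLastSet).TotalDays }} |
        Sort-Object PasswordLastSet
}

function Repair-WorkstationTrust {
    # Run ON the affected workstation as a local administrator. Test-ComputerSecureChannel verifies
    # the secure channel; -Repair resets the machine account password on both the workstation and
    # the DC, which is what a disjoin/rejoin achieves, without a reboot or loss of local settings.
    # $Credential must be allowed to reset the computer account password (e.g. a Domain Admin).
    param([Parameter(Mandatory)][pscredential]$Credential)
    if (Test-ComputerSecureChannel) {
        return 'secure channel is healthy; nothing to do'
    }
    if (Test-ComputerSecureChannel -Repair -Credential $Credential) {
        return 'secure channel repaired'
    }
    return 'repair failed; fall back to disjoin and rejoin'
}

# Usage:
# Get-ComputerPasswordAge -MaxAgeDays 60 | Format-Table -AutoSize
# Repair-WorkstationTrust -Credential (Get-Credential 'DOMAIN\admin')
```

A computer that still logs on (LastLogonDate recent) but whose PasswordLastSet is far older than 30 days is a good candidate for the net use check above, since its last password change may never have reached the DC.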

Also Read: Active Directory real time issues and solutions


Monitor NTLM authentication delays and issues on Windows 2008 and 2012
By ganesamoorthy s | July 26, 2015

Events to track authentication delays and issues: finally we have new event log entries that can
track NTLM authentication delays and issues in Windows Server 2008 R2. In a complex environment
with multiple forests and multiple domains there are many more NTLM authentication requests and it
is difficult to monitor and track the bottlenecks

Also Read: AD Slow Authentication and prompting for credentials again and again intermittently and
experience time-outs when you connect to Authenticated Services

Install http://support.microsoft.com/kb/2654097 to enable event log entries that track NTLM
authentication delays and failures

After installing the above hotfix, the EventLogPeriodicity and WarningEventThreshold registry entries
need to be configured as per your requirements

Event ID 5816 to Event ID 5819 are logged whenever an error or warning condition is met

Some of the issues seen at the application end for NTLM authentication delays

Web services and web proxy:

Web clients are frequently prompted for credentials
Web clients receive delayed responses from the web server.

Exchange client:

Outlook receives delayed responses from the server.
Outlook is frequently prompted for credentials

Some known causes of high authentication flow and authentication delays

There are highly transactional and heavily used application services in the environment.
There is heavy use of scripts that use NTLM authentication through the WinNT provider
Applications and services are not properly configured to use Kerberos authentication (SPN
configuration to use only Kerberos)

Bottleneck:

Mostly occurs when a high volume of NTLM authentication or Kerberos PAC validation transactions
occur on an application server, and that volume is greater than the volume that can be handled at
one time by the application server or the domain controllers that are providing authentication.

Also Read: Troubleshoot Active Directory Server Replication

Solution:

For applications and services that are using NTLM, configure them to use Kerberos authentication
only.

Default MaxConcurrentApi value:

Workstations: one thread available for use

Member servers: two threads available for use

Domain controllers: one available thread per secure channel to trusted domains

Configure MaxConcurrentApi:

Do a calculation to decide what value to set for MaxConcurrentApi in your environment to resolve the
issue; refer to https://support.microsoft.com/en-us/kb/2688798
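The following is an added example, not code from the original article or from Microsoft: it collects on one server the three things the article discusses, the MaxConcurrentApi / EventLogPeriodicity / WarningEventThreshold registry values, the Netlogon semaphore performance counters that show callers queuing on the MaxConcurrentApi limit, and the 5816-5819 events. It assumes the Netlogon\Parameters registry key and the Netlogon counter names used by Windows Server 2008 R2 and later, and that the events are written to the System log by the NETLOGON source; the 24-hour event window and the 5-sample counter read are assumptions of the example.

```powershell
# Added example (not from the original article): snapshot of NTLM pass-through authentication
# health on a DC or application server. Registry path, counter names and event IDs are the ones
# Netlogon uses on Windows Server 2008 R2 and later (assumption of this example).

function Get-NtlmAuthHealth {
    param([int]$HoursBack = 24)

    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $reg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $settings = [ordered]@{
        MaxConcurrentApi      = $reg.MaxConcurrentApi        # $null means the OS default applies
        EventLogPeriodicity   = $reg.EventLogPeriodicity     # present only after KB2654097 is configured
        WarningEventThreshold = $reg.WarningEventThreshold
    }

    # Netlogon exposes one instance per secure channel; a non-zero "Semaphore Waiters" or a
    # growing "Semaphore Timeouts" means callers are queuing on the MaxConcurrentApi limit
    $counters = '\Netlogon(*)\Semaphore Waiters',
                '\Netlogon(*)\Semaphore Holders',
                '\Netlogon(*)\Semaphore Timeouts',
                '\Netlogon(*)\Average Semaphore Hold Time'
    $samples = Get-Counter -Counter $counters -SampleInterval 1 -MaxSamples 5 -ErrorAction SilentlyContinue |
        ForEach-Object { $_.CounterSamples } |
        Group-Object Path |
        ForEach-Object { [pscustomobject]@{ Counter = $_.Name; Max = ($_.Group.CookedValue | Measure-Object -Maximum).Maximum } }

    # 5816-5819 are written to the System log by NETLOGON once the hotfix and thresholds are in place
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5816, 5817, 5818, 5819
        StartTime = (Get-Date).AddHours(-$HoursBack)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message

    $queuing = $samples | Where-Object { $_.Counter -like '*Semaphore Waiters*' -and $_.Max -gt 0 }
    $verdict = if ($queuing -or $events) {
        'NTLM bottleneck indicators present; review MaxConcurrentApi (KB2688798)'
    } else {
        'no NTLM queuing observed in this sample'
    }

    [pscustomobject]@{
        Settings = $settings
        Counters = $samples
        Events   = $events
        Verdict  = $verdict
    }
}

# Usage:
# $h = Get-NtlmAuthHealth -HoursBack 24
# $h.Settings; $h.Counters | Format-Table -AutoSize; $h.Events | Format-Table -AutoSize; $h.Verdict
```

Semaphore Holders at the MaxConcurrentApi value with Waiters above zero during the sample is the bottleneck condition the article describes; the KB referenced above explains how to size the new value from those counters rather than guessing.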

Also See: Active Directory real time issues and solutions

Replsummary showing unknown for largest delta on AD replication checks
By ganesamoorthy s | July 12, 2015

The largest delta may be reported as unknown for a source DC when running Repadmin /replsummary
for your domain and forest. Since it shows unknown you don't see the replication delta value and
can't find the affected destination DC; I will describe how to find the destination DC

Also Read: Force active directory replication

Why is it reporting unknown?

Let's say a new replication connection object has been created by the KCC and it failed before
completing the first replication cycle (or has yet to complete it), so the replication destination has
never replicated from the source and Repadmin /showrepl shows Last success @ (never). Then the
largest delta is reported as unknown

How to find the affected destination DC?

Also Read: Active Directory Replication failed with Target principal name is incorrect

It's not easy to find the destination DC: since the connection object has not completed the first
replication cycle, it won't be available in the Repadmin /replsummary output

You need to query each connection object in the forest to find the destination DC

csvde -f c:\temp\list.csv -d "CN=Configuration,DC=Domainname,DC=com" -r "(fromServer=*)" -l fromserver

The list.csv file contains the DN of every connection object in your forest and its fromServer
attribute value

Search list.csv for the source DC (the fromServer attribute value); you will find the unknown
destination DC on the same line (in the connection object DN). You may need to do many searches
until you get the correct destination DC

This can also be used to check the opposite side of a connection object: AD replication is two-way
pull replication and repadmin /showrepl shows the connection objects of the respective Domain
Controller; if you want to see which Domain Controllers are pulling replication from this Domain
Controller, the above method can be used
This is easy in a very small environment with fewer than 10 Domain Controllers, where you can check
manually by running repadmin /showrepl on each Domain Controller; in a very large environment with
more than 100 DCs the manual method is not easy and the above procedure finds this easily. I hope
this helps you troubleshoot Active Directory replication issues
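The script below is an added example (not the article's own method) that does the same lookup as the csvde export and text search, but with the ActiveDirectory module and with both ends of every connection parsed out. Every nTDSConnection object lives under the NTDS Settings of the destination DC, and its fromServer attribute is the NTDS Settings DN of the source DC, so parsing both DNs gives the complete source-to-destination map for the forest, including connections that have never completed a first cycle. It assumes the ActiveDirectory module; the DC name in the usage line is a placeholder.

```powershell
# Added example (not from the original article): map every nTDSConnection object in the forest
# to its source and destination DC. Assumes the ActiveDirectory module; 'DC1' is a placeholder.
Import-Module ActiveDirectory

function ConvertFrom-NtdsDn {
    # "CN=NTDS Settings,CN=DC1,CN=Servers,CN=Site1,CN=Sites,..." -> Server 'DC1', Site 'Site1'
    param([string]$Dn)
    if ($Dn -match 'CN=NTDS Settings,CN=(?<server>[^,]+),CN=Servers,CN=(?<site>[^,]+),') {
        return [pscustomobject]@{ Server = $Matches.server; Site = $Matches.site }
    }
    return [pscustomobject]@{ Server = $Dn; Site = '' }
}

function Get-ConnectionObjectMap {
    # One row per connection object in the forest: which DC pulls from which
    param([string]$SourceDc)   # optional: only connections whose fromServer is this DC

    $config = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase $config -LDAPFilter '(&(objectClass=nTDSConnection)(fromServer=*))' -Properties fromServer |
        ForEach-Object {
            # The connection's own DN minus its first RDN is the destination's NTDS Settings DN
            $destDn = $_.DistinguishedName -replace '^CN=[^,]+,', ''
            $src  = ConvertFrom-NtdsDn $_.fromServer
            $dest = ConvertFrom-NtdsDn $destDn
            [pscustomobject]@{
                Connection  = $_.Name
                Source      = $src.Server
                SourceSite  = $src.Site
                Destination = $dest.Server
                DestSite    = $dest.Site
            }
        } |
        Where-Object { -not $SourceDc -or $_.Source -eq $SourceDc } |
        Sort-Object Source, Destination
}

# Usage (placeholder DC name): every DC that pulls from DC1, i.e. the candidates for the
# "unknown" destination in repadmin /replsummary
# Get-ConnectionObjectMap -SourceDc 'DC1' | Format-Table -AutoSize
```

Running it without -SourceDc gives the whole forest map at once, which in a large environment replaces running repadmin /showrepl on every DC to find the opposite side of each connection.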

Also Read: Replication failed with The destination server is currently rejecting replication requests Error

Active Directory real time issues and solutions

As a Windows AD administrator I have handled many real-time Active Directory issues and solutions.
We have seen interview questions like "Tell me about 2 real-time issues which you have faced in your
current Active Directory environment", "Share one or two challenging issues which you have worked on
and resolved" and "Tell me the most challenging issue you were recently involved in"

Many of my blog readers have asked me to share a couple of real-time scenarios from my past
experience to prepare for a Windows and Active Directory interview. Here is a list of articles from
my previous posts; read and understand them to face the interview confidently

Active Directory real time issues and solutions

DNS Entry of Domain Controller is Resolving to Incorrect value

Replsummary showing unknown for largest delta on AD replication checks

Domain Controller failed test Machineaccount on DCDIAG

AD Slow Authentication and prompting for credentials again and again

How secure channel determine the Domain controller in cross-forest

Active directory Troubleshooting

Active Directory Replication failed with Target principal name is incorrect

Replication failed with The destination server is currently rejecting replication requests Error
Troubleshoot Active Directory Server Replication

Group Policy (GPO) real time issues and solutions

Issue managing IE configuration through GPO

Why we cant edit/view windows 2008, Vista and windows 7 GPO settings from windows 2003

Gpresult failed with ERROR Access Denied

Home page URL not working for IE7

GPO update failed in Slow Link VPN site with Event ID 1000 and 1054

Group Policy Processing over Slow Links

Group Policy slow link detection on windows server 2008

Other real time issues and solutions, Printer, User Profile and Account lockout

Account lockout

How to resolve the Print Spooler service crash issue (Print spooler service is not running)

How to find the domain controller that contains the lingering object

Reconfigure roaming profile folder and home folder permission for all the users

Roaming profile issues



Command to find Duplicate SPN

Find Duplicate SPN: A Service Principal Name (SPN) is a concept from Kerberos, used to find a
particular service offered by a particular host within the domain. The general syntax of an SPN is
serviceclass/fqdn@REALM. There are also User Principal Names, which identify users, in the form
user@Domain

Kerberos requires that the SPN be unique: there should be a single SPN configured for a particular
service, registered on one service account or computer object. Sometimes we get System Event 11;
see the example below

The KDC encountered duplicate names while processing a Kerberos authentication request. The
duplicate name is <insert name here>. This may result in authentication failures or downgrades to
NTLM. In order to prevent this from occurring remove the duplicate entries for <insert name here yet
again> in Active Directory.

Command to find duplicate service principal name in active directory

csvde -f C:\Temp\spn.csv -d dc=domain,dc=in -r "(ServicePrincipalName=*computer_name*)" -l cn

The above command returns all objects whose ServicePrincipalName attribute contains the server
name, in the domain.in domain

Finding a duplicate SPN in Windows 2008 is very simple: we have an updated SETSPN command which
has -X and -Q switches, and these can be used to find duplicate service principal names

setspn -X

Here are the new switches for SetSPN that ships with Windows 2008:

Modifiers:
-F = perform the duplicate checking on forestwide level
-P = do not show progress (useful for redirecting output to file)

Switches:
-R = reset HOST ServicePrincipalName
Usage: setspn -R computername
-A = add arbitrary SPN
Usage: setspn -A SPN computername
-S = add arbitrary SPN after verifying no duplicates exist
Usage: setspn -S SPN computername
-D = delete arbitrary SPN
Usage: setspn -D SPN computername
-L = list registered SPNs
Usage: setspn [-L] computername
-Q = query for existence of SPN
Usage: setspn -Q SPN
-X = search for duplicate SPNs
Usage: setspn -X

The -Q switch is really the nice feature here. It allows you to see if an SPN is already registered in
your domain. You can also combine it with the -F modifier to look through the whole forest.

C:\>setspn -q MSSQLSvc/computer_name:1433
No such SPN found.

C:\>setspn -q MSSQLSvc/computer_name.mydomain.com:1433
CN=MYMACHINE,OU=Workstations,DC=mydomain,DC=com
MSSQLSvc/mymachine.mydomain.com:1433
HOST/MYMACHINE
HOST/MYMACHINE.MYDOMAIN.COM

Existing SPN found!

For more info https://technet.microsoft.com/en-us/library/cc733945(v=ws.10).aspx
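As an added example (not code from the original article or from setspn), the function below performs the check setspn -X does, but lists the objects holding each duplicated SPN by DN so the stale registration can be identified. The parsing works on any list of objects with DistinguishedName and servicePrincipalName properties; the sample data at the bottom is constructed, the domain name is a placeholder, and the commented live query assumes the ActiveDirectory module and a Global Catalog.

```powershell
# Added example (not from the original article): find SPNs registered on more than one object,
# with the holders listed. Sample objects below are constructed; domain.in is a placeholder.
Import-Module ActiveDirectory

function Find-DuplicateSpn {
    # $Objects: anything with DistinguishedName and servicePrincipalName properties
    param([Parameter(Mandatory)][object[]]$Objects)

    $Objects |
        ForEach-Object {
            $dn = $_.DistinguishedName
            foreach ($spn in @($_.servicePrincipalName)) {
                # SPNs are matched case-insensitively by the KDC, so normalise before grouping
                [pscustomobject]@{ Spn = $spn.ToLower(); Holder = $dn }
            }
        } |
        Group-Object Spn |
        Where-Object { @($_.Group.Holder | Select-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Spn     = $_.Name
                Count   = $_.Count
                Holders = (@($_.Group.Holder | Select-Object -Unique) -join ' ; ')
            }
        }
}

# Live run across the forest via a Global Catalog (port 3268); searching from the forest root DN
# is assumed to cover every domain in the same tree:
# $gc = "{0}:3268" -f ((Get-ADForest).GlobalCatalogs | Select-Object -First 1)
# $all = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName `
#            -Server $gc -SearchBase (Get-ADRootDSE).rootDomainNamingContext -SearchScope Subtree
# Find-DuplicateSpn -Objects $all | Format-Table -AutoSize

# Constructed sample: the MSSQLSvc SPN is still registered on the old SQL service account
$sample = @(
    [pscustomobject]@{ DistinguishedName = 'CN=svc-sql-old,OU=Service,DC=domain,DC=in'
                       servicePrincipalName = @('MSSQLSvc/sql01.domain.in:1433', 'MSSQLSvc/sql01.domain.in') }
    [pscustomobject]@{ DistinguishedName = 'CN=svc-sql,OU=Service,DC=domain,DC=in'
                       servicePrincipalName = @('MSSQLSvc/SQL01.domain.in:1433') }
    [pscustomobject]@{ DistinguishedName = 'CN=SQL01,OU=Servers,DC=domain,DC=in'
                       servicePrincipalName = @('HOST/SQL01', 'HOST/sql01.domain.in') }
)
Find-DuplicateSpn -Objects $sample | Format-Table -AutoSize
# Reports one duplicate: mssqlsvc/sql01.domain.in:1433 held by svc-sql-old and svc-sql
```

Once the duplicate is identified, setspn -D removes it from the object that should not hold it, and the KDC Event 11 quoted above stops recurring.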


Office 365 DirSync Error: Unable to update this object because of missing attributes
By ganesamoorthy s | November 4, 2015

One of our readers has an issue with Office 365 syncing with their on-premises Active Directory,
getting the error below while running DirSync

Unable to update this object because the following attributes associated with this object have values
that may already be associated with another object in your local directory services

The IdFix DirSync Error Remediation Tool identifies issues with DirSync, and it appears that the
targetAddress and mailNickname attributes are causing the issue; further troubleshooting found that
the targetAddress and mailNickname attributes are missing on the on-premises AD user accounts that
are set up in Office 365
Also Read: Unable to archive older emails in Microsoft Office 365

The targetAddress and mailNickname attributes are not under the user properties in ADSI Edit either,
so the issue is with the attributes themselves, not their values

Why targetAddress and mailNickname are required for Office 365 to DirSync with AD

During co-existence, if Office 365 users need to see the Global Address List then the targetAddress
and mailNickname attributes are required along with other mandatory attributes; you need to populate
these AD attributes

Read Also: Active Directory on Cloud

Why are the targetAddress and mailNickname attributes missing?

If you cannot find these attributes then you need to prepare the AD schema for Exchange to resolve
the issue; run the command below from the Exchange 2010 media to add these attributes to the AD
schema

setup /PrepareSchema

Note: You should be a member of the Schema Admins and Enterprise Admins groups, and the server
should be 64-bit and hold the Schema Master role (don't use setup.exe to run this command, just use
setup)

Once the schema extensions have been added, we are able to use IdFix to make the changes to the
user object and sync the changes to Azure AD
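As an added example (not from the original article), the script below tells the two failure modes the article distinguishes apart: it first checks whether the attributes exist in the schema at all (the reader's case, fixed by setup /PrepareSchema) and only then lists users whose values are empty (the case IdFix fixes). It assumes the ActiveDirectory module; the attribute names are the ones the article names, and restricting the user query to accounts with a mail address is an assumption.

```powershell
# Added example (not from the original article): schema presence check for targetAddress and
# mailNickname, then the users that lack values. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-SchemaAttribute {
    # Returns one row per attribute: present in the schema or not
    param([string[]]$Attribute = @('targetAddress', 'mailNickname'))
    $schema = (Get-ADRootDSE).schemaNamingContext
    foreach ($name in $Attribute) {
        $def = Get-ADObject -SearchBase $schema -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" -Properties lDAPDisplayName
        [pscustomobject]@{ Attribute = $name; InSchema = [bool]$def }
    }
}

function Get-UserMissingDirSyncAttribute {
    # Only meaningful once Test-SchemaAttribute reports both attributes present
    param([string[]]$Attribute = @('targetAddress', 'mailNickname'))
    $missing = Test-SchemaAttribute -Attribute $Attribute | Where-Object { -not $_.InSchema }
    if ($missing) {
        throw "Not in schema: $(@($missing.Attribute) -join ', '). Run Exchange setup /PrepareSchema first."
    }
    # (!(attr=*)) is true when the attribute has no value; mail=* limits it to mailbox users (assumption)
    $clauses = ($Attribute | ForEach-Object { "(!($_=*))" }) -join ''
    Get-ADUser -LDAPFilter "(&(mail=*)(|$clauses))" -Properties (@('mail') + $Attribute) |
        Select-Object (@('SamAccountName', 'mail') + $Attribute)
}

# Usage:
# Test-SchemaAttribute
# Get-UserMissingDirSyncAttribute | Format-Table -AutoSize
```

If Test-SchemaAttribute reports InSchema False, filtering users on that attribute is pointless (the LDAP filter would reference an unknown attribute), which is why the second function refuses to run until the schema has been prepared.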

Also Read: Difference between DirSync, Azure AD Sync and Azure AD Connect

DNS Entry of Domain Controller is Resolving to Incorrect value
By ganesamoorthy s | May 24, 2015

One of the Domain Controller's DNS entries was pointing to the wrong IP address (resolving with the
wrong IP address), which affected Active Directory authentication and other services. This is a unique
issue which I have come across

The architecture is a single forest with multiple child domains; when trying to resolve one child
domain's Domain Controller from another child domain, it resolved to an incorrect value, and after
some time the DNS servers would resolve the correct IP addresses

The affected Domain Controller was configured with the correct IP and there was no issue with DNS
resolution within the same domain; the issue was seen when resolving from another child domain and
was very intermittent, sometimes resolving the correct IP and sometimes not

Root Cause:

Cross-domain DNS resolution goes through DNS zone delegation (not through a DNS forwarder or
conditional forwarder), and the wrong IP was configured on the NS record of the DNS zone delegation
for the child domain on the root domain

Domain Controllers in all child domains are configured with a DNS forwarder to the root domain, and
DNS zone delegation is configured for all child domains on the root domain, so any domain's DNS can
be resolved from all the domains

Solution:

The DNS zone delegation with a manual NS record causes the issue: if we change the Domain
Controller IP address, we need to change the NS record IP address on the DNS zone delegation to
avoid this issue

Or

Configure conditional forwarders on all DNS servers for each domain, with multiple IP addresses for
redundancy
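The following is an added example (not from the original article) that audits the delegation the article blames. For a child zone delegated from the root zone on a Windows DNS server, it compares the address the root zone holds for each delegated name server (the glue A record stored alongside the NS record) with the address that name server answers for its own name; a mismatch is exactly the stale-IP condition described above. It assumes the DnsServer module (RSAT DNS tools) and that it runs against a DNS server hosting the root zone; zone and server names are placeholders.

```powershell
# Added example (not from the original article): compare delegation glue in the root zone with
# the authoritative answer of each delegated name server. Assumes the DnsServer module;
# zone and server names are placeholders.
Import-Module DnsServer

function Test-ChildZoneDelegation {
    param(
        [Parameter(Mandatory)][string]$RootZone,     # e.g. 'domain.com'
        [Parameter(Mandatory)][string]$ChildName,    # e.g. 'child' (relative name of the delegated zone)
        [string]$DnsServer = 'localhost'             # DNS server hosting the root zone
    )
    $childFqdn = "$ChildName.$RootZone"
    # NS records of the delegation live in the PARENT zone under the child's relative name
    $ns = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $RootZone -Name $ChildName -RRType NS -ErrorAction Stop

    foreach ($rec in $ns) {
        $nsHost = $rec.RecordData.NameServer.TrimEnd('.')
        # Glue: the A record the parent zone stores for the name server, by name relative to the root zone
        $relative = $nsHost -replace "\.$([regex]::Escape($RootZone))\.?$", ''
        $glue = @(Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $RootZone -Name $relative -RRType A -ErrorAction SilentlyContinue |
            ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString })

        # Ask each glue address directly what it claims as its own A record; a stale address will
        # either not answer or answer with a different IP
        $auth = @(foreach ($ip in $glue) {
            Resolve-DnsName -Name $nsHost -Type A -Server $ip -DnsOnly -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }
        })
        $stale = @($glue | Where-Object { $auth -notcontains $_ })

        [pscustomobject]@{
            Delegation    = $childFqdn
            NameServer    = $nsHost
            GlueInRoot    = ($glue -join ',')
            Authoritative = ($auth -join ',')
            Consistent    = ($glue.Count -gt 0 -and $stale.Count -eq 0)
        }
    }
}

# Usage (placeholders):
# Test-ChildZoneDelegation -RootZone 'domain.com' -ChildName 'child' -DnsServer 'rootdc1.domain.com' | Format-Table -AutoSize
```

Consistent False for a name server is the entry to fix in the delegation (or to replace with a conditional forwarder, as the second solution suggests); the intermittent behaviour the article saw comes from resolvers rotating between the good and the stale glue entries.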

Active directory user attributes auditing


using object Meta
By ganesamoorthy s | May 12, 2015

1 Comment
On active directory auditing we want to know who, when and where the Active Directory Attributes
are changed, like who removed the group from an Active directory user account, who changed the
account description or any other Active directory object attribute changes

All Active directory object changes are stored in object Meta and can be viewed through repadmin
command, its been very useful if you want to know the last changes on any attributes in an object
(User Object, Computer Object, Group Object and any other AD Object)

To get the LDAP path/ User DN

Dsquery user name <name>

To get LDAP path for Group, Computer, OU and other object, please check Find distinguished name
(LDAP path for the object)

To List the User object Meta

Repadmin /showobjmeta <User DN>

The Repadmin /showobjmeta output lists every attribute of the object, with the attribute name on the right, the date and time of the last change in the Org.Time/Date column and the originating DC (the DC on which the change was made) in the Originating DSA column.

From the output, find the attribute name and note the originating Domain Controller for that attribute change
Log in to the originating Domain Controller
Open Event Viewer
Select the Security log
Scroll to the date and time shown in Org.Time/Date
You will now see the attribute change event, which records who made the change

Two limitations: the Security log may already have been overwritten, so the events for the required date may no longer be available, and the object metadata keeps only the last change of each attribute even if the attribute was updated many times. If a user's group membership was removed on Monday and again on Friday, only Friday's change can be found, because Friday's change overwrote the metadata. Within those limits, this is a quick way to do Active Directory auditing.
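As an added example (not code from the original article), the following Python script parses the attribute table of a constructed repadmin /showobjmeta output and, for a given attribute, reports which DC's Security log to open and at what time, flagging the last-write-only limitation described above. The sample output is constructed and its column layout is an assumption about repadmin's formatting.

```python
"""Locate where and when an AD attribute last changed from repadmin /showobjmeta output.

Added example, not code from the original article. The sample text is a constructed
imitation of repadmin's attribute-metadata table; the column layout is an assumption,
so parsing keys on the timestamp and version fields rather than on fixed offsets.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample: the attribute section of `repadmin /showobjmeta` for one user.
SAMPLE_OUTPUT = r"""
Loc.USN                           Originating DSA  Org.USN  Org.Time/Date        Ver Attribute
=======                           =============== ========= =============        === =========
   8196           Default-First-Site-Name\DC1      8196 2015-04-01 09:12:40    1 objectClass
   8196           Default-First-Site-Name\DC1      8196 2015-04-01 09:12:40    1 cn
  40211                    Chennai-Site\DC3     39870 2015-05-08 14:03:11    3 description
  41002           Default-First-Site-Name\DC1     41002 2015-05-11 08:45:02    5 userAccountControl
  41350  8f1c2b6e-1a5d-4c7e-9b2f-0d3e4f5a6b7c     41350 2015-05-11 17:20:45    2 pwdLastSet
"""

# One data row: Loc.USN, Originating DSA, Org.USN, date, time, version, attribute name.
ROW_RE = re.compile(
    r"^\s*(?P<loc_usn>\d+)\s+(?P<dsa>\S+)\s+(?P<org_usn>\d+)\s+"
    r"(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<ver>\d+)\s+(?P<attr>\S+)\s*$"
)


@dataclass
class AttributeChange:
    attribute: str
    originating_dsa: str   # "Site\DC", or a bare GUID when the originating DC no longer exists
    changed_at: datetime
    version: int

    @property
    def originating_dc(self) -> str:
        return self.originating_dsa.rsplit("\\", 1)[-1]

    @property
    def dc_is_known(self) -> bool:
        # repadmin prints a GUID instead of Site\DC once the originating DC has been removed
        return "\\" in self.originating_dsa


def parse_showobjmeta(text: str) -> List[AttributeChange]:
    """Return one AttributeChange per row of the attribute-metadata table."""
    changes = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, separator and blank lines are skipped
        changes.append(AttributeChange(
            attribute=m["attr"],
            originating_dsa=m["dsa"],
            changed_at=datetime.strptime(m["stamp"], "%Y-%m-%d %H:%M:%S"),
            version=int(m["ver"]),
        ))
    return changes


def last_change(changes: List[AttributeChange], attribute: str) -> Optional[AttributeChange]:
    """Metadata keeps only the most recent write per attribute (LDAP names are case-insensitive)."""
    for c in changes:
        if c.attribute.lower() == attribute.lower():
            return c
    return None


def audit_hint(changes: List[AttributeChange], attribute: str) -> str:
    """Tell the admin which DC's Security log to open, and at what time, for this attribute."""
    c = last_change(changes, attribute)
    if c is None:
        return f"{attribute}: never set on this object"
    where = c.originating_dc if c.dc_is_known else f"a removed DC (shown as {c.originating_dsa})"
    hint = f"{attribute}: check the Security log on {where} around {c.changed_at:%Y-%m-%d %H:%M:%S}"
    if c.version > 1:
        hint += f" (version {c.version}: {c.version - 1} earlier write(s) are not recoverable from metadata)"
    return hint
```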

Force DFS Replication/Force DFSR Members to Replicate on windows server 2008 and 2012
By karthick s | April 23, 2015


Forcing SYSVOL replication on Windows Server 2008/2012: FRS has been replaced by the DFSR replication engine for replicating the SYSVOL folder on Windows Server 2008 and Windows Server 2012, and file replication performance has been improved with many new features. Microsoft fixed most of the bottlenecks and improved command line support, content freshness, the handling of unexpected shutdowns and reporting.

Learn more about forcing FRS replication on Windows 2000/2003 in my older article.

There are many ways to replicate DFSR folders; we will start with DFS Management.

The DFS Management tool includes the ability to force replication to occur immediately by overriding the replication schedule:

Open DFS Management Tool

On console tree under the Replication node

Select the appropriate replication group

Select Connections tab

Right-click the member you want to use to replicate

And then click Replicate Now


Forcing DFSR replication through Dfsrdiag

You can also force replication with the Dfsrdiag SyncNow command.

For the SYSVOL folder on a Domain Controller, run this from one Domain Controller and specify the other Domain Controller in the /partner parameter (the replication group name contains spaces, so it must be quoted):

dfsrdiag syncnow /rgname:"Domain System Volume" /partner:dc2 /time:1 /verbose

For other folders on a DFSR server:

dfsrdiag syncnow /partner:dfsserver2 /rgname:domainname\app\folder1 /member:dfsserver1 /time:5

You can also use the Dfsrdiag PollAD command: the DFSR server checks Active Directory for configuration changes and replication then picks them up. This needs to be run from the destination DFSR server:

dfsrdiag pollad

Understand more about SYSVOL folder structure

General SYSVOL troubleshooting

How SYSVOL replication works

Force FRS Replication on windows 2000/2003

Command to find Duplicate SPN
By karthick s | April 17, 2015


Find Duplicate SPN: A Service Principal Name (SPN) is a concept from Kerberos. It identifies a particular service offered by a particular host within the domain. The general syntax of an SPN is service class/fqdn@REALM. There are also User Principal Names, which identify users, in the form user@Domain.

Kerberos requires that an SPN be unique: there should be a single SPN configured for a particular service, on the service account or on the computer object, not on both. When the same SPN is registered on two objects the KDC cannot determine which account the service ticket should be issued for, and you will see System Event 11, as in the example below:

The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is <insert name here>. This may result in authentication failures or downgrades to NTLM. In order to prevent this from occurring remove the duplicate entries for <insert name here yet again> in Active Directory.

Command to find the objects holding a given service principal name in Active Directory:

csvde -f C:\Temp\spn.csv -d dc=domain,dc=in -r "(servicePrincipalName=*computer_name*)" -l cn,servicePrincipalName

The command above exports every object in the domain.in Domain whose servicePrincipalName attribute contains the server name, together with the SPNs themselves (csvde joins multi-valued attributes with ';'), so the duplicates can be spotted in the CSV.

Finding duplicate SPNs on Windows 2008 is very simple: the updated SETSPN command has -X and -Q switches that can be used to find duplicate service principal names:

setspn -X

Here are the new switches for SetSPN that ships with Windows 2008:

Modifiers:
-F = perform the duplicate checking on forestwide level
-P = do not show progress (useful for redirecting output to file)

Switches:
-R = reset HOST ServicePrincipalName
Usage: setspn -R computername
-A = add arbitrary SPN
Usage: setspn -A SPN computername
-S = add arbitrary SPN after verifying no duplicates exist
Usage: setspn -S SPN computername
-D = delete arbitrary SPN
Usage: setspn -D SPN computername
-L = list registered SPNs
Usage: setspn [-L] computername
-Q = query for existence of SPN
Usage: setspn -Q SPN
-X = search for duplicate SPNs
Usage: setspn -X

The -Q switch is the really nice feature here: it lets you see whether an SPN already exists in your domain. You can also combine it with the -F modifier to search the whole forest.

C:\>setspn -q MSSQLSvc/computer_name:1433

No such SPN found.

C:\>setspn -q MSSQLSvc/computer_name.mydomain.com:1433
CN=MYMACHINE,OU=Workstations,DC=mydomain,DC=com
MSSQLSvc/mymachine.mydomain.com:1433
HOST/MYMACHINE
HOST/MYMACHINE.MYDOMAIN.COM

Existing SPN found!

For more info https://technet.microsoft.com/en-us/library/cc733945(v=ws.10).aspx
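As an added example (not the article's own code), the following Python script reads a constructed csvde export with cn and servicePrincipalName columns and reports every SPN registered on more than one object; it compares case-insensitively because the servicePrincipalName attribute is matched by LDAP without regard to case, so HTTP/web01 and http/WEB01 collide just like an exact duplicate.

```python
"""Find duplicate servicePrincipalName values in a csvde export.

Added example, not code from the original article. The CSV is constructed to mimic
`csvde -f spn.csv -l cn,servicePrincipalName` output, where csvde joins the values
of a multi-valued attribute with ';'.
"""
import csv
import io
from collections import defaultdict
from typing import Dict, List

# Constructed export: a classic SQL duplicate (computer and service account both hold the
# SPN), a case-only duplicate on HTTP, one clean server and one account with no SPNs.
SAMPLE_CSV = """\
DN,cn,servicePrincipalName
"CN=SQL01,OU=Servers,DC=domain,DC=in",SQL01,HOST/SQL01;HOST/sql01.domain.in;MSSQLSvc/sql01.domain.in:1433
"CN=svc_sql,OU=ServiceAccounts,DC=domain,DC=in",svc_sql,MSSQLSvc/sql01.domain.in:1433;MSSQLSvc/sql01.domain.in
"CN=WEB01,OU=Servers,DC=domain,DC=in",WEB01,HOST/WEB01;HOST/web01.domain.in;HTTP/web01.domain.in
"CN=svc_web,OU=ServiceAccounts,DC=domain,DC=in",svc_web,http/WEB01.domain.in
"CN=FS01,OU=Servers,DC=domain,DC=in",FS01,HOST/FS01;HOST/fs01.domain.in
"CN=OldAccount,OU=ServiceAccounts,DC=domain,DC=in",OldAccount,
"""


def parse_csvde_spns(text: str) -> Dict[str, List[str]]:
    """Map each object DN to its list of SPNs (empty list when the attribute is unset)."""
    result: Dict[str, List[str]] = {}
    for row in csv.DictReader(io.StringIO(text)):
        raw = row.get("servicePrincipalName") or ""
        result[row["DN"]] = [s.strip() for s in raw.split(";") if s.strip()]
    return result


def find_duplicate_spns(spns_by_dn: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return lower-cased SPN -> sorted DNs for every SPN held by more than one object."""
    owners = defaultdict(set)
    for dn, spns in spns_by_dn.items():
        for spn in spns:
            owners[spn.lower()].add(dn)   # LDAP matches this attribute case-insensitively
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}


def duplicate_report(text: str) -> List[str]:
    """One line per duplicate SPN, in the spirit of `setspn -X` output."""
    dups = find_duplicate_spns(parse_csvde_spns(text))
    return [f"{spn} is registered on {len(dns)} objects: {', '.join(dns)}"
            for spn, dns in sorted(dups.items())]
```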

How secure channel determine the Domain controller in cross-forest
By ganesamoorthy s | April 2, 2015


How does a client computer or member server find the logon Domain Controller in a cross-forest Active Directory environment, or how does the secure channel determine the Domain Controller in a cross-forest?

If you have worked on troubleshooting authentication issues between forests, you have probably used the NLTEST tool to check the secure channel Domain Controller. Did you ever try to find out how a Domain Controller in one forest selects the Domain Controller in the other forest?

For a local member server, the secure channel to a Domain Controller is determined by the site-link and the corresponding DNS SRV record. In the same way, the Domain Controller to trusted Domain secure channel is determined by the site-link and the corresponding DNS SRV record, provided you have enabled site synchronization.

Site synchronization

To locate the closest Domain Controller in the trusted domain, the domain must know the trusted domain's sites and site-links; you have to define the subnet of the DC in the trusted Domain's site.

In practice this means adding the same subnets to both forests, mapped to the corresponding sites, so that user authentication is matched to the right site.

To check how the logon server from the trusted forest is determined for a client, check the currently authenticated Domain Controller from the client, then check the current secure channel (authenticated) Domain Controller from that DC.

The command below finds the currently authenticated DC for a Domain:

nltest /dsgetdc:<DomainName>

The command below finds the current secure channel Domain Controller for a Domain:

nltest /sc_query:<DomainName>

The command below resets the secure channel so that a different Domain Controller is selected from the corresponding Domain/Forest:

nltest /sc_reset:<DomainName>

This selects the Domain Controller according to the site design.

If you want to reset the secure channel to a specific Domain Controller in the corresponding Domain/Forest:

nltest /sc_reset:<DomainName>\<DcName>

It seems simple, and this is how the secure channel determines the Domain Controller in a cross-forest.

Can I restore a schema partition?
By mail2spi2014 | January 11, 2014

The straightforward answer is NO. A change made to the schema cannot be reverted by deletion or restore; we can only deactivate the change (for example, deactivate an attribute). There is no supported way of restoring the schema from a backup and you cannot do an authoritative restore of the schema partition; the only option is a forest recovery.

If only a single DC is affected, you can simply remove that DC by performing a metadata cleanup.

Here are some alternatives for potential roll-back strategies:

1. Isolate the schema master by disabling inbound/outbound replication, then perform the schema update on the schema master. If something goes wrong, discard the schema master and repair the rest of the forest (seize the schema master role on another DC and clean out the old schema master).

2. Shut down, or stop replication on, a few selected DCs (say two DCs from each Domain) and do the schema upgrade. If something goes wrong, decommission all the DCs that were online and may have replicated the bad schema, bring up the DCs that were offline and repair/restore your forest. Please see the best practices for schema changes.

Active directory Troubleshooting (Part1 Diagnostics Logging)
By mail2spi2014 | June 13, 2013


How do I find what is accessing my LDAP server, which LDAP queries are used and how many queries are issued over a period of time?

When troubleshooting Active Directory issues like authentication failures, performance issues and logon issues, we can use different methods to monitor AD. I will discuss enabling diagnostics logging, adding the related counters in Performance Monitor to monitor AD, and enabling debug logging for the Net Logon service.

As an Active Directory administrator, has anyone asked you questions like: how many search operations did Active Directory perform, and who searched from which server? How many secure channel connections are there, and to which Domain and Domain Controller? How many Kerberos authentications does the server handle per second? How many LDAP client sessions are connected?

While troubleshooting you may have these questions yourself, or someone may ask them to resolve an issue; I am going to discuss how to find the answers.

Also See: How secure channel determine the Domain controller in cross-forest

Active Directory Diagnostics logging

To get more data about the directory service we have to enable Active Directory Diagnostics logging on the respective Domain Controllers in the registry, under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics.

Diagnostics logging has the values listed below. When enabled, it writes additional events into the DC's Directory Service event log to assist with troubleshooting. You can change these values from zero to five; the default value is zero, meaning minimal verbosity, and a setting of five will log more than you want. Normally I use four (five if required).

Note: Make sure to reset the value to zero when troubleshooting is completed.

The most common values for Active Directory Diagnostics logging:

1 Knowledge Consistency Checker
2 Security Events
5 Replication Events
8 Directory Access
9 Internal Processing
10 Performance Counters
13 Name Resolution (this is DNS related)
15 Field Engineering
18 Global Catalog

I have used the 15 Field Engineering value many times to find inefficient LDAP queries, including the client that was the source of the query, the query string and the root of the query. This is important because one of the headaches related to AD is the LSASS process (Local Security Authority Subsystem Service) using up enough resources to hang or crash a DC and cause client logon delays. Inefficient LDAP queries issued by a user, by an application or by a Linux client logon put a huge load on LSASS. Enabling this diagnostic log quickly identifies the system or IP address in your network that is causing the problem, so you know which system is searching AD (querying information from AD) and what information it is searching for. This helps you find the root cause of the issue; it has helped me on many occasions.

Also See:Active Directory real time issues and solutions

Example Events:
You will receive Event ID: 1643 if the value of 15 Field Engineering is set to 4

Event Type: Information
Event Source: NTDS General
Event Category: Field Engineering
Event ID: 1643
Date: 28/05/2012
Time: 1:35:26 p.m.
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: server1
Description:
Internal event: Active Directory performed the following number of search operations within this time interval.

Time interval (hours):
12

Number of search operations:
30937

During this time interval, the following number of search operations were characterized as either expensive or inefficient.

Expensive search operations:0

Inefficient search operations:0

You will receive Event ID: 1644 if the value of 15 Field Engineering is set to 5

If you set the value to 5 you will see an event entry for each search against the directory that breaches the expensive and/or inefficient search thresholds.

Event Type: Information
Event Source: NTDS General
Event Category: Field Engineering
Event ID: 1644
Date: 28/05/2012
Time: 10:06:25 a.m.
User: TM\Administrator
Computer: server1
Description:
Internal event: A client issued a search operation with the following options.

Client:
192.168.100.1

Starting node:
DC=test,DC=com

Filter:
( & (objectClass=user) (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=test,DC=com) (sn=z*) )

Search scope:
subtree

Attribute selection:
sAMAccountName

Server controls:

Visited entries:
24579

Returned entries:
25

Conclusion:

You will not see anything in the event log until you have enabled diagnostics logging by modifying the registry.

Similarly, for replication troubleshooting you can enable 1 Knowledge Consistency Checker and 5 Replication Events. The 9 Internal Processing value gives additional details for DS events that indicate an internal error has occurred; this often produces additional events that aid in diagnosing the problem.

See Part 2 of the Active Directory Troubleshooting article; I hope this helps you.
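As an added example (not the article's own code), the Python below parses constructed Event ID 1644 descriptions in the layout shown above, tags each search as expensive or inefficient using assumed default thresholds, and totals visited entries per client so the source of LSASS load stands out. The thresholds (more than 10,000 visited entries is expensive; more than 1,000 visited with under 10 % returned is inefficient) are an assumption about the directory service defaults and are parameters you can change.

```python
"""Classify LDAP searches reported by NTDS Event ID 1644 (15 Field Engineering = 5).

Added example, not code from the original article. The event descriptions are
constructed in the article's layout; the thresholds are assumed defaults and
can be overridden if your DCs use different registry values.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Three constructed Event 1644 descriptions; the first mirrors the article's sample.
SAMPLE_EVENTS = [
    """Internal event: A client issued a search operation with the following options.
Client:
192.168.100.1
Starting node:
DC=test,DC=com
Filter: ( & (objectClass=user)
(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=test,DC=com)
(sn=z*) )
Search scope:
subtree
Attribute selection:
sAMAccountName
Server controls:
Visited entries:
24579
Returned entries:
25""",
    """Internal event: A client issued a search operation with the following options.
Client: 192.168.100.7
Starting node: OU=Users,DC=test,DC=com
Filter: (mail=*@test.com)
Search scope: subtree
Visited entries: 1200
Returned entries: 1150""",
    """Internal event: A client issued a search operation with the following options.
Client: 192.168.100.1
Starting node: DC=test,DC=com
Filter: (description=*printer*)
Search scope: subtree
Visited entries: 5200
Returned entries: 3""",
]

FIELDS = ("Client", "Starting node", "Filter", "Search scope", "Attribute selection",
          "Server controls", "Visited entries", "Returned entries")
LABEL_RE = re.compile(r"^(%s):\s*(.*)$" % "|".join(re.escape(f) for f in FIELDS))


@dataclass
class LdapSearch:
    client: str
    base: str
    filter: str
    scope: str
    visited: int
    returned: int

    @property
    def hit_ratio(self) -> float:
        """Share of visited entries actually returned (1.0 when nothing was visited)."""
        return self.returned / self.visited if self.visited else 1.0


def parse_event_1644(description: str) -> LdapSearch:
    """Read the labelled fields; a value may follow its label or span the next lines."""
    fields: Dict[str, str] = {}
    current = None
    for raw in description.splitlines():
        line = raw.strip()
        m = LABEL_RE.match(line)
        if m:
            current = m.group(1)
            fields[current] = m.group(2)
        elif current and line:
            fields[current] = (fields[current] + " " + line).strip()
    return LdapSearch(
        client=fields.get("Client", "?"),
        base=fields.get("Starting node", ""),
        filter=fields.get("Filter", ""),
        scope=fields.get("Search scope", ""),
        visited=int(fields.get("Visited entries", "0")),
        returned=int(fields.get("Returned entries", "0")),
    )


def classify(search: LdapSearch, expensive_threshold: int = 10000,
             inefficient_threshold: int = 1000) -> List[str]:
    """Tag a search the way the 1643 summary counts it: expensive, inefficient, both or neither."""
    tags = []
    if search.visited > expensive_threshold:
        tags.append("expensive")
    if search.visited > inefficient_threshold and search.hit_ratio < 0.10:
        tags.append("inefficient")
    return tags


def visited_per_client(searches: List[LdapSearch]) -> List[Tuple[str, int]]:
    """Total visited entries per client IP, largest first: the top entry is the LSASS load source."""
    totals: Dict[str, int] = {}
    for s in searches:
        totals[s.client] = totals.get(s.client, 0) + s.visited
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
```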
AD Slow Authentication and prompting for credentials again and again
By mail2spi2014 | December 20, 2013


AD Slow Authentication and prompting for credentials again and again (Active Directory Troubleshooting Part 2)

This is a very common issue in a complicated Active Directory environment. Before discussing the authentication issues, I would like to cover some Active Directory basics: pass-through authentication, the AD secure channel, NTLM and Kerberos.

Also See: Active Directory real time issues and solutions

Pass-through authentication

If you have worked in a multi-Domain/Forest environment, or one designed with a user forest and a resource forest: an Exchange Server resource forest topology has two forests. One forest contains all the user accounts for your organization; this forest is called the user forest (account forest). The other forest contains no active user accounts; it only contains the Exchange Server and disabled user accounts. In simple terms, you have one Active Directory forest where your user accounts live and another Active Directory forest where your applications live (Exchange server, file server).

In the above scenario the Domain Controller receiving the request from the Exchange/file server to verify the user's access must pass the request to a Domain Controller in the user forest, so there must be a trust between the domain of the server (called the resource domain/forest) and the domain of the user account (called the account domain/forest).

When a user from Domain A tries to access an application on a server in Domain B, the application server in Domain B does not hold the user's details. It checks with its local Domain Controller in Domain B through the workstation secure channel, the Domain Controller in Domain B checks with a Domain Controller in Domain A through the trusted domain secure channel, and Domain A returns the authentication result to Domain B. This is called pass-through authentication, because the user's authentication request is passed through to the user's domain.

Secure Channel

I have mentioned the secure channel; what is a secure channel? It is a communication channel that provides a protected communication path between the domain controller and the workstations or member servers. It is also used to retrieve domain-specific information and to pass NTLM authentication through to the domain controller, or from DC to DC for the same purpose.

When two forests or domains are connected through a forest trust or domain trust, the trust establishment creates a shared secret (called the trust password) that the domain controllers in the two domains use to compute the session key that protects the secure channel traffic. Using this secure channel, the DC in the resource domain can pass logon requests securely to the DC in the account domain, in the same way that the server passed the logon request to the first DC. The secure channel between DCs in two domains that are connected by a trust relationship is called a trusted domain secure channel. In contrast, the secure channel between a member server and a DC in the resource domain is called a workstation secure channel.

When a computer is joined to the domain, a computer account is created in Active Directory and a password is generated for it. The computer account password is changed every 30 days and is stored on both the computer and the domain controller. When the computer starts, the Netlogon service on the computer authenticates with the computer account password against the password held by the Domain Controller and establishes a secure channel with that DC; in the same way a server creates a secure channel with the DC that authenticated it.

On a Domain Controller, the Netlogon service sets up secure channels with all the trusted domains (one Domain Controller in each trusted domain). You can check this with the Nltest command.

To check the current secure channel with a particular Domain:

nltest /sc_query:<DomainName>

To reset the secure channel to a different Domain Controller (a Domain Controller is selected for you):

nltest /sc_reset:<DomainName>

To reset the secure channel to a particular Domain Controller:

nltest /sc_reset:<DomainName>\<DomainControllerName>

Replace the Domain and Domain Controller names as required.

For a remote server you can add:

/server:<ServerName>

NTLM and Kerberos

NTLM and Kerberos are the protocols used for authentication. We all know NTLM is outdated and Kerberos is the newer authentication protocol. Kerberos lets a trusted service impersonate the user with the ticket it presents, so there is no need to contact a Domain Controller every time a resource is accessed; if the client is logged on to a domain, the browser never prompts the user for credentials, it simply uses the user's default logon credentials.

Are we not using NTLM any more? No, there are still areas where we have to use NTLM for the sake of compatibility: RPC over HTTP to connect to an Exchange mailbox, ISA Server as a web proxy. Let us look in depth at how this works:

Client opens a URL in the browser
Client browser sends a request to the proxy server with integrated authentication credentials
The proxy server needs to verify the user's credentials, so it sends the authentication request to the domain controller with which it has a secure channel
That domain controller responds to the proxy server
The proxy server answers the client with the requested internet page

Seems simple; however, for each web connection from a client the proxy server needs to verify the user's credentials by sending an authentication request to the DC, and this creates a high volume of NTLM authentication.

Think of the same scenario in a multi-Domain/Forest environment, with the user in one forest and the proxy server in another forest: this increases the NTLM pass-through authentication traffic further.

NTLM authentication is handled by the Netlogon service, which passes NTLM authentication requests to a domain controller that can handle them and receives them on that domain controller to be processed. You can enable debug logging for the Net Logon service to see what happens on the proxy server / domain controller, for example which user is getting authenticated by which domain controller.

A fixed number of threads service these authentication requests, that is, the number of concurrent NTLM authentications processed by the server; the default is typically 1, meaning there is one thread to hand off, receive and process these requests. We can reconfigure this through MaxConcurrentApi.

A MaxConcurrentApi thread can only deal with one authentication at a time; in the normal case each one is very quick. But a high volume of authentication transactions handled by one or two threads (the default) becomes a bottleneck, resulting in delays, and the authentication request has to wait longer than the remote client can tolerate.

Because of this delay, the client browser shows a credential prompt rather than the web page the user wanted to open, so this can be the cause of slow authentication and repeated credential prompts.

We can resolve this by increasing the MaxConcurrentApi value on the proxy server; in a multi-Domain/Forest environment we also need to increase the MaxConcurrentApi value on the resource forest Domain Controllers, depending on the configuration.

First we have to understand the current issue:

Enable the Netlogon logs on the proxy server and on the Domain Controller authenticating the proxy server (the Domain Controller the proxy server has its secure channel with)
Analyse the log for authentication failures and delays
Monitor the current secure channel traffic in perfmon by adding the counters Semaphore Waiters, Semaphore Holders, Semaphore Acquires, Semaphore Timeouts and Average Semaphore Hold Time
Log on to the Domain Controller authenticating the proxy server
Open perfmon, click add counters and select the Netlogon performance object
Select Average Semaphore Hold Time
If you do not find the counters, install the hotfix from http://support.microsoft.com/kb/928576, which adds the new performance counters on Windows Server 2003

Average Semaphore Hold Time should normally be very small. If it is greater than normal, the longer hold times mean a potential bottleneck is occurring: it delays the authentication process, the authentication request has to wait longer than a remote client can tolerate, authentication slows down and the client is prompted for credentials to re-initiate the authentication process.

To calculate MaxConcurrentApi for your environment, see:

http://support.microsoft.com/kb/2688798

Depending on the outcome, you should add more servers to service the legacy authentication load or increase the MaxConcurrentApi registry value.

Warning rules:

Average Semaphore Hold Time > 0.2 should be a yellow warning.

Average Semaphore Hold Time > 0 should be a red warning.

Semaphore waiters > 1 should be a yellow warning.

Semaphore waiters > 4 should be a red warning.

Any Semaphore Timeouts is a red warning.

Conclusion:
Slow authentication can be due to many issues, like client to DC connectivity, the network, subnet and site configuration, DNS SRV configuration, profiles, logon scripts and GPOs, so you have to analyse properly to find the root cause. This is one of the scenarios I have faced many times in a complex environment; I hope it helps you understand Active Directory authentication and the troubleshooting procedure. See you soon in another article.

Active directory Troubleshooting (Part1 Diagnostics Logging)

Troubleshoot Active Directory Server Replication

Active Directory On-premises User name did not match with their Office365 User name
By ganesamoorthy s | August 2, 2016


If you connect your on-premises Active Directory to Azure Active Directory and force directory synchronization, your local AD user accounts are replicated to Azure AD, the user accounts in both directories are fully in sync, and on-premises users can connect to Office 365 with their local user name and domain login. Sometimes you may see a mismatch between the on-premises Active Directory user name and the Office 365 user name. How do you fix this issue? Is there a way to replicate changes from on-premises to AAD to resolve the mismatch?

Also Read: Can we Replace on-premise Domain Controller with Cloud-based Active Directory

In the above scenario you will see duplicate user accounts in Azure Active Directory: one replicated from the on-premises Active Directory and another, pre-existing account in Office 365/AAD.

You will see two user accounts after synchronization through the AD connector: one existing user in Azure Active Directory and one replicated from the local Active Directory. Is there any way to associate or merge these two users within AAD?

Also Read: Office 365 DirSync Error: Unable to update this object because of missing attributes

Solution:
To fix the issue, remove the newly created account from Azure AD, then use the soft-match mechanism to link the on-premises object to the Office 365 user account for directory synchronization.

Follow the steps below to match an on-premises user to an Azure AD / Office 365 user account for directory synchronization (SMTP matching):

Make a note of the primary SMTP address of the target Office 365 user account
Create a user account in the on-premises domain that matches the target Azure AD / Office 365 user account
Set the primary SMTP address of the newly created user to match the primary SMTP address of the target Office 365 user account
Force directory synchronization (detailed steps from MS)

Hope this helps you fix the issue; come back for more interesting articles on Windows Tricks

Also Read: Difference between DirSync, Azure AD Sync and Azure AD Connect

Other Microsoft Cloud Services and more about Cloud Computing

Can we Replace on-premise Domain Controller with Cloud-based Active Directory
By ganesamoorthy s | July 1, 2016


If you are looking for a cloud-based Active Directory as a replacement for an on-premise domain controller, that is Active Directory without an on-premise domain controller: Azure Active Directory is a cloud-based identity and access management service hosted in Microsoft datacenters. If you want to get rid of the physical Domain Controller, a virtual machine in Azure or AWS is an option and is fully supported; however, if you want to get away from running Windows Server and all the usual OS maintenance tasks like patching and group policies, there is no cloud alternative available.

Also Read: Active Directory on Cloud (Azure Active Directory)


If you do not have any on-premises server dependencies and use only cloud services, such as Exchange Online and OneDrive for all file storage or the Microsoft Office 365 solutions, and just need basic Windows desktop management, then Azure Active Directory, Intune and Windows 10 are enough and there will not be any servers or server OS to manage/support.

Also Read: Windows 10 compatibility with Windows Server 2003

So Windows 10 clients cannot talk to Azure AD the way they talk to a domain controller, and Azure AD cannot be used for domain user logon authentication, so we cannot replace an on-premise domain controller with cloud-based Active Directory.

However, we can join a Windows 10 workstation to Azure AD. As per Microsoft this is for devices that access cloud services and is not a recommended solution for those who need a fully functional desktop and Active Directory environment; more from MS on Windows 10 Domain Join.

Also Read: Can my hyper-v server be a Windows Time Server?

Recommendation:

Why not keep an on-prem Domain Controller? A VM can be used, it is relatively lightweight, and the local Domain Controller can be synchronized with Azure Active Directory.

The Domain Controller can also be moved to virtual machines in Azure.

For that we have to set up a site-to-site Azure Virtual Network from the on-premises network to Azure and migrate the local Active Directory Domain Controllers and Active Directory Federation Services (ADFS) to virtual machines in Azure. This should be planned well, and you need a good network connection between the local network and the Azure network to implement it.

Also Read: Windows Server Administrator Interview Questions and Answers


Also Read: Windows Server 2016 Features

How to find Computers with Trust relationship issues on your Domain
By ganesamoorthy s | April 17, 2016


One of my readers has the problem that many PCs have trust relationship issues, but he does not have a list of the PCs affected. Users are able to log in with their domain accounts on these PCs and Group Policies also seem to work on many of them.

Before listing the workstations with trust relationship issues in your Domain, read How to troubleshoot workstation Trust relationship issues on Domain, my previous article. Checking a single computer is easy: just use the net command, and a loop can be used for a list of computers.

Also Read: AD Slow Authentication and prompting for credentials again and again

How to find a computer account issue

You can check the trust relationship with the net command; run this from the local Domain Controller with Domain Admin permission:

net use \\computername

net view \\computername

The computer must be connected to the network for this check; you will get an "Access is denied" error or another error if the trust is broken.

Also Read: Active Directory Replication failed with Target principal name is incorrect

Command to check this for a list of computers or all domain-joined systems

A loop can be used to check computers in bulk, as in the command below (list.txt holds one computer name per line; the echo records which computer each result belongs to, and 2>&1 captures the error text, which net writes to stderr):

for /f "tokens=1 delims=;" %a in (list.txt) do (echo %a & net use \\%a) >> c:\temp\result.txt 2>&1

Review the result file to find the affected computers in the network.

Also Read: Active directory Troubleshooting (Part1 Diagnostics Logging)

PowerShell command to check trust relationship issues on all the computers in a Domain (Test-ComputerSecureChannel must run on the target computer itself, so it is executed remotely through Invoke-Command and its result is written to one of two files):

Import-Module ActiveDirectory

$cred = Get-Credential   # account with local administrator rights on the workstations
$computers = Get-ADComputer -Filter * | Select-Object -ExpandProperty Name

foreach ($computer in $computers) {
    try {
        # Run the check on the remote computer and bring the result ($true/$false) back
        $a = Invoke-Command -ComputerName $computer -Credential $cred -ErrorAction Stop -ScriptBlock { Test-ComputerSecureChannel }
    } catch {
        # Unreachable, or the remote session failed because the secure channel itself is broken
        $a = "Error: $($_.Exception.Message)"
    }
    if ($a -eq $true) {
        Add-Content "c:\ComputerDetailsWithCorrectTrustRelationship.txt" "$computer;$a"
    } else {
        Add-Content "c:\ComputerDetailsWithWrongTrustRelationship.txt" "$computer;$a"
    }
}

Also Read: Active Directory real time issues and solutions

How to troubleshoot workstation Trust relationship issues on Domain
By ganesamoorthy s | April 11, 2016


How do trust relationship issues affect computers?

Domain-joined workstations and member servers have a trust relationship with the Domain in order to authenticate, and reset their computer account password every 30 days by default. You will get the error below if there is a mismatch between the computer password on the workstation and the one on the Domain Controller:

Also Read: Active Directory Replication failed with Target principal name is incorrect

Also Read: AD Slow Authentication and prompting for credentials again and again

Event ID 5723: The trust relationship between this workstation and the primary domain failed.
The session setup from the computer DOMAINMEMBER failed to authenticate.

The name of the account referenced in the security database is DOMAINMEMBER$.

How to check and confirm a computer account issue

You can check the trust relationship with the net command; run this from the local Domain Controller with Domain Admin permission:

net use \\computername

net view \\computername

The computer must be connected to the network for this check; you will get an "Access is denied" error or another error if the trust is broken.

Also Read: Domain Controller failed test Machineaccount on DCDIAG

Why this error occurs / trust relationship between this workstation and the primary domain failed

As I said, every computer account changes its password every 30 days by default. During the password change it contacts the authenticating Domain Controller, that is, the secure channel (SC) Domain Controller. Any network issue between the Domain Controller and the workstation can prevent the new password from being updated on the DC, and that causes the issue.

Also Read: Active directory Troubleshooting (Part1 Diagnostics Logging)

Solution:
Mostly this affects legacy operating systems like Windows XP/Windows Server 2003; just disjoin the machine from the domain and rejoin it to resolve the issue. You need the required permission to do this.

Operating systems like Windows Server 2008/2012 are not normally affected by this issue, but the same solution applies if you get it on Windows Server 2008/2012 R2.

Also Read: Active Directory real time issues and solutions

Office 365 DirSync Error: Unable to update this object because of missing attributes
By ganesamoorthy s | November 4, 2015


One of our readers had an issue with Office 365 syncing with their on-premises Active Directory; DirSync was failing with the following error:

Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services

The IdFix DirSync Error Remediation Tool identifies the issues with DirSync, and it showed that the targetAddress and mailNickname attributes were causing the problem. Further troubleshooting found that the targetAddress and mailNickname attributes, which are set in Office 365, were missing on the on-premises AD user accounts.

Also Read: Unable to archive older emails in Microsoft Office 365

The targetAddress and mailNickname attributes did not appear under the user properties in ADSI Edit either, so the issue was with the attributes themselves, not with their values.

Why targetAddress and mailNickname are required for Office 365 to DirSync with AD
During co-existence, if Office 365 users need to see the Global Address List, the targetAddress and mailNickname attributes are required along with the other mandatory attributes, so you need to populate these AD attributes.

Also Read: Active Directory on Cloud

Why are the targetAddress and mailNickname attributes missing?

If you cannot find these attributes, you need to prepare the AD schema for Exchange to resolve the issue: run the command below from the Exchange 2010 media to add the attributes to the AD schema

setup /PrepareSchema

Note: You should be a member of the Schema Admins and Enterprise Admins groups, and the server should be 64-bit and hold the Schema Master role (don't use setup.exe to run this command, just use setup)

Once the schema extensions were added, we were able to use IdFix to make the changes to the user object and sync the changes to Azure AD

Also Read: Difference between DirSync, Azure AD Sync and Azure AD Connect

Replsummary showing unknown for largest delta on AD replication checks
By ganesamoorthy s | July 12, 2015


Largest delta can be reported as unknown for a Source DC when running Repadmin /replsummary for your Domain and Forest. Since it shows unknown, you do not see the replication delta value and cannot tell which Destination DC is affected. This post describes how to find that Destination DC.

Also Read: Force active directory replication

Why is it reporting unknown?

Let's say a new replication connection object has been created by the KCC and it failed before completing its first replication cycle, or has not yet completed it. The replication destination has then never replicated from the source, and Repadmin /showrepl shows Last success @ (never). In that case largest delta is reported as unknown.

How to find the affected Destination DC?

Also Read: Active Directory Replication failed with Target principal name is incorrect

It is not easy to find the Destination DC: since the connection object has not completed its first replication cycle, it is not available in the Repadmin /replsummary output.

You need to query every connection object in the Forest to find the Destination DC:

csvde -f c:\temp\list.csv -d "CN=Configuration,DC=Domainname,DC=com" -r (fromServer=*) -l fromServer

The list.csv file contains the DN of every connection object in your Forest together with its fromServer attribute value.

Search list.csv for the Source DC (the fromServer attribute value); the unknown Destination DC is on the same line, inside the connection object DN. You may need to search several times until you find the correct Destination DC.

This can also be used to check the opposite side of a connection object. AD replication is two-way pull replication: repadmin /showrepl shows the connection objects of the Domain Controller it is run on, and if you want to see which Domain Controllers are pulling replication from this Domain Controller, the method above can be used.

This is easy in a very small environment with fewer than 10 Domain Controllers, where you can check manually by running repadmin /showrepl on each Domain Controller. In a very large environment with more than 100 DCs the manual method is not easy, and the procedure above finds it quickly. Hope this will help you to troubleshoot Active Directory replication issues.
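The list.csv search above can be scripted. The following Python script is an added example, not code from the original post: it parses the csvde export, takes the destination DC from each connection object's DN (the server name is two RDNs above the connection, in CN=<conn>,CN=NTDS Settings,CN=<DC>,CN=Servers,CN=<Site>,...) and the source DC from fromServer, and lists every DC pulling from a given source, or the reverse. The DC, site, domain and connection names in the embedded sample are constructed.

```python
import csv
import io
import re
from typing import List, NamedTuple

# Constructed sample of a "csvde ... -r (fromServer=*) -l fromServer" export.
# One nTDSConnection object per row; DC, site, domain and connection names are made up.
SAMPLE_LIST_CSV = """DN,fromServer
"CN=6d2c1a00-0000-4000-8000-000000000001,CN=NTDS Settings,CN=DC02,CN=Servers,CN=Site-A,CN=Sites,CN=Configuration,DC=corp,DC=example","CN=NTDS Settings,CN=DC01,CN=Servers,CN=Site-A,CN=Sites,CN=Configuration,DC=corp,DC=example"
"CN=6d2c1a00-0000-4000-8000-000000000002,CN=NTDS Settings,CN=DC03,CN=Servers,CN=Site-B,CN=Sites,CN=Configuration,DC=corp,DC=example","CN=NTDS Settings,CN=DC01,CN=Servers,CN=Site-A,CN=Sites,CN=Configuration,DC=corp,DC=example"
"CN=6d2c1a00-0000-4000-8000-000000000003,CN=NTDS Settings,CN=DC01,CN=Servers,CN=Site-A,CN=Sites,CN=Configuration,DC=corp,DC=example","CN=NTDS Settings,CN=DC02,CN=Servers,CN=Site-A,CN=Sites,CN=Configuration,DC=corp,DC=example"
"CN=6d2c1a00-0000-4000-8000-000000000004,CN=NTDS Settings,CN=DC01,CN=Servers,CN=Site-A,CN=Sites,CN=Configuration,DC=corp,DC=example","CN=NTDS Settings,CN=DC03,CN=Servers,CN=Site-B,CN=Sites,CN=Configuration,DC=corp,DC=example"
"""


class Connection(NamedTuple):
    connection_dn: str
    source_dc: str      # the DC this connection pulls FROM (fromServer)
    source_site: str
    dest_dc: str        # the DC that owns the connection object, i.e. the puller
    dest_site: str


def _rdn_values(dn: str) -> List[str]:
    """Split a DN into its RDN values, leaving escaped commas (\\,) inside a value intact."""
    return [part.split("=", 1)[1].strip() for part in re.split(r"(?<!\\),", dn)]


def parse_connections(csv_text: str) -> List[Connection]:
    """Turn the csvde export into Connection records.

    Connection DN:  CN=<conn>,CN=NTDS Settings,CN=<dest DC>,CN=Servers,CN=<dest site>,...
    fromServer:               CN=NTDS Settings,CN=<src DC>,CN=Servers,CN=<src site>,...
    """
    reader = csv.reader(io.StringIO(csv_text))
    # csvde writes the attribute name as typed on the command line, so match case-insensitively
    header = [h.strip().lower() for h in next(reader)]
    dn_col, from_col = header.index("dn"), header.index("fromserver")
    connections = []
    for row in reader:
        if len(row) <= max(dn_col, from_col) or not row[from_col]:
            continue  # blank line or an object without fromServer
        dest = _rdn_values(row[dn_col])
        src = _rdn_values(row[from_col])
        connections.append(Connection(row[dn_col], src[1], src[3], dest[2], dest[4]))
    return connections


def destinations_for_source(csv_text: str, source_dc: str) -> List[str]:
    """DCs that pull from source_dc: the candidates for the 'unknown' destination."""
    return sorted({c.dest_dc.upper() for c in parse_connections(csv_text)
                   if c.source_dc.upper() == source_dc.upper()})


def sources_for_destination(csv_text: str, dest_dc: str) -> List[str]:
    """The reverse view: DCs that dest_dc pulls from (what repadmin /showrepl lists on dest_dc)."""
    return sorted({c.source_dc.upper() for c in parse_connections(csv_text)
                   if c.dest_dc.upper() == dest_dc.upper()})


if __name__ == "__main__":
    for conn in parse_connections(SAMPLE_LIST_CSV):
        print(f"{conn.dest_dc} ({conn.dest_site}) <- {conn.source_dc} ({conn.source_site})")
    print("Pulling from DC01:", destinations_for_source(SAMPLE_LIST_CSV, "DC01"))
```

Point the script at the real list.csv to get every destination that has a connection object from the Source DC shown as unknown; each one can then be checked with repadmin /showrepl.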

Also Read: Replication failed with The destination server is currently rejecting replication requests Error

DNS Entries of a Domain Controller Resolving to an Incorrect Value
By ganesamoorthy s | May 24, 2015


One of the Domain Controller's DNS entries was pointing to a wrong IP address (resolving to the wrong IP address), which affected Active Directory authentication and other services. This is a unique issue which I have come across.

The architecture is a single forest with multiple child domains. When trying to resolve one of the child domains' Domain Controllers from another child domain, it resolved to an incorrect value, and after some time the DNS servers would resolve it with the correct IP address.

The affected Domain Controller was configured with the correct IP, and there was no issue with DNS resolution within the same domain; the issue was seen only when resolving from another child domain and was very intermittent, sometimes resolving to the correct IP and sometimes not.

Root Cause:

Cross-domain DNS resolution was done through DNS zone delegation (not through a DNS forwarder or conditional forwarder), and the wrong IP was configured on the NS record of the DNS zone delegation for the child domain in the root domain.

The Domain Controllers in all child domains are configured with a DNS forwarder to the root domain, and DNS zone delegation is configured for all child domains in the root domain, so any domain's DNS names can be resolved from all the domains.

Solution:

The DNS zone delegation with a manually created NS record caused the issue. If we change a Domain Controller's IP address, the NS record IP address in the DNS zone delegation must be changed too to avoid this issue.

Or

Configure a conditional forwarder on all DNS servers for each domain, with multiple IP addresses for redundancy.

Active Directory user attribute auditing using object Meta
By ganesamoorthy s | May 12, 2015


For Active Directory auditing we want to know who, when and where Active Directory attributes were changed: who removed a group from an Active Directory user account, who changed the account description, or any other Active Directory object attribute change.

All Active Directory object changes are recorded in the object's replication metadata (object Meta) and can be viewed with the repadmin command. This is very useful if you want to know the last change to any attribute of an object (User object, Computer object, Group object or any other AD object).

To get the LDAP path / User DN:

dsquery user -name <name>

To get the LDAP path for a Group, Computer, OU or other object, please check Find distinguished name (LDAP path for the object)

To list the User object Meta:

repadmin /showobjmeta <User DN>


In the repadmin /showobjmeta output, every attribute change is listed with the attribute name on the right side, the time and date of the change under Org.Time/Date, and the Originating DC.

From the output, find the attribute name and note the Originating Domain Controller for that attribute change
Log in to the Originating Domain Controller
Open Event Viewer
Select the Security log
Scroll down to the date and time shown in Org.Time/Date
Now you will see the attribute change event with who made the change

The event log might have been overwritten, so you may not be able to see the logs for the required date, and the metadata only shows the last change to an attribute even if it was updated many times: if a user's group membership was removed on Monday and again on Friday, we can only find Friday's change because the user's metadata in Active Directory was overwritten on Friday. With those limits in mind, you can use this for Active Directory auditing.

Command to find Duplicate SPN
By karthick s | April 17, 2015


Find Duplicate SPN: A Service Principal Name (SPN) is a concept from Kerberos, used to identify a particular service offered by a particular host within the domain. The general syntax of an SPN is serviceclass/fqdn@REALM. There are also User Principal Names, which identify users, in the form user@Domain.

Kerberos requires that an SPN be unique: there should be a single SPN configured for a particular service, whether on a service account or on a computer object. Sometimes we get System Event 11; see the example below:

The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is <insert name here>. This may result in authentication failures or downgrades to NTLM. In order to prevent this from occurring remove the duplicate entries for <insert name here yet again> in Active Directory.

Command to find duplicate service principal names in Active Directory:

csvde -f C:\Temp\spn.csv -d dc=domain,dc=in -r (ServicePrincipalName=*computer_name*) -l cn

The command above returns every object in the domain.in domain whose ServicePrincipalName attribute contains the server name.

Finding duplicate SPNs in Windows 2008 is very simple: the updated SETSPN command has -X and -Q switches that can be used to find duplicate service principal names
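The csvde export lists the matching objects, but you still have to spot which SPN is registered on more than one of them. The following Python script is an added example, not code from the original post. It assumes the export also includes the SPN column (csvde ... -l cn,servicePrincipalName; csvde writes multi-valued attributes into one cell separated by semicolons) and reports every SPN carried by more than one object, the condition behind KDC Event 11, comparing SPNs case-insensitively as AD does. Object names and the domain in the embedded sample are constructed.

```python
import csv
import io
from collections import defaultdict
from typing import Dict, List

# Constructed csvde export. Run csvde with "-l cn,servicePrincipalName" so the SPN column
# is present; csvde separates the values of a multi-valued attribute with semicolons.
# Object names and the domain are made up for this example.
SAMPLE_SPN_CSV = """DN,cn,servicePrincipalName
"CN=SQL01,OU=Servers,DC=domain,DC=in",SQL01,HOST/SQL01;HOST/sql01.domain.in;MSSQLSvc/sql01.domain.in:1433
"CN=svc_sql,OU=Service Accounts,DC=domain,DC=in",svc_sql,MSSQLSvc/SQL01.domain.in:1433;MSSQLSvc/sql01.domain.in:SQLEXPRESS
"CN=WEB01,OU=Servers,DC=domain,DC=in",WEB01,HOST/WEB01;HOST/web01.domain.in;HTTP/web01.domain.in
"CN=svc_web,OU=Service Accounts,DC=domain,DC=in",svc_web,HTTP/web01.domain.in;HTTP/intranet.domain.in
"""

MULTI_VALUE_SEPARATOR = ";"


def spn_index(csv_text: str) -> Dict[str, List[str]]:
    """Map each SPN (lower-cased, since AD matches SPNs case-insensitively) to the DNs carrying it."""
    reader = csv.reader(io.StringIO(csv_text))
    header = [h.strip().lower() for h in next(reader)]
    dn_col, spn_col = header.index("dn"), header.index("serviceprincipalname")
    index: Dict[str, List[str]] = defaultdict(list)
    for row in reader:
        if len(row) <= max(dn_col, spn_col) or not row[spn_col]:
            continue  # blank line or object without any SPN
        for spn in row[spn_col].split(MULTI_VALUE_SEPARATOR):
            spn = spn.strip().lower()
            if spn and row[dn_col] not in index[spn]:
                index[spn].append(row[dn_col])
    return index


def find_duplicate_spns(csv_text: str, host: str = "") -> Dict[str, List[str]]:
    """SPNs registered on more than one object, i.e. what KDC Event 11 complains about.

    host narrows the result the same way the (ServicePrincipalName=*computer_name*) filter does.
    """
    return {spn: sorted(dns) for spn, dns in spn_index(csv_text).items()
            if len(dns) > 1 and host.lower() in spn}


def report(csv_text: str, host: str = "") -> List[str]:
    """One human-readable line per duplicate SPN, ready to act on (remove the extra entry)."""
    return [f"{spn} is registered on {len(dns)} objects: {', '.join(dns)}"
            for spn, dns in sorted(find_duplicate_spns(csv_text, host).items())]


if __name__ == "__main__":
    for line in report(SAMPLE_SPN_CSV):
        print(line)
```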

setspn -X

Here are the new switches for SetSPN that ship with Windows 2008:

Modifiers:
-F = perform the duplicate checking on forestwide level
-P = do not show progress (useful for redirecting output to file)

Switches:
-R = reset HOST ServicePrincipalName
Usage: setspn -R computername
-A = add arbitrary SPN
Usage: setspn -A SPN computername
-S = add arbitrary SPN after verifying no duplicates exist
Usage: setspn -S SPN computername
-D = delete arbitrary SPN
Usage: setspn -D SPN computername
-L = list registered SPNs
Usage: setspn [-L] computername
-Q = query for existence of SPN
Usage: setspn -Q SPN
-X = search for duplicate SPNs
Usage: setspn -X

The -Q switch is really the nice feature here. It lets you see whether an SPN already exists in your domain. You can also combine it with the -F modifier to look through the whole forest.

C:\>setspn -q MSSQLSvc/computer_name:1433
No such SPN found.

C:\>setspn -q MSSQLSvc/computer_name.mydomain.com:1433
CN=MYMACHINE,OU=Workstations,DC=mydomain,DC=com
MSSQLSvc/mymachine.mydomain.com:1433
HOST/MYMACHINE
HOST/MYMACHINE.MYDOMAIN.COM

Existing SPN found!

For more info https://technet.microsoft.com/en-us/library/cc733945(v=ws.10).aspx

How the secure channel determines the Domain Controller in a cross-forest
By ganesamoorthy s | April 2, 2015


How does a client computer or member server find the logon Domain Controller in a cross forest in an Active Directory environment, or how does the secure channel determine the Domain Controller in a cross-forest?

If you have worked on troubleshooting authentication issues between forests, you have probably used the NLTEST tool to check the secure channel Domain Controller. Did you ever try to find out how a Domain Controller in one forest selects the Domain Controller in the other forest?

For a local member server, the Domain Controller for the secure channel is determined by the site link and the respective DNS SRV records. In the same way, the Domain Controller to trusted domain secure channel is determined by the site link and the respective DNS SRV records, if you have enabled site synchronization.

Site synchronization

To locate the closest Domain Controller in the trusted domain, the domain must have knowledge of the trusted domain's sites and site links: you have to define the subnet of the DC in the trusted domain's site.

In other words, add the same subnets in both forests with the corresponding site, so that user authentication goes to the matching site.
To check how the logon server from the trusted forest is chosen by the client, check the currently authenticating Domain Controller from the client, and then check the current secure channel / authenticating Domain Controller from that authenticating DC.

The command below finds the current authenticating DC for a domain

nltest /dsgetdc:<DomainName>

The command below finds the current secure channel Domain Controller for a domain

nltest /SC_QUERY:<DomainName>

The command below resets the secure channel so that a different Domain Controller from the corresponding Domain/Forest is selected

nltest /SC_RESET:<DomainName>

This selects the Domain Controller as per the design

If you want to reset the secure channel to a specific Domain Controller from the corresponding Domain/Forest:

nltest /SC_RESET:<DomainName>\<DcName>

Seems simple, and this is how the secure channel determines the Domain Controller in a cross forest

Windows Server 2012 Active Directory Trust Relationship Problem
By ganesamoorthy s | June 16, 2016


You may get the error message The security Database on the server does not have a computer account for this workstation trust relationship, or Login ID or password incorrect, at logon time on Windows Server 2012 R2. The most recommended solution is to re-join the Active Directory domain or rebuild the server to fix the issue, but before re-joining or rebuilding, make sure that configuration such as the SPN (ServicePrincipalName) and UPN (UserPrincipalName) is correct. We will discuss this in detail with steps
Also Read: How to troubleshoot workstation Trust relationship issues on Domain

You will get an error like this at the time of domain logon

How to check UserPrincipalName and DNSHostName

Go to Run
Type ADSIEDIT.msc
Browse to the computer object
Click Properties
Check the UserPrincipalName and DNSHostName values
UserPrincipalName should be computername@Domainname (computer1@windowstricks.in)
DNSHostName should be computername.domainname (computer1.windowstricks.in)
Correct the values if required

Also Read: Domain Account unable to log-in with cached credentials on Windows 10

How to check the ServicePrincipalName

Open CMD
Type the command setspn -l computername (setspn -l computer1)
You should get the result below:
HOST/computer1
HOST/computer1.windowstricks.in
Correct the values if required
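The two checks above can be scripted so that the expected values are derived from the computer name and domain instead of being compared by eye. The Python function below is an added example, not code from the original post: it takes the attributes of a computer object (as copied from ADSIEDIT or exported with csvde), reports every mismatch in sAMAccountName, dNSHostName, the HOST SPNs and, when present, UserPrincipalName, and also flags a machine password older than the default 30-day change interval mentioned earlier. The account data in the sample is constructed; pwdLastSet is an AD FILETIME (100-nanosecond ticks since 1601-01-01 UTC).

```python
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MACHINE_PASSWORD_MAX_AGE = timedelta(days=30)  # default machine account password change interval


def filetime_to_datetime(filetime: int) -> datetime:
    """pwdLastSet is a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse of filetime_to_datetime, used here to build the constructed sample values."""
    return (when - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def check_computer_account(attrs: Dict[str, Any], domain_fqdn: str,
                           now: Optional[datetime] = None) -> List[str]:
    """Compare a computer object's attributes with the values the post says they should have.

    attrs holds the values as read from ADSIEDIT: cn, sAMAccountName, dNSHostName,
    userPrincipalName, servicePrincipalName (list) and pwdLastSet (FILETIME integer).
    Returns one line per mismatch; an empty list means the account looks consistent.
    """
    findings: List[str] = []
    name = attrs["cn"]
    fqdn = f"{name}.{domain_fqdn}".lower()

    # A computer account's sAMAccountName is the NetBIOS name with a trailing $
    sam = attrs.get("sAMAccountName", "")
    if sam.upper() != f"{name.upper()}$":
        findings.append(f"sAMAccountName is '{sam}', expected '{name.upper()}$'")

    dns_host = attrs.get("dNSHostName", "")
    if dns_host.lower() != fqdn:
        findings.append(f"dNSHostName is '{dns_host}', expected '{fqdn}'")

    # Only checked when set, against the computername@domain form given in the post
    upn = attrs.get("userPrincipalName", "")
    if upn and upn.lower() != f"{name.lower()}@{domain_fqdn.lower()}":
        findings.append(f"userPrincipalName is '{upn}', expected '{name}@{domain_fqdn}'")

    # Both HOST SPNs that "setspn -l" should list; SPN comparison is case-insensitive
    spns = {s.lower() for s in attrs.get("servicePrincipalName", [])}
    for required in (f"HOST/{name}", f"HOST/{fqdn}"):
        if required.lower() not in spns:
            findings.append(f"missing SPN {required}")

    pwd_last_set = attrs.get("pwdLastSet")
    if pwd_last_set:
        age = (now or datetime.now(timezone.utc)) - filetime_to_datetime(int(pwd_last_set))
        if age > MACHINE_PASSWORD_MAX_AGE:
            findings.append(f"machine password last set {age.days} days ago, past the "
                            f"{MACHINE_PASSWORD_MAX_AGE.days}-day change interval")
    return findings


# Constructed sample data; the domain name is the one used in the post.
NOW = datetime(2016, 6, 16, tzinfo=timezone.utc)

HEALTHY_ACCOUNT = {
    "cn": "computer1",
    "sAMAccountName": "COMPUTER1$",
    "dNSHostName": "computer1.windowstricks.in",
    "userPrincipalName": "computer1@windowstricks.in",
    "servicePrincipalName": ["HOST/computer1", "HOST/computer1.windowstricks.in",
                             "RestrictedKrbHost/computer1",
                             "RestrictedKrbHost/computer1.windowstricks.in"],
    "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=12)),
}

BROKEN_ACCOUNT = {
    "cn": "computer2",
    "sAMAccountName": "COMPUTER2$",
    "dNSHostName": "computer2.windowstricks.local",             # wrong DNS suffix
    "servicePrincipalName": ["HOST/computer2"],                 # FQDN HOST SPN missing
    "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=45)),  # stale machine password
}

if __name__ == "__main__":
    for label, account in (("computer1", HEALTHY_ACCOUNT), ("computer2", BROKEN_ACCOUNT)):
        print(label, check_computer_account(account, "windowstricks.in", now=NOW) or ["OK"])
```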

Also Read: Shortcut Keys for Windows server 2012 and 2012 R2

If the affected servers are VMs

Check the time, and any time sync issue, on the affected servers. If the servers are hosted on VMs, disable time sync in VMware so that all clients sync their time from the domain PDC; check my previous article Can my hyper-v server be a Windows Time Server?

Also Read: Differences between Windows Server 2012 R2 Hyper-V and Hyper-V Server 2012 R2

Also try this

The issue may be with the NetBIOS name of the domain: try re-joining the domain using the NetBIOS name (domain) instead of the domain FQDN (domain.com) when joining the affected server to the domain

If none of the above fixes the issue, re-join the affected server to the domain, and also try rebuilding the server to fix the issue

Also Read: Active Directory Features in Windows Server 2012

Why PowerShell remoting isn't enabled on a Windows Server 2008
By ganesamoorthy s | September 27, 2015


By default PSRemoting is disabled in Windows Server 2008. Is there any reason why PowerShell remoting isn't enabled by default on a Windows Server 2008 box? Of course we can enable it manually in several ways, but are there any security risks or issues for the Windows server?

As for the risks/issues of enabling it, there might actually be none. The question is why Microsoft had it disabled by default in Windows Server 2008 but enabled in 2012. Usually there are three reasons why the default behaviour of a service/feature/role changes between OS releases; surprisingly, I didn't find any information about this in the public domain

Also Read: Enable Powershell Remoting on Windows server 2008 R2 and 2012

Some of my understanding of why PowerShell remoting isn't enabled by default on Windows Server 2008

The opposite of feature deprecation: Usually something they want to drop becomes disabled by default in one release to preserve it until the next. The opposite also happens: sometimes new features are added but are off by default and have to be switched on, and then the product group makes them enabled by default in the next release

Change in security posture: The default used to be to lock everything down, as before it was all about reducing the attack surface area (so you live under a rock in a cave and can't do anything), but then, because of improvements in securing the underlying OS and a better understanding that there was no real problem, things can become enabled by default

Feature adoption: There was a big drive in Windows Server 2012 to make sure features were readily available/enabled and decoupled from dependencies such as other-OS interoperability or convoluted prerequisites, as otherwise customers would be less likely to adopt features and would make mistakes in implementation

Also Read: Windows 10 compatibility with Windows Server 2003

Conclusion:

Indeed, if you're opening up ports or enabling services, there could be a valid reason why that's not acceptable in some environments: someone with administrative access can remotely own your box. But I'd be much more concerned that someone already has administrative/privileged credentials in the first place; there are many more ways to hose a box over the wire than to worry about just one more way to connect.

Also Read: Active Directory on Cloud

Enable PowerShell Remoting on Windows Server 2008 R2 and 2012
By ganesamoorthy s | July 29, 2015


PowerShell Remoting is a very impressive feature from Windows Server 2008 R2 / PowerShell 2.0. It allows you to run any PowerShell command, or access a full PowerShell session, on a remote server, unlike the older native commands that run only on the server where they are executed, so it is powerful and makes it easy to run a function on multiple systems in less time.
What changes from native command execution?

The PowerShell command is issued on the client
The same PowerShell command is transmitted to the server
The server executes the PowerShell command and then returns the output to the client
The client displays or uses the returned output

How to Enable PowerShell Remoting on Windows Server 2008, Windows 7 and other systems

By default PowerShell Remoting is disabled on Windows Server 2008 R2 and needs to be enabled by running the enable-psremoting command on each server. We have other options to enable PowerShell Remoting on multiple servers remotely; the methods are

Enable PowerShell Remoting with PSEXEC (remotely)

We can open psexec from CMD, connect to each server and run enable-psremoting -force, or run the command below with each server name

psexec \\[Server name] -u [User name] -p [password] -h -d powershell.exe enable-psremoting -force

Replace \\[Server name] with an IP address, or even @C:\[path]\serverlist.txt to automatically enable PSRemoting on a big list of computers in your environment

Enable PowerShell Remoting with a scheduled task

Create a batch file or .ps1 file containing the enable-psremoting -force command, then create a scheduled task with the schtasks command pointing to that batch file or .ps1 file

Schedule the task to run the script (batch file or .ps1 file) and enable PowerShell Remoting

Enable PowerShell Remoting with Server Manager

Open Server Manager
On the Server Manager home page, click Configure Server Manager Remote Management.
Next, select Enable Remote Management of This Server from Other Computers.
Click OK

Enable PowerShell Remoting via Group Policy

Create a new GPO, or edit an existing GPO
Browse to: Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service
Open the Allow Automatic Configuration of Listeners policy, select Enabled, and then define the IPv4 filter and IPv6 filter as * (Server 2008 and earlier).
Open the Allow Remote Server management through WinRM policy, select Enabled, and then define the IPv4 filter and IPv6 filter as * (Server 2008 R2 and later).
Click OK.

For Firewall Rules

Browse to: Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules.
Right-click Inbound Rules, and then click New Rule.
In the New Inbound Rule Wizard, on the Rule Type page, select Predefined.
On the Predefined pull-down menu, select Remote Event Log Management. Click Next.
On the Predefined Rules page, click Next to accept the new rules.
On the Action page, select Allow the Connection, and then click Finish. Allow the Connection is the default selection.
Repeat the steps above to create inbound rules for Remote Service Management and Windows Firewall Remote Management

If you are using Windows Server 2012 you don't need to do any of the above configuration to enable PowerShell remoting; yes, it's enabled by default, so start using the feature without any extra effort

Monitor NTLM authentication delays and issues on Windows 2008 and 2012
By ganesamoorthy s | July 26, 2015


Events to track authentication delays and issues: Finally we have new event log entries that can track NTLM authentication delays and issues in Windows Server 2008 R2. In a complex environment with multiple Forests and multiple Domains, NTLM authentication requests are numerous and it is difficult to monitor and track the bottlenecks
Also Read: AD Slow Authentication and prompting for credentials again and again intermittently and experience time-outs when you connect to Authenticated Services

Install http://support.microsoft.com/kb/2654097 to enable event log entries that track NTLM authentication delays and failures

After installing the above hotfix, the EventLogPeriodicity and WarningEventThreshold registry entries need to be configured as per your requirement

Event IDs 5816 to 5819 are logged whenever an error or warning condition is met

Some of the symptoms seen on the application side for NTLM authentication delays

Web Services and Web Proxy:

Web clients are frequently prompted for credentials
Web clients receive delayed responses from the web server.

Exchange client:

Outlook receives delayed responses from the server.
Outlook is frequently prompted for credentials

Some known causes of high authentication flow and authentication delays

There are highly transactional and heavily used application services in the environment.
There is heavy use of scripts that use NTLM authentication through the WinNT provider
Applications and services are not properly configured to use Kerberos authentication (SPN configuration to use only Kerberos)

Bottleneck:

This mostly occurs when a high volume of NTLM authentication or Kerberos PAC validation transactions occur on an application server, and that volume is greater than the volume that can be handled at one time by the application server or the domain controllers that are providing authentication.

Also Read: Troubleshoot Active Directory Server Replication

Solution:
For applications and services that are using NTLM, configure them to use Kerberos authentication only.

Default MaxConcurrentApi Value:

Workstations: one thread available for use

Member servers: two threads available for use

Domain controllers: one available thread per secure channel to trusted domains

Configure MaxConcurrentApi:

There is a calculation to decide what value to set for the MaxConcurrentApi setting in your environment to resolve the issue; refer to https://support.microsoft.com/en-us/kb/2688798

Also See: Active Directory real time issues and solutions

Shortcut Keys for Windows Server 2012 and 2012 R2
By ganesamoorthy s | June 5, 2015


If you are new to Windows Server 2012 and 2012 R2 you might find it difficult to run some of the essential tasks like Run, CMD, and even shutting down and logging off the server. How do we do basic server administration work on Windows Server 2012? Even the Administrative Tools are removed, and Run, CMD and the Start menu are not visible in Windows Server 2012. Oh no, then how do we get to the administrative tools? They all seem to be missing, but there is a way to find them

Windows Server 2012 comes with a new GUI which hides the most essential buttons and tools like the Start menu, Run, Command Prompt, Shutdown, Restart, Logoff and many more. I just want to share shortcut keys for Windows Server 2012 to make life easier

Start screen: Windows Key
Charms bar: Windows Key + C
Run: Windows Key + R
CMD: Windows Key + R, then type CMD
Command Prompt with Admin access: Windows Key + X + A
Start Menu: Windows Key + X
Shutdown: Ctrl+Alt+Del, then select the Power button in the lower right corner
Logoff/Lock/Task Manager: Ctrl+Alt+Del
Control Panel: Windows Key + X + P
Task Manager: Windows Key + X + T
Computer Management: Windows Key + X + G
Device Manager: Windows Key + X + M
Event Viewer: Windows Key + X + V
Disk Management: Windows Key + X + K
Windows Explorer: Windows Key + X + E
Search: Windows Key + X + S
System: Windows Key + X + Y
Programs and Features: Windows Key + X + F
PowerShell: Windows Key, then type PowerShell

Administrative Tools

Administrative Tools have been replaced with Server Manager. Microsoft has been strongly pushing the use of Server Manager, and it is now full-featured; all of these tools are available in the Server Manager Tools menu

Windows Server 2012 co-existence and migrate/upgrade scenarios
By ganesamoorthy s | May 17, 2015


Can Windows Server 2012 R2 co-exist with Windows Server 2003? Can I do an in-place upgrade from Windows Server 2003 or Windows Server 2008? Which is supported and which is not?

If you want to know the answers to these questions, you are on the right page; we will discuss the supported upgrade scenarios

Not supported

In-place upgrade from Windows Server 2003, from a 32-bit system, or from a Server Core edition is not supported

Windows 2000 Domain Controllers are not supported

Windows NT Domain Controllers are not supported

Supported

Add a new Windows Server 2012 DC in a Windows Server 2003 Forest/Domain

Add a new Windows Server 2012 DC in a Windows Server 2008/2008 R2 Forest/Domain

Supported Upgrade Scenarios

Windows Server 2008 Standard SP2 or Windows Server 2008 Enterprise SP2 can be upgraded to Windows Server 2012 Standard or Windows Server 2012 Datacenter

Windows Server 2008 Datacenter SP2 can be upgraded to Windows Server 2012 Datacenter

Windows Web Server 2008 can be upgraded to Windows Server 2012 Standard

Prerequisites
The Domain Functional Level should be at least Windows 2003 mode. This is the minimum Domain Functional Level that allows a Windows Server 2012 Domain Controller installation.

Windows NT / 2000 DCs are not supported

You need to raise the Domain Functional Level to Windows 2003 mode, and for that, older DCs like Windows NT and Windows 2000 need to be removed / decommissioned.

Supported and Not Supported Trusts

Forest trusts are not supported with Windows NT / 2000 DCs anyway; external trusts can be configured to connect to Windows 2000 Server and Windows NT 4 domains

Note: From Windows Server 2008 onwards, legacy cryptography algorithms are not supported for secure channel communications, hence an external trust cannot be established between Windows NT 4.0 and a Windows Server 2008 or higher domain controller. This can be rectified through a simple registry change, but that is not recommended

Hope this will help you to understand the requirements and prerequisites to install Windows Server 2012 into your existing environment, and what is and isn't possible with your current domain configuration

Difference between Windows Server 2012 and R2
By ganesamoorthy s | April 30, 2015


Windows Server 2012 R2 brings many new features and enhancements to the Windows Server world compared to the older version, Windows Server 2012. We will discuss the major differences between Windows Server 2012 and Windows Server 2012 R2 and some of the very innovative Windows Server 2012 R2 features and improvements; also see Windows Server 2012 Features and Difference between Windows Server 2008 and Windows Server 2012

The Windows Server 2012 schema version is 56 and Windows Server 2012 R2 is 69; the schema is updated while doing the forest preparation / installing Windows Server 2012 R2
Active Directory comes first when I think about Windows Server, so I will start with the new Active Directory features on Windows Server 2012 R2

Active Directory has been enhanced with the following

Workplace Join

SSO Support (Single Sign-On)

Connect from Anywhere with Web Application Proxy

Multi-Factor Access Control (Anywhere-and-on-Any-Device)

Workplace Join

Workplace Join allows users to connect/join their personal devices to their company's workplace network and computers to access resources and services. Yes, now we can connect personal devices like mobile phones, tablets and others (Windows 8.1, iOS 6.0+, and Android 4.0+ devices can be joined by using Workplace Join)

It is not like a domain join: when a device is joined to your workplace, it becomes a known device and provides seamless second-factor authentication through Single Sign-On to access workplace resources and applications.

Workplace Join works through the Device Registration Service. The Device Registration Service (DRS) is part of Active Directory Federation Services; it creates a device object in Active Directory and tracks the associated device certificate in order to represent the device's identity.

SSO Support (Single Sign-On)

Using Single Sign-On (SSO) effectively, users do not need to provide their user name and password when accessing different applications, even outside the office network. Again this uses the Device Registration Service, and the Active Directory Federation role allows claims-based authentication to occur based on trusted certificates

Web Application Proxy

The Remote Access role service is replaced by Web Application Proxy in Windows Server 2012 R2. It provides access to a sample web application by using claims-based authentication through Active Directory Federation Services
Company applications can be accessed from anywhere in a secure way with the help of Web Application Proxy

Multi-Factor Authentication

Multi-Factor Authentication here means authenticating both the user and the device used by the user: the user and the user's personal device joined through Workplace Join are both authenticated

New DNS Features on Windows Server 2012 R2

DNS Logging and Diagnostics

Unlike older Windows versions, enabling DNS logging does not degrade server performance thanks to the enhanced DNS logging and diagnostics feature. It provides extremely detailed data about all DNS-related information that is sent and received by the DNS server, similar to the data that can be gathered using network packet capture tools such as Netmon. This includes DNS audit events and DNS analytic events, which are very helpful for troubleshooting

New Group Policy Features in Windows Server 2012 R2

Policy Caching

Policy Caching is newly introduced in Windows Server 2012 R2. When Group Policy gets updated, the client gets the latest version of a policy from the domain controller and writes the policy to a local store. The next time the computer restarts, it reads the most recent version of the policy from the local store instead of downloading it from the domain controller. This reduces the time it takes to update the policy; most importantly, boot time is reduced in synchronous mode

New DHCP Features in Windows Server 2012 R2

DNS PTR registration options

Now you can configure the DHCP scope to register only the address (A) resource records of DHCP clients with the DNS server. This can be helpful when a reverse lookup zone has not been configured on your DNS server, which causes attempts to register pointer (PTR) resource records to fail.

And most importantly, PowerShell commands are available for DHCP servers
Also Windows PowerShell for Certificate Services, and many new features in Remote Desktop Services in Windows Server 2012 R2

Other than the Active Directory Features on windows server 2012 R2

Work Folders

You can store and access work files on your personal computers and personal device, similar to
Dropbox, this role only available on Windows Server 2012 R2, its like an offline file with your
personal device and it get replicated to company network, Access your office files while offline from
personal device, and then sync with the central file server when the PC or device next has Internet or
intranet connectivity, see Microsoft page

Windows PowerShell Desired State Configuration

Its cool new features from Windows Server 2012 R2, to replace the Group policy (GPO)

Yes, it is similar to Group Policy. It enables deploying and managing configuration data such as
registry settings, enabling or disabling server roles and features, managing files and directories,
starting, stopping and managing processes and services, managing groups and user accounts,
deploying new software, managing environment variables, running Windows PowerShell scripts, and
discovering the actual configuration state (see the Microsoft page).

Storage Tiering

If you are a storage admin you already know Storage Tiering; it has been around for a long time, and
this feature is now available in the Windows Server 2012 R2 operating system, the first time it is
available at the operating-system level. Microsoft uses a heat-map algorithm to determine which
chunks of data are seeing the most activity and automatically moves the hottest data to the fastest
disks. You can adjust the settings using PowerShell.

RRAS Multitenant Gateway

Now you can deploy RRAS as a virtual machine (VM)-based software gateway and router that allows
Cloud Service Providers (CSPs) and enterprises to route datacentre and cloud network traffic between
virtual and physical networks.

In Windows Server 2012 each site-to-site network connection required a separate gateway, which
affected both cost and ease of implementation when more than a few connections were required for a
single application. Windows Server 2012 R2 does away with this limitation, which can reduce capital
and operational expenditure.

Windows Server Essentials role

The vision of Windows Server 2012 R2 Essentials is to bundle all the required features for small
businesses with up to 25 users and 50 devices. When you install the Windows Server Essentials
Experience role on another Windows Server edition, you can take advantage of all the features
available in Windows Server 2012 R2 Essentials without the locks and limits enforced in it.

And there are many more new features, such as de-duplication on running VMs, parallel rebuild and
shared virtual hard disks in Hyper-V for Windows Server 2012 R2; also see Windows Server 2012 Features.

Active Directory Features in Windows Server 2012
By mail2spi2014 | March 3, 2013

Active Directory 2012 features on Windows Server 2012 and R2: I am going to discuss the Windows
Server 2012 Active Directory features. As per my understanding the newer version does not have many
new features; rather, Microsoft has improved the Active Directory 2008 features in Active Directory
2012. Below is the list of improvements compared to the earlier version, Active Directory 2008; also
check Difference between Windows Server 2012 and R2.

Active Directory 2012 features

Virtualization

Virtualization and cloud computing have been the emerging technologies in IT infrastructure over the
past few years; I personally never thought of having a virtual Active Directory environment. If you
restore the AD database from a snapshot image, the Invocation ID is not reset, which leads to a
database version mismatch with the other Domain Controllers and stops replication. Active Directory
2012 supports virtual snapshots: the Virtualization feature correctly resets the Invocation ID if a
snapshot is applied or a VM is copied, using the VM generation ID.

Support for virtual cloning: we can clone existing virtual domain controllers without any issue, which
reduces the number of steps and the time involved by eliminating repetitive deployment tasks.

Simplifies Active Directory Upgrades and Deployments

Dcpromo is not available in Active Directory 2012! The Active Directory Domain Services Installation
Wizard has been relocated into Server Manager and replaces the Dcpromo command.

Forest preparation and domain preparation (Forestprep and ADprep) happen automatically while doing
a Server 2012 DC installation; if you wish, you can still do them manually using the Adprep commands
/forestprep, /domainprep and /rodcprep.

It seems a simple and easy procedure; of course you will require good planning and an in-depth
understanding of the procedure when doing a domain upgrade.

Dynamic Access Control

Native access control requires a user or group to be added to the file/folder NTFS permissions to get
access. In Windows 2012, claims-based authorization does not replace the existing model; it adds new
features to the existing system.

For example, if the user's department is Accounts in Active Directory, the user is able to access the
Accounts-related data on file servers using the Dynamic Access Control feature.

Customised audit policies

You can fine-tune the audit policies as per your requirements: not only monitor file access success
or failure but also what actions were carried out or attempted on the file, such as read, write, delete,
change file permissions and so on. You can narrow the scope of file auditing to specific users or
groups of users by configuring the Global Object Access Auditing policy within a GPO.

Event logs

If you enable auditing for multiple items and configure the customised audit policies, the security
logs will grow faster. By default the log overwrites old events when it runs out of space, and most
organisations use a third-party application to back up the event logs and store them in a centralized
repository. In Windows 2012 you can select the option "Archive the log when full, do not overwrite
events", so you can examine the old logs; of course you need enough disk space to store the logs.

Offline Domain Join

Offline Domain Join is improved in Windows Server 2012 AD DS: we can join a computer to the domain
over the Internet if the domain is DirectAccess enabled.

Active Directory Federation Services (AD FS)

Adding ADFS no longer requires a separate installation. ADFS also gains multiple improvements.

Windows PowerShell

Windows PowerShell History Viewer: you get a ready-made command for every action you perform in
the Active Directory Administrative Center. For example, if you create a user or add a user to a group,
you have the command that does the same, which minimizes the learning investment and lets you
automate the activity very easily.

Windows PowerShell Cmdlets for Active Directory Replication and Topology: I have been expecting
this for a long time. Yes, we now have PowerShell commands for what repadmin, ntdsutil and Active
Directory Sites and Services do: troubleshoot replication, and create and manage sites, site links,
site-link bridges, subnets and connections using the newly available cmdlets.

Active Directory Recycle Bin

We can recover deleted objects within a graphical user interface through the Active Directory
Administrative Center (ADAC), which reduces the recovery time and simplifies the complex procedure.

Kerberos Constrained Delegation across Domains (KCD)

KCD was first introduced in Windows Server 2003 to permit a service account (front-end) to act on
behalf of users in an application to access back-end services, for example a web server (front-end)
accessing the database server (back-end) on behalf of the user. This only worked for back-end
services in the same domain as the front-end service account.
KCD in Windows Server 2012 supports cross-domain and cross-forest scenarios. It is a much-demanded
feature and reduces the pass-through authentication load (if you have multiple domains and forests,
this is your future).

Flexible Authentication Secure Tunneling (FAST)

More secure Kerberos in Windows Server 2012 through Flexible Authentication Secure Tunneling: it
provides a protected channel between a domain-joined client and the DC.

Active Directory-Based Activation (ADBA)

This eliminates the need for Key Management Service (KMS) servers: no additional machines are
required and there is no RPC requirement, since Active Directory-based activation uses LDAP exclusively.

AD FS (v2.1) ships in the box as a server role in Windows Server 2012 and is able to populate SAML
tokens with user and device claims taken directly from the Kerberos ticket.

And RID improvements, index creation improvements and many more.

For more on Active Directory 2012 features, see the Microsoft page.

ACTIVE DIRECTORY TOOLS

DNS Lookup Tool with GUI
By mail2spi2014 | June 16, 2011

Free Nslookup tool for Windows with a GUI interface

It is a normal Windows Nslookup tool: the command-line Windows Nslookup tool converted into a
user-friendly GUI tool. It is used to check DNS entries and has many customised features.

Features of the DNS Lookup Tool

You can check the different record types (A, MX, NS, SOA, PTR and SRV)

You can enable Debugging mode for better DNS troubleshooting

You can change the DNS query type (recursive, or iterative (non-recursive))

You can also specify the server you want to query the DNS entry from (by default it is the primary
DNS server from the network card configuration)

Easy to use and user friendly; no installation is required, you can run the tool directly.

DNS Lookup Tool

Nslookup tool query the A record


Nslookup tool query the MX record
Output of Nslookup tool query with Debugging mode Enabled

Download Nslookup Tool

For more info on NSLOOKUP and DNS troubleshooting

String to GUID Converter
By mail2spi2014 | May 30, 2011

Using the online String to GUID Converter tool, you can convert a string-formatted GUID to
hexadecimal string format and vice versa (hexadecimal-formatted GUID to string format).

If you extract an Active Directory object's GUID from a Domain Controller using ADSIEDIT, you get
the hexadecimal-formatted GUID, and you have to convert this hex-format GUID to the normal usable
string format because most Windows commands and scripts require a string-format GUID.
No need to download and install: it is an online tool and can be used directly on our website, just
click here: Online String to GUID converter Tool
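The same conversion done offline, as an added example that is not the page's online tool. The important detail is that the first three GUID fields are stored little-endian in the directory, so a plain reversal of the hex dump gives the wrong GUID; the sample GUID is constructed.

```python
"""Convert an Active Directory objectGUID between the raw hexadecimal form shown by
ADSIEDIT and the usual string form, and back.  Added example; the GUID is constructed."""
import uuid


def hex_to_guid(hex_guid: str) -> str:
    """Turn the 16-byte hex dump of an objectGUID into the string form.

    ADSIEDIT shows the raw attribute bytes (e.g. "67 45 23 01 AB 89 ...").  The first
    three fields of a GUID are stored little-endian, so uuid.UUID(bytes_le=...) is
    used to apply the correct byte order instead of reading the bytes left to right.
    """
    cleaned = "".join(ch for ch in hex_guid if ch in "0123456789abcdefABCDEF")
    raw = bytes.fromhex(cleaned)
    if len(raw) != 16:
        raise ValueError(f"expected 16 bytes, got {len(raw)}")
    return str(uuid.UUID(bytes_le=raw))


def guid_to_hex(guid: str, sep: str = " ") -> str:
    """Reverse direction: string GUID -> hex bytes exactly as stored in the directory."""
    return sep.join(f"{b:02X}" for b in uuid.UUID(guid).bytes_le)


def guid_to_ldap_filter(guid: str) -> str:
    """Build an LDAP filter on objectGUID; the raw bytes are escaped as \\XX."""
    escaped = "".join(f"\\{b:02x}" for b in uuid.UUID(guid).bytes_le)
    return f"(objectGUID={escaped})"
```

`guid_to_ldap_filter` shows why the conversion matters in practice: an LDAP search by objectGUID needs the stored byte order, not the printed string.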

Online Subnet Calculator
By mail2spi2014 | May 5, 2011

It is a simple online IP Subnet Calculator. Using this Subnet Calc you can calculate the Mask Bits,
Start IP, End IP, Address Range, Subnet ID and Broadcast Address.

It can also be used to find the Subnet Mask for a given number of Mask Bits, or the Mask Bits for a
given Subnet Mask.

No need to download and install: it is an online tool and can be used directly on our website, just
Click Here.


Online Windows Timestamp Converter
By mail2spi2014 | May 5, 2011

Online tool to convert a Windows timestamp to readable format

If you extract the lastLogon and lastLogonTimestamp attribute values with the CSVDE tool or
ADSIEDIT, the attribute value is not in a readable format and you cannot understand it; you can use
this online tool to convert the timestamp to a readable format.
No need to download and install: it is an online tool and can be used directly on our website, just
click here.
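The conversion the online tool performs, as an added example that is not the page's tool: lastLogon and lastLogonTimestamp are Windows FILETIME values (100-nanosecond ticks since 1601-01-01 UTC), with 0 and 0x7FFFFFFFFFFFFFFF meaning "never". The stale-account check and the 90-day threshold are assumptions for illustration.

```python
"""Convert lastLogon / lastLogonTimestamp values exported by CSVDE or shown in ADSIEDIT
into a readable UTC date, and back.  Added example; sample values are constructed."""
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch and resolution: 100-nanosecond ticks since 1601-01-01 UTC.
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_TICKS_PER_SECOND = 10_000_000
NEVER = 0x7FFFFFFFFFFFFFFF  # sentinel used for "never" (e.g. accountExpires)


def filetime_to_datetime(value):
    """Return an aware UTC datetime, or None when the attribute means 'never set'.

    lastLogon/lastLogonTimestamp are 0 when the account has never logged on;
    accountExpires uses 0 or 0x7FFFFFFFFFFFFFFF for 'never'.  CSVDE exports the
    number as a decimal string, so the value is int()'d first.
    """
    ticks = int(value)
    if ticks in (0, NEVER):
        return None
    seconds, rem = divmod(ticks, _TICKS_PER_SECOND)
    # datetime only resolves microseconds, so the 100 ns remainder is truncated.
    return _EPOCH + timedelta(seconds=seconds, microseconds=rem // 10)


def datetime_to_filetime(dt):
    """Reverse direction, e.g. to build an LDAP filter such as (lastLogonTimestamp<=N)."""
    delta = dt.astimezone(timezone.utc) - _EPOCH
    return (delta.days * 86400 + delta.seconds) * _TICKS_PER_SECOND + delta.microseconds * 10


def is_stale(value, days, now=None):
    """True when the timestamp is older than `days` or was never set (assumed rule).

    lastLogonTimestamp is only replicated when it is more than ~9-14 days old, so it
    is suited to 'inactive for more than N days' reports, not exact last-logon times;
    lastLogon is exact but not replicated, so it must be read from every DC.
    """
    last = filetime_to_datetime(value)
    if last is None:
        return True
    now = now or datetime.now(timezone.utc)
    return now - last > timedelta(days=days)
```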

Our Previous Article Related to lastlogon

In Excel itself you can Convert lastlogon and lastlogontimestamp

How to extract lastlogontime in CSVDE

DNS Management Tool
By mail2spi2014 | April 13, 2011

Using the DNS Management tool you can check, create and delete DNS entries in a Windows DNS server.
It seems simple, but in a large environment it is not: if you have multiple zones and every zone has
a huge number of DNS entries, it is very difficult to check, create and delete a DNS entry.

When you open the DNS console all the zones on that server are loaded; you then have to select the
zone, and all the entries in that zone are loaded, which is a time-consuming process, and then you
have to filter to find the entry to delete.

While creating a DNS entry you have to type the IP address manually (you cannot copy and paste),
which may lead to a typo so that you create the DNS entry with the wrong IP address. By using this
tool you can avoid this and increase your productivity.
And this can be done in a second; you can also check whether the DNS entries exist before deleting
or creating them.

If you have multiple requests and have to handle them one by one, this tool perfectly matches your
requirement.

Follow the procedure below to manage a DNS record in a Windows DNS server

1. Enter the record name
2. The record name should be an FQDN (fully qualified domain name), like Server001.eur.windowstricks.in
3. Enter the IP address
4. If required you can copy and paste the host name and IP address
5. If you want to create a DNS record, click the Create button
6. This creates the DNS entry in the corresponding zone on the DNS server
7. You will get the result; if there is any issue creating the record, you will get an error message
8. If you want to check a DNS record, click the Check button
9. You can also delete a DNS entry by clicking the Delete button

Check the Existing DNS Record:

Deleting the Existing DNS Record:


Checking the DNS Record:

Creating the DNS Record:


Requirement

This tool must be run from the DNS server where you want to manage the DNS entries,

and you need the DNSCMD tool installed and DNS admin rights.

Download

For bulk DNS record creation and deletion

DNS Record Creation Tool
By mail2spi2014 | February 3, 2011

Free tool to create DNS entries

Using this tool you can create a DNS entry without opening the DNS management console: just open the
DNS Record Creation Tool, copy and paste the DNS record name and IP address and click the Create
button; this creates both the forward and reverse entries.

Creating a DNS entry seems simple, so why do we need a tool for it? To create a single DNS entry you
have to open the DNS management console, go to Forward Lookup Zones, select the zone in which you
want to create the DNS record, then right-click the zone and select New Host. When you open the DNS
console all the zones on that server are loaded, then you have to select the zone and all the entries
in that zone are loaded, which is a time-consuming process. While creating the DNS entry you have to
type the IP address manually (you cannot copy and paste), which may lead to a typo so that you create
the DNS entry with the wrong IP address. By using this tool you can avoid this and increase your
productivity.

Download

Requirement

This tool must be run from the DNS server where you want to manage the DNS entries,
and you need DNS admin rights.
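What a tool like the DNS Management Tool and the DNS Record Creation Tool above does under the hood, as an added example that is not the author's code: take an FQDN and an IP, pick the hosted forward zone by longest suffix, derive the reverse zone and PTR label, validate everything before anything runs (the typo protection described above), and emit the dnscmd /EnumRecords, /RecordAdd and /RecordDelete commands for both the A and the PTR record. The zone list is a constructed sample; like the tools, it assumes it runs on the DNS server with DNS admin rights.

```python
"""Build and run the dnscmd commands behind a 'DNS record tool'.  Added example,
not the article's tool; ZONES is a constructed sample of zones hosted on the server."""
import ipaddress
import subprocess

ZONES = [
    "windowstricks.in",
    "eur.windowstricks.in",
    "1.168.192.in-addr.arpa",
]


def split_fqdn(fqdn, zones=ZONES):
    """Return (host_label, zone) using the longest hosted zone that is a suffix of fqdn."""
    fqdn = fqdn.rstrip(".").lower()
    match = None
    for zone in zones:
        z = zone.lower()
        if fqdn.endswith("." + z) and (match is None or len(z) > len(match)):
            match = z
    if match is None:
        raise ValueError(f"no hosted zone for {fqdn}")
    return fqdn[: -len(match) - 1], match


def reverse_name(ip, zones=ZONES):
    """Return (ptr_label, reverse_zone) for an IPv4 address, e.g. ('10', '1.168.192.in-addr.arpa')."""
    addr = ipaddress.IPv4Address(ip)            # rejects typos such as 192.168.1.300
    rev = addr.reverse_pointer                  # '10.1.168.192.in-addr.arpa'
    for zone in sorted(zones, key=len, reverse=True):
        if rev.endswith("." + zone.lower()):
            return rev[: -len(zone) - 1], zone
    raise ValueError(f"no reverse zone hosted for {ip}")


def validate(fqdn, ip, zones=ZONES):
    """Pre-flight checks done before any dnscmd is run; returns a list of problems."""
    problems = []
    try:
        split_fqdn(fqdn, zones)
    except ValueError as exc:
        problems.append(str(exc))
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        problems.append(f"invalid IPv4 address: {ip}")
        return problems
    try:
        reverse_name(ip, zones)
    except ValueError as exc:
        problems.append(str(exc))
    return problems


def dns_commands(action, fqdn, ip, zones=ZONES, server="."):
    """action is 'check', 'create' or 'delete'; returns the dnscmd argument vectors.

    "." tells dnscmd to talk to the local server, which is why the tool must run on
    the DNS server itself.  /f on delete suppresses the confirmation prompt.
    """
    host, zone = split_fqdn(fqdn, zones)
    ptr_label, rzone = reverse_name(ip, zones)
    fqdn_dot = fqdn.rstrip(".").lower() + "."   # PTR data is an absolute name
    if action == "check":
        return [["dnscmd", server, "/EnumRecords", zone, host, "/Type", "A"],
                ["dnscmd", server, "/EnumRecords", rzone, ptr_label, "/Type", "PTR"]]
    if action == "create":
        return [["dnscmd", server, "/RecordAdd", zone, host, "A", str(ip)],
                ["dnscmd", server, "/RecordAdd", rzone, ptr_label, "PTR", fqdn_dot]]
    if action == "delete":
        return [["dnscmd", server, "/RecordDelete", zone, host, "A", str(ip), "/f"],
                ["dnscmd", server, "/RecordDelete", rzone, ptr_label, "PTR", fqdn_dot, "/f"]]
    raise ValueError(f"unknown action {action!r}")


def run(action, fqdn, ip):
    """Validate, then execute; only meaningful on the DNS server with DNS admin rights."""
    problems = validate(fqdn, ip)
    if problems:
        return [(None, 1, "; ".join(problems))]
    results = []
    for cmd in dns_commands(action, fqdn, ip):
        proc = subprocess.run(cmd, capture_output=True, text=True)
        results.append((" ".join(cmd), proc.returncode, proc.stdout.strip()))
    return results
```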


Search AD Object using the Attribute value
By mail2spi2014 | December 30, 2010

An Active Directory tool to search Active Directory by attribute value: you can use this tool to find
the attribute value for a given object and attribute.
This tool is very useful for finding a particular attribute value for any object in Active Directory.
Its input is any known attribute and that attribute's value (in the above example I have used the CN
attribute and its corresponding value), and as output you get any required attribute.

The beauty of this product is that you can use wildcards, for example to list all the users whose
name starts with DE (CN=DE* is the input).

You can also use this tool to search the Configuration partition: search for a site, site link or
subnet. In the above example we are getting the site name of the server using the server name.

You can use this simple tool for your own requirements; it does a customized search on Active
Directory. I have used this tool to search the site link for a site, search the connection object for
a server, and search the site for a server.

In the Domain partition, sometimes you know the attribute name and the value and want to list all
objects that have the same value for that attribute; in that scenario you can use this Search AD
Object using the Attribute value tool.

You can also use this tool to find duplicate entries in Active Directory, where many objects have the
same value for an attribute that should be unique. In this way you can use the tool for your own
requirements.

Download

Get IP Info
By mail2spi2014 | December 7, 2010

An Active Directory tool to find the site name, subnet and other information for given IP addresses

If you are troubleshooting system issues such as logon issues and DFS issues, you have to check the
system's IP address, which site and which subnet the IP address belongs to, whether that site has a
Domain Controller, and whether the subnet has a DNS reverse zone and a DNS reverse entry.
In a large Active Directory environment it is very difficult to check this manually. If the subnet
associated with the IP is not configured, the client will have logon problems; if the DNS reverse
zone is missing, dynamic registration will have an issue. So it is better to check all of this before
troubleshooting the issue, and this tool is also very useful for understanding the issue.

This tool provides the Site Name, Subnet, Number of Addresses, DCs in the Site, DNS Reverse Zone
Name, DNS Reverse Zone, and what the PTR record points to.


Free tool to Find subnet conflict in Active directory
By mail2spi2014 | November 4, 2009

Free tool to find subnet conflicts in Active Directory

If you have ever thought that you need a tool to find a subnet in Active Directory and also find
subnet conflicts, here is the tool, and it is free!

Before adding a subnet to AD it needs to be checked for subnet conflicts, to keep the environment
clean and also reduce login errors (caused by subnet conflicts).
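The logic behind three of the tools above (the Online Subnet Calculator, Get IP Info's IP-to-site lookup, and the subnet-conflict check), as one added example that is not the author's code. It goes slightly beyond the posts: the IP-to-site lookup applies the longest-prefix rule the DC locator uses, so nested subnets resolve to the most specific site. The site/subnet table is constructed sample data.

```python
"""Subnet calculator, IP-to-site lookup and pre-add conflict check for AD site subnets.
Added example; AD_SUBNETS is a constructed sample of what AD Sites and Services holds."""
import ipaddress

AD_SUBNETS = {
    "10.0.0.0/8": "Default-First-Site-Name",
    "10.10.0.0/16": "London",
    "10.10.5.0/24": "London-DC-Floor",
    "192.168.1.0/24": "Chennai",
}


def subnet_info(cidr):
    """The subnet-calculator output: mask bits, mask, subnet ID, start/end IP, broadcast."""
    net = ipaddress.ip_network(cidr, strict=False)
    # /31 and /32 have no separate network/broadcast addresses to exclude.
    first = net.network_address + 1 if net.num_addresses > 2 else net.network_address
    last = net.broadcast_address - 1 if net.num_addresses > 2 else net.broadcast_address
    return {
        "mask_bits": net.prefixlen,
        "subnet_mask": str(net.netmask),
        "subnet_id": str(net.network_address),
        "start_ip": str(first),
        "end_ip": str(last),
        "broadcast": str(net.broadcast_address),
        "num_addresses": net.num_addresses,
    }


def mask_to_bits(mask):
    """Dotted subnet mask -> mask bits (ip_network accepts netmask notation)."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen


def bits_to_mask(bits):
    """Mask bits -> dotted subnet mask."""
    return str(ipaddress.ip_network(f"0.0.0.0/{bits}").netmask)


def site_for_ip(ip, subnets=AD_SUBNETS):
    """Mimic the DC locator: the most specific (longest-prefix) AD subnet decides the site.

    Returns (subnet, site), or (None, None) when no subnet covers the address, which
    is the 'subnet not configured' case that causes the logon problems described above.
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return (str(best[0]), best[1]) if best else (None, None)


def subnet_conflicts(new_cidr, subnets=AD_SUBNETS):
    """Check a subnet before adding it to AD; returns (kind, existing_subnet, site) tuples.

    'duplicate': the exact prefix already exists (a subnet object of that name cannot
    be created twice).  'overlap': an existing subnet contains or is contained in the
    new one; AD allows nesting, but an overlap with a different site should be reviewed.
    """
    new = ipaddress.ip_network(new_cidr, strict=False)
    findings = []
    for cidr, site in subnets.items():
        existing = ipaddress.ip_network(cidr)
        if existing == new:
            findings.append(("duplicate", cidr, site))
        elif existing.overlaps(new):
            findings.append(("overlap", cidr, site))
    return findings
```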


Active Directory real time issues and solutions
As a Windows AD Administrator I have many Active Directory real-time issues and solutions. We have
seen interview questions like: tell me about two real-time issues you have faced in your current
Active Directory environment; share one or two challenging issues you have worked on and resolved;
tell me about the most challenging issues you were recently involved in.

Many of my blog readers have asked me to share a couple of real-time scenarios from my past
experience to help them prepare for a Windows and Active Directory interview. Here is a list of
articles from my previous posts; read and understand them to face the interview confidently.

Active Directory real time issues and solutions

DNS Entry of Domain Controller is Resolving to Incorrect value

Replsummary showing unknown for largest delta on AD replication checks

Domain Controller failed test Machineaccount on DCDIAG

AD Slow Authentication and prompting for credentials again and again

How secure channel determine the Domain controller in cross-forest

Active directory Troubleshooting

Active Directory Replication failed with Target principal name is incorrect

Replication failed with The destination server is currently rejecting replication requests Error

Troubleshoot Active Directory Server Replication

Group Policy (GPO) real time issues and solutions

Issue managing IE configuration through GPO

Why we cant edit/view windows 2008, Vista and windows 7 GPO settings from windows 2003

Gpresult failed with ERROR Access Denied


Home page URL not working for IE7

GPO update failed in Slow Link VPN site with Event ID 1000 and 1054

Group Policy Processing over Slow Links

Group Policy slow link detection on windows server 2008

Other real time issues and solutions, Printer, User Profile and Account lockout

Account lockout

How to resolve the Print Spooler service crash issue (Print spooler service is not running)

How to find the domain controller that contains the lingering object

Reconfigure roaming profile folder and home folder permission for all the users

Roaming profile issues

Windows DNS Scavenging Interview Questions and Answers

What is DNS Scavenging?

DNS Scavenging is the cleanup and removal of stale DNS records, a housekeeping activity to delete
unwanted or unused DNS entries from a DNS server/zone. It only cleans up dynamic DNS records, not
records created manually.

What is Dynamic DNS record?

A record created dynamically by a client/server in a DNS zone; such records are automatically added
to zones when computers start on the network.

Also Read: Windows Server Administrator Interview Questions and Answers

How to force the DNS Dynamic Update?


The simple way is to restart the system, which triggers the DNS dynamic update. We can also use the
command below to force a DNS dynamic update:

ipconfig /registerdns

You can also restart the Netlogon service from services.msc.

If DNS Dynamic updates not working what are the checks needs to do?

Check the primary DNS configuration on the system: the primary DNS server should be reachable from
the client in order to register the DNS record.

"Register this connection's addresses in DNS" should be selected in the network card properties (the
advanced options where you configure the IP address).

Also check the DHCP configuration if it is managed through DHCP.

Also Read: Active Directory (AD) Real Time Interview Questions and Answers

What are Prerequisites to do the DNS scavenging?

Scavenging must be enabled on the DNS server and on the zone you want to scavenge.

DNS records must be dynamically added to zones, or you can manually modify the timestamp
configuration.

What is Scavenging Period?


The default value for the scavenging period is seven days (the minimum allowed value is one hour).

The scavenging time on a DNS zone is used by the server to determine when a zone becomes available
for scavenging.

So 7 + 7, every 14 days.

Also Read: Windows Group Policy Interview Questions and Answers

When the Record refreshes happen? (Dynamic updates of record)

The timestamp of every DNS record is updated when the computer restarts.
A periodic refresh is sent by the computer every 24 hours.

Network services also make refresh attempts: DHCP servers, which renew client addresses; cluster
servers, which register and update records for a cluster; and the Net Logon service, which can
register and update resource records used by AD domain controllers.

This ensures the record is not treated as a stale DNS record.
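A small model of the aging rules the questions above describe, as an added example that is not part of the original article: a dynamic record carries a timestamp, a refresh inside the no-refresh interval is ignored, a refresh inside the refresh interval resets the timestamp, and a scavenging server removes the record at its first pass after no-refresh + refresh has elapsed. Times are whole days from an arbitrary day 0 with the 7/7/7-day defaults quoted above; the record names are constructed.

```python
"""Model of DNS aging/scavenging timing.  Added example, not from the article;
intervals default to the 7-day no-refresh, refresh and scavenging period quoted above."""
from dataclasses import dataclass, field


@dataclass
class AgingConfig:
    no_refresh_days: float = 7.0         # refreshes in this window do not touch the timestamp
    refresh_days: float = 7.0            # refreshes allowed; record is stale once this also passes
    scavenging_period_days: float = 7.0  # how often the scavenging server runs


@dataclass
class DynamicRecord:
    name: str
    timestamp: float                     # day the record was created or last refreshed
    static: bool = False                 # manually created records carry no timestamp
    refreshed_at: list = field(default_factory=list)

    def refresh(self, day, cfg):
        """A client refresh (restart, ipconfig /registerdns, the 24h periodic update,
        DHCP/cluster/Netlogon).  Returns True if the timestamp was actually updated."""
        if self.static or day < self.timestamp + cfg.no_refresh_days:
            return False                 # static record, or inside the no-refresh interval
        self.timestamp = day
        self.refreshed_at.append(day)
        return True

    def stale_after(self, cfg):
        """First day on which the record is eligible for scavenging (if never refreshed)."""
        return self.timestamp + cfg.no_refresh_days + cfg.refresh_days

    def is_stale(self, day, cfg):
        return (not self.static) and day >= self.stale_after(cfg)


def scavenge_day(record, cfg, first_run_day=0.0):
    """Day on which a scavenging server running every scavenging_period_days (first run at
    first_run_day) would delete the record, or None for a static record.  The worst case
    is no_refresh + refresh + one full scavenging period after the last refresh."""
    if record.static:
        return None
    stale = record.stale_after(cfg)
    run = first_run_day
    while run < stale:
        run += cfg.scavenging_period_days
    return run


def simulate(record, cfg, refresh_days, until_day, first_run_day=0.0):
    """Apply refreshes in order and return the day the record is scavenged, or None if it
    survives until until_day.  Shows why a machine that only refreshes every few days is safe
    while one that is switched off for more than no_refresh + refresh + period is removed."""
    for day in sorted(refresh_days):
        record.refresh(day, cfg)
    sday = scavenge_day(record, cfg, first_run_day)
    return sday if sday is not None and sday <= until_day else None
```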

Also Read: Active Directory real time issues and solutions

What are scavenging servers?

Is DNS scavenging configured on all Domain Controllers?

Not all DNS servers are scavenging servers; you can configure/promote a DNS server to be a
scavenging server.

There is a zone parameter in the advanced settings that enables you to specify a restricted list of
IP addresses of DNS servers that are enabled to perform scavenging.

Also Read: Sysvol Interview Questions and Answers

AD Slow Authentication and prompting for credentials again and again
By mail2spi2014 | December 20, 2013

AD Slow Authentication and prompting for credentials again and again (Active Directory
Troubleshooting Part 2)

This is a most common issue in a complicated Active Directory environment. Before I discuss the
authentication issues, I would like to cover some Active Directory basics: pass-through
authentication, the AD secure channel, NTLM and Kerberos.

Also See: Active Directory real time issues and solutions

Pass through authentication


If you have worked in a multi-domain/forest environment, or one designed with a user forest and a
resource forest: an Exchange Server resource forest topology has two forests. One forest contains
all the user accounts for your organization; this forest is called the user forest (accounts forest).
The other forest does not contain any user accounts; it only contains the Exchange Server and
disabled user accounts. In simple terms, you have one Active Directory forest where your user
accounts live and another Active Directory forest where your applications live (Exchange server,
file server).

In the above scenario the Domain Controller receiving the request from the Exchange/file server to
verify the user's access must pass the request to a Domain Controller in the user forest, so we need
a trust between the domain of the server (called the resource domain/forest) and the domain of the
user account (called the account domain/forest).

A user from Domain A tries to access an application on a server in Domain B. The application server
in Domain B does not have the user details, so it checks with a local Domain Controller in Domain B
through its workstation secure channel; the Domain Controller in Domain B checks with a Domain
Controller in Domain A through the trusted domain secure channel, and Domain A returns the
authentication result to Domain B. This is called pass-through authentication, since the user's
authentication request is passed to the user's domain.

Secure Channel

I have mentioned the secure channel; what is a secure channel? It is a communication channel that
provides a more secure communication path between the domain controller and the workstations or
member servers. It is also used to retrieve domain-specific information, and to handle NTLM
authentication pass-through to the domain controller, or from DC to DC for the same purpose.

Two forests or domains are connected through a forest trust / domain trust. The trust is established
with a shared secret (called a trust password) that the domain controllers in the two domains use to
compute the session key that protects the secure channel traffic. Using this secure channel, the DC
in the resource domain can pass logon requests securely to the DC in the account domain, in the
same way that the server passed the logon request to the former DC. The secure channel between
DCs in two domains connected via a trust relationship is called a trusted domain secure channel. In
contrast, the secure channel between the member server and the DC in the resource domain is called
a workstation secure channel.

When a computer is added to the domain, a computer account is created in Active Directory and a
password is generated for it. The computer account password is changed every 30 days and is stored
on the computer and on the domain controller. When the computer powers on, the Netlogon service on
the computer authenticates the computer account password against the password on the Domain
Controller and establishes a secure channel with that DC; in the same way a server creates a secure
channel with the DC that authenticates it.

On a Domain Controller, the Netlogon service sets up secure channels with all the trusted domains
(one Domain Controller in each trusted domain); you can check this using the nltest command.

To check the current secure channel with a particular domain:

nltest /sc_query:<DomainName>

To reset the secure channel to a different Domain Controller (the Domain Controller is selected
randomly):

nltest /sc_reset:<DomainName>

To reset the secure channel to a particular Domain Controller:

nltest /sc_reset:<DomainName>\<DomainControllerName>

Replace the domain and Domain Controller name as per your requirement.

To run against a remote server you can add:

/server:<ServerName>

NTLM and Kerberos

NTLM and Kerberos are the protocols used for authentication. We all know NTLM is outdated and
Kerberos is the newer authentication protocol. Kerberos can impersonate a user when trusted, so there
is no need to contact the Domain Controller every time to authenticate access to a resource. If the
client is logged on to a domain, the browser never prompts the user for credentials; it simply uses
the user's default logon credentials.

Are we not using NTLM any more? No: there are still some areas where we have to use NTLM for the
sake of compatibility, such as RPC over HTTP to connect to an Exchange mailbox and ISA web proxy
servers. Let us go deeper into how it works.

The client opens a URL in the browser

The client browser sends a request to the proxy server with integrated authentication credentials
The proxy server needs to verify the user credentials, so it sends the authentication request to the
domain controller it has a secure channel with
That domain controller responds to the proxy server
The proxy server answers the client with the requested Internet page

This seems simple; however, for each web connection from a client the proxy server needs to verify
the user credentials by sending an authentication request to the DC, which produces a high volume of
NTLM authentication.

Think of the same scenario in a multi-domain/forest environment, with the user in one forest and the
proxy server in another: this increases the NTLM pass-through authentication traffic.

NTLM authentication is handled by the Netlogon service, which passes NTLM authentication requests
to a domain controller that can handle them and receives them on that domain controller to be
handled. You can enable debug logging for the Net Logon service to see what happens on the proxy
server / domain controller, for example which user is being authenticated by which domain controller.

There are a number of threads that handle authentication requests, i.e. the number of concurrent
NTLM authentications processed by the server; the default is typically 1, meaning there is one thread
to hand off, receive and process these requests. We can reconfigure this through MaxConcurrentApi.

A MaxConcurrentApi thread can only deal with one authentication at a time; in a normal scenario it is
very quick. But a high volume of authentication transactions must be handled by one or two threads
(by default), and this becomes a bottleneck, which results in delays, and the authentication request
has to wait longer than a remote client can tolerate.

Due to this delay, the client browser shows a credential prompt rather than the web page the user
wants to open, so this might be the cause of slow authentication and repeated prompts for credentials.

We can resolve this by increasing the MaxConcurrentApi value on the proxy server; if it is a
multi-domain/forest environment, then we need to increase the MaxConcurrentApi value on the resource
forest Domain Controllers. It depends on the configuration.

First we have to understand the current issue

Enable the Netlogon logs on the proxy server and on the Domain Controller authenticating the proxy
server, i.e. the proxy server's secure channel Domain Controller
Analyse the log for authentication failures and delays
We can monitor the current secure channel traffic through perfmon by adding the counters
Semaphore Waiters, Semaphore Holders, Semaphore Acquires, Semaphore Timeouts and Average
Semaphore Hold Time
Log on to the Domain Controller authenticating the proxy server
Open perfmon, add counters and select Netlogon as the performance object
Select Average Semaphore Hold Time
If you do not find the counters, you need to install the http://support.microsoft.com/kb/928576
hotfix, which adds new performance counters for Windows Server 2003

Average Semaphore Hold Time should normally be very small. If it is greater than normal, the longer
hold time means that a potential bottleneck is occurring: it delays the authentication process, the
authentication request has to wait longer than a remote client can tolerate, authentication slows
down and the user is prompted for credentials to re-initiate the authentication process.

To calculate MaxConcurrentApi for your environment, see

http://support.microsoft.com/kb/2688798

Depending on the outcome, you should either add more servers to service the legacy authentication
load or increase the MaxConcurrentApi registry value.

Warning rules:

Average Semaphore Hold Time > 0.2 should be a yellow warning.

Average Semaphore Hold Time > 0 should be a red warning.

Semaphore waiters > 1 should be a yellow warning.

Semaphore waiters > 4 should be a red warning.

Any Semaphore Timeouts is a red warning.

Conclusion:

Slow authentication might be due to many issues, such as client-to-DC connectivity, the network,
subnet and site configuration, DNS SRV configuration, profile, logon script and GPO, so you have to
analyse properly to find the root cause. This is one of the scenarios I have faced many times in a
complex environment; I hope this helps you understand Active Directory authentication and the
troubleshooting procedures. See you soon in another article.

Active directory Troubleshooting (Part1 Diagnostics Logging)

Troubleshoot Active Directory Server Replication


How the secure channel determines the Domain Controller in a cross-forest environment
By ganesamoorthy s | April 2, 2015


How does a client computer/member server find the logon Domain Controller from a cross forest in an Active
Directory environment, or how does the secure channel determine the Domain Controller in a cross forest?

If you have worked on troubleshooting authentication issues between forests, you have probably used the
NLTEST tool to check the secure channel Domain Controller, but did you ever try to find out how the
domain controller in one forest selects the domain controller in the other forest?

For a local member server, the secure channel to a Domain Controller is determined by the site link and
the respective DNS SRV records; in the same way, the Domain Controller to trusted domain secure channel
is determined by the site link and the respective DNS SRV records, provided you have enabled site synchronization

Site synchronization

To locate the closest Domain Controller in the trusted domain, the domain must have knowledge of
the trusted domain's sites and site links, so you have to define the subnets of the DCs in the trusted domain's site

In other words, you add the same subnets in both forests with the corresponding site, so that user
authentication is matched to the closest Domain Controller

To check how the logon server from the trusted forest is determined by the client, check the currently
authenticated Domain Controller from the client, and then check the current secure channel (authenticated)
Domain Controller from that authenticated DC

The command below is used to find the currently authenticated DC for a domain

Nltest /dsgetdc:<DomainName>

The command below is used to find the current secure channel Domain Controller for
a domain

Nltest /SC_QUERY:<DomainName>

The command below is used to reset the secure channel so that a different Domain
Controller from the corresponding domain/forest is selected
Nltest /SC_RESET:<DomainName>

This will select the Domain Controller according to the site design

If you want to reset the secure channel to a specific Domain Controller
in the corresponding domain/forest

Nltest /SC_RESET:<DomainName>\<DcName>
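The nltest checks above wrapped in a script, added here as an example and not part of the original article: run on a Domain Controller, it reports the secure channel DC for each trusted domain next to the DC the locator picks and its site, so a trust whose DC is not in our site (site synchronization missing) stands out; the Get-ADTrust call in the usage line assumes the ActiveDirectory module.

```powershell
# Added example, not from the original article. From a Domain Controller, run the
# nltest checks described above for each trusted domain and report the secure-channel
# DC together with the locator's site information. Domain and DC names are placeholders.
function Get-TrustSecureChannelDc {
    param(
        [Parameter(Mandatory)][string[]]$Domain,
        [string]$ResetTo   # optional: reset the secure channel to this DC first
    )
    foreach ($d in $Domain) {
        if ($ResetTo) {
            # nltest /sc_reset:<DomainName>\<DcName> moves the channel to a specific DC
            $null = nltest "/sc_reset:$d\$ResetTo" 2>&1
        }
        # Current secure channel DC for the trust (nltest /sc_query, as in the article)
        $sc = (nltest "/sc_query:$d" 2>&1) -join "`n"
        # DC the locator would choose for that domain, including site information
        $loc = (nltest "/dsgetdc:$d" 2>&1) -join "`n"

        $scDc    = if ($sc  -match 'Trusted DC Name\s+\\\\(\S+)')  { $Matches[1] } else { $null }
        $locDc   = if ($loc -match '(?m)^\s*DC:\s+\\\\(\S+)')       { $Matches[1] } else { $null }
        $dcSite  = if ($loc -match 'Dc Site Name:\s*(\S+)')         { $Matches[1] } else { $null }
        $ourSite = if ($loc -match 'Our Site Name:\s*(\S+)')        { $Matches[1] } else { $null }

        [pscustomobject]@{
            Domain          = $d
            SecureChannelDc = $scDc
            ChannelOk       = ($sc -match 'NERR_Success')
            LocatorDc       = $locDc
            DcSite          = $dcSite
            OurSite         = $ourSite
            # CLOSE_SITE in the locator flags means the DC is in the closest site;
            # without matching subnets in both forests this is typically $false
            CloseSite       = ($loc -match 'CLOSE_SITE')
        }
    }
}

# Usage: check every trust known to this DC (ActiveDirectory module required)
$trusts = (Get-ADTrust -Filter *).Name
Get-TrustSecureChannelDc -Domain $trusts | Format-Table -AutoSize
```

A row where DcSite differs from OurSite, or CloseSite is $false, is the case the article's site synchronization section addresses: add the trusted domain's DC subnets to the matching site in this forest rather than repeatedly resetting the channel.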

It seems simple, and this is how the secure channel determines the Domain Controller in a cross forest
