0% found this document useful (0 votes)

738 views

Active Directory Replication

This document provides an overview of Active Directory (AD) and answers common interview questions about AD. It begins by defining AD as a Microsoft directory service used to centrally manage network resources like users, computers, printers and share information across multiple domain controllers. The document then answers questions about key AD concepts like domains, domain controllers, forests, partitions and the five FSMO roles. It also discusses AD replication, backups and restoring AD.

Uploaded by

Kundan Kadam

Available Formats

Download as DOCX, PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

738 views

Active Directory Replication

Uploaded by

Kundan Kadam

Available Formats

Download as DOCX, PDF, TXT or read online on Scribd

You are on page 1/ 139

Active Directory (AD) Real Time Interview

Questions and Answers

I would like to share some of the Windows Active Directory Interview Questions and answers,
will start with basic questions and continue with L1, L2, L3 level questions

Also Read: Windows Server Administrator Interview Questions and Answers

What is Active Directory?

Active Directory (AD) is a directory service developed by Microsoft and used to store objects like
User, Computer, printer, Network information, It facilitate to manage your network effectively with
multiple Domain Controllers in different location with AD database, able to manage/change AD from
any Domain Controllers and this will be replicated to all other DCs, centralized Administration with
multiple geographical location and authenticates users and computers in a Windows domain

What is LDAP and how the LDAP been used on Active Directory(AD)?

http://www.windowstricks.in/ldap-and-ldap-query

What is Tree?

Tree is a hierarchical arrangement of windows Domain that share a contiguous name space

What is Domain?

Active Directory Domain Services is Microsofts Directory Server. It provides authentication and
authorization mechanisms as well as a framework within which other related services can be
deployed

What is Active Directory Domain Controller (DC)?

Domain Controller is the server which holds the AD database, All AD changes get replicated to other
DC and vise vase

What is Forest?
Forest consists of multiple Domains trees. The Domain trees in a forest do not form a contiguous
name space however share a common schema and global catalog (GC)

What is Schema?

Active directory schema is the set of definitions that define the kinds of object and the type of
information about those objects that can be stored in Active Directory

Active directory schema is Collection of object class and there attributes

Object Class = User

Attributes = first name, last name, email, and others

Can we restore a schema partition?

http://www.windowstricks.in/2014/01/can-i-restore-schema-partition.html

Tel me about the FSMO roles?

Schema Master

Domain Naming Master

Infrastructure Master

RID Master

PDC

Schema Master and Domain Naming Master are forest wide role and only available one on each
Forest, Other roles are Domain wide and one for each Domain

AD replication is multi master replication and change can be done in any Domain Controller and will
get replicated to others Domain Controllers, except above file roles, this will be flexible single master
operations (FSMO), these changes only be done on dedicated Domain Controller so its
single master replication

How to check which server holds which role?

Netdom query FSMO

Which FSMO role is the most important? And why?

Interesting question which role is most important out of 5 FSMO roles or if one role fails that will
impact the end-user immediately

Most armature administrators pick the Schema master role, not sure why maybe they though
Schema is very critical to run the Active Directory

Correct answer is PDC, now the next question why? Will explain role by role what happens when a
FSMO role holder fails to find the answer

Schema Master Schema Master needed to update the Schema, we dont update the schema daily
right, when will update the Schema? While the time of operating system migration, installing new
Exchange version and any other application which requires extending the schema

So if are Schema Master Server is not available, we cant able to update the schema and no way this
will going to affect the Active Directory operation and the end-user

Schema Master needs to be online and ready to make a schema change, we can plan and have
more time to bring back the Schema Master Server

Domain Naming Master Domain Naming Master required to creating a new Domain and creating
an application partition, Like Schema Master we dont cerate Domain and application partition
frequently

So if are Domain Naming Master Server is not available, we cant able to create a new Domain and
application partition, it may not affect the user, user event didnt aware Domain Naming Master
Server is down

Infrastructure Master Infrastructure Master updates the cross domain updates, what really
updates between Domains? Whenever user login to Domain the TGT has been created with the list
of access user got through group membership (user group membership details) it also contain the
user membership details from trusted domain, Infrastructure Master keep this information up-to-date,
it update reference information every 2 days by comparing its data with the Global Catalog (thats
why we dont keep Infrastructure Master and GC in same server)
In a single Domain and single Forest environment there is no impact if the Infrastructure
Master server is down

In a Multi Domain and Forest environment, there will be impact and we have enough time to fix the
issue before it affect the end-user

RID Master Every DC is initially issued 500 RIDs from RID Master Server. RIDs are used to
create a new object on Active Directory, all new objects are created with Security ID (SID) and RID is
the last part of a SID. The RID uniquely identifies a security principal relative to the local or domain
security authority that issued the SID

When it gets down to 250 (50%) it requests a second pool of RIDs from the RID master. If RID
Master Server is not available the RID pools unable to be issued to DCs and DCs are only able to
create a new object depends on the available RIDs, every DC has anywhere between 250 and 750
RIDs available, so no immediate impact

PDC PDC required for Time sync, user login, password changes and Trust, now you know why the
PDC is important FSMO role holder to get back online, PDC role will impact the end-user
immediately and we need to recover ASAP

The PDC emulator Primary Domain Controller for backwards compatibility and its responsible for
time synchronizing within a domain, also the password master. Any password change is replicated to
the PDC emulator ASAP. If a logon request fails due to a bad password the logon request is passed
to the PDC emulator to check the password before rejecting the login request.

Tel me about Active Directory Database and list the Active Directory Database files?

NTDS.DIT

EDB.Log

EDB.Che

Res1.log and Res2.log

All AD changes didnt write directly to NTDS.DIT database file, first write to EDB.Log and from log file
to database, EDB.Che used to track the database update from log file, to know what changes are
copied to database file.
NTDS.DIT: NTDS.DIT is the AD database and store all AD objects, Default location is the %system
root%\nrds\nrds.dit, Active Directory database engine is the extensible storage engine which us
based on the Jet database

EDB.Log: EDB.Log is the transaction log file when EDB.Log is full, it is renamed to EDB Num.log
where num is the increasing number starting from 1, like EDB1.Log

EDB.Che: EDB.Che is the checkpoint file used to trace the data not yet written to database file this
indicate the starting point from which data is to be recovered from the log file in case if failure

Res1.log and Res2.log: Res is reserved transaction log file which provide the transaction log file
enough time to shutdown if the disk didnt have enough space

What RAID configuration can be used in Domain Controllers?

http://www.windowstricks.in/2010/07/recommended-raid-configuration-and-disk.html

Can we keep OS, log files, SYSVOL, AD database on same logical Disk?

http://www.windowstricks.in/2010/07/recommended-raid-configuration-and-disk.html

AD Interview Questions (Part 2)

What is Active Directory Partitions?

Active Directory partition is how and where the AD information logically stored.

What are all the Active Directory Partitions?

Schema
Configuration
Domain
Application partition

What is use Active Directory Partitions? And

How to find the Active Directory Partitions and there location?
Schema Partition It store details about objects and attributes. Replicates to all domain controllers
in the Forest

DN location is CN=Schema,CN=Configuration,DC=Domainname, DC=com

Configuration Partition It store details about the AD configuration information like, Site, site-link,
subnet and other replication topology information. Replicates to all domain controllers in the Forest

DN Location is CN=Configuration,DC=Domainname,DC=com

Domain Partitions object information for a domain like user, computer, group, printer and other
Domain specific information. Replicates to all domain controllers within a domain

DN Location is DC=Domainname,DC=com

Application Partition information about applications in Active Directory. Like AD integrated DNS is
used there are two application partitions for DNS zones ForestDNSZones and DomainDNSZones,
see more

How to configure Active Directory Partitions?

You can only configure the Application partition manually to use with AD integrated applications,
refer to this article for details on that

How to create DNS zone in Application Directory Partition?

see on my previous article

How to move the DNS zone from Domain Partition to Application partition?

see on my previous article

How to take active directory backup?

System state backup will backup the Active Directory, NTbackup can be used to backup active
directory

Active Directory restores types?

Authoritative restore
Non-authoritative restore
Non-authoritative restore of Active Directory
Non-authoritative restore is restore the domain controller to its state at the time of backup, and allows
normal replication to overwrite restored domain controller with any changes that have occurred after
the backup. After system state restore, domain controller queries its replication partners and get the
changes after backup date, to ensure that the domain controller has an accurate and updated copy
of the Active Directory database.
Non-authoritative restore is the default method for restoring Active Directory, just a restore of system
state is non-authoritative restore and mostly we use this for Active Directory data loss or corruption.

How perform a non-authoritative restore?

Just start the domain controller in Directory Services Restore Mode and perform system state restore
from backup

Authoritative restore of Active Directory

An authoritative restore is next step of the non-authoritative restore process. We have do non-
authoritative restore before you can perform an authoritative restore. The main difference is that an
authoritative restore has the ability to increment the version number of the attributes of all objects or
an individual object in an entire directory, this will make it authoritative restore an object in the
directory. This can be used to restore a single deleted user/group and event an entire OU.

In a non-authoritative restore, after a domain controller is back online, it will contact its replication
partners to determine any changes since the time of the last backup. However the version number of
the object attributes that you want to be authoritative will be higher than the existing version numbers
of the attribute, the object on the restored domain controller will appear to be more recent and
therefore, restored object will be replicated to other domain controllers in the Domain

How perform a non-authoritative restore?

Unlike a non-authoritative restore, an authoritative restores need to Ntdsutil.exe to increment the
version number of the object attributes

What are Active Directory Partitions can be restored?

You can authoritatively restore only objects from configuration and domain partition. Authoritative
restores of schema-naming contexts are not supported.

How many domain controllers need to back up? Or which domain controllers to back up?
Minimum requirement is to back up two domain controllers in each domain, one should be an
operations master role holder DC, no need to backup RID Master (relative ID) because RID master
should not be restored
Can we restore backup of domain controller to other/different domain controller?
Backup of one domain controller cant be restoring to other domain controller, should be restored to
same domain controller

Sysvol Interview Questions and Answers

I would like to share collection of Sysvol and FRS Interview questions and answers this will be asked
on Windows Active Directory administrator job interview

What is the SYSVOL folder and why its used?

The Sysvol folder on a Windows domain controller is used to stores domains Group Policy settings,
default profiles and logon/logoff/startup/shutdown scripts, which is available in C:\Windows\SYSVOL
directory in all domain controllers within the Domain

What is NETLOGON folder?

Netlogon folder contain logon/logoff/startup/shutdown scripts which is inside the Sysvol folder

What is junctions point?

Check more about: Sysvol Junction point

What other folders in Sysvol and Sysvol folder structure/ Contents?

Check more about: netlogon and sysvol folder location

How policies get replicated from one DC to other DC?

Check more about: how sysvol replication works

What is the Difference between FRS and DFS-R?

Check more about: Difference between FRS and DFSR

How to Force sysvol replication?

Check more about: force sysvol replication on Windows 2003 and force sysvol replication on
Windows 2008 and windows server 2012

What is the Sysvol Replication change in Windows 2008?

Check more about: sysvol replication change on windows 2012

Any Sysvol issues which you have faced in your environment?

USN journal wrap Error on sysvol

Morphed folder on Sysvol

FRS replication issues

Sysvol share not sharing May be an replication issue, please event log got more information

Tel me about Non-authoritative restore of SYSVOL or D2 restore

D2 is the default method for restoring SYSVOL and occurs automatically when you do a non-
authoritative restore of the Active Directory

When you non-authoritatively restore the SYSVOL, the local copy of SYSVOL on the restored domain
controller is compared with that of its replication partners. After the domain controller restarts, it
replicates the any necessary changes, bringing it up-to-date with the other domain controllers within
the domain.
Tel me about Authoritative restore of SYSVOL or D4 restore

IN D4 restore a copy of SYSVOL that is restored from backup is authoritative for the domain. After
the necessary configurations have been made, Active Directory marks the local SYSVOL as
authoritative and it is replicated to the other domain controllers within the domain.

How to D2 and D4 restore?

Enable BurFlags registry to D2 or D4

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\
Process at Startup
BurFlags
D2, for nonauthoritative mode restore
D4, for an authoritative mode restore

More info from MS

Windows Group Policy Interview Questions

and Answers
By mail2spi2014 | July 7, 2009

0 Comment

Will share Collection on Windows group policy interview question with details answers, start with
simple L1 questions and continue to L3 questions

What are group policies?

Group policies specify how programs, network resources, and the operating system work for users
and computers in an organization. They are collections of user and computer configuration settings
that are applied on the users and computers (not on groups). For better administration of group
policies in the Windows environment, the group policy objects (GPOs) are used.

What is GPO?

Group policy object (GPO) is a collection of group policy settings. It can be created using a Windows
utility known as the Group Policy snap-in. GPO affects the user and computer accounts located in
sites, domains, and organizational units (OUs). The Windows 2000/2003 operating systems support
two types of GPOs, local and non-local (Active Directory-based) GPOs.

What is Local GPOs/policy?

Local GPOs are used to control policies on a local server running Windows 2000/2003 Server. On
each Windows 2000/2003 server, a local GPO is stored. The local GPO affects only the computer on
which it is stored. By default, only Security Settings nodes are configured. The rest of the settings
are either disabled or not enabled. The local GPO is stored in the %systemroot
%SYSTEM32GROUPPOLICY folder.
What is Non-local Policy?

Non-local GPOs are used to control policies on an Active Directory-based network. A Windows
2000/2003 server needs to be configured as a domain controller on the network to use a non-local
GPO. The non-local GPOs must be linked to a site, domain, or organizational unit (OU) to apply
group policies to the user or computer objects. The non-local GPOs are stored in %systemroot
%SYSVOLPOLICIESADM, where is the GPOs globally unique identifier. Two non-local GPOs are
created by default when the Active Directory is installed:
1. Default Domain Policy: This GPO is linked to the domain and it affects all users and computers in
the domain.
2. Default Domain Controllers Policy: This GPO is linked to the Domain Controllers OU and it affects
all domain controllers placed in this OU.
Multiple GPOs

GPO Apply order

When multiple group policy objects are assigned, the group policies are applied in the
following order:

The local group policy object is applied first

Then, the group policy objects linked to sites are applied
If multiple GPOs exist for a site, they are applied in the order specified by an administrator
GPOs linked to the domains are applied in the specified order
Finally, GPOs linked to OUs are applied
The OU group policy objects are set from the largest to the smallest organizational unit, i.e., first the
parent OU and then the child OU.
By default, a policy applied later overwrites a policy that was applied earlier. Hence, the settings in a
child OU can override the settings in the parent OU
Group policy settings are cumulative if they are compatible with each other. In case they conflict with
each other, the GPO processed later takes precedence.

What is No Override? Block Policy Inheritance?

The following are the exceptions with regard to the above-mentioned settings:

No Override:
Any GPO can be set to No Override. If the No Override configuration is set to a GPO, no policy
configured in the GPO can be overridden. If more than one GPO has been set to No Override, then
the one that is the highest in the Active Directory hierarchy takes precedence

Block Policy Inheritance:

The Block Policy Inheritance option can be applied to the site, domain, or OU. It deflects all group
policy settings that reach the site, domain, or OU from the object higher in the hierarchy. However,
the GPOs configured with the No Override option are always applied
What is Loopback policy?

See more on Loopback policy

Is group policy from Parent Domain cab be inherited to child Domain?

Group Policy Inheritance

The group policies are inherited from parent to child within a domain. They are not inherited from
parent domain to child domain

Following are the rules regarding group policy inheritance:

A policy setting is configured (Enabled or Disabled) for a parent OU, and the same policy setting is
not configured for its child OUs. The child OUs inherit the parents policy

A policy setting is configured (Enabled or Disabled) for a parent OU, and the same policy setting is
configured for its child OUs. The child OUs settings override the settings inherited from the parents
OU

If any policy is not configured, no inheritance takes place

Compatible policy settings configured at the parent and child OUs are accumulated

Incompatible policy settings from the parent OU are not inherited

What is security filtering? Filtering Scope of GPOs

Although GPOs are linked to the site, domain, or OUs, and they cannot be linked to the security
groups directly, applying permissions to the GPO can filter its scope. The policies in a non-local GPO
apply only to users who have the Read and Apply Group Policy permissions set to Allow
By specifying appropriate permissions to the security groups, the administrators can filter a GPOs
scope for the computers and users

Windows GPO Interview Questions and

Answers
How policy will be replicated to one Domain Controller to other?

Check detailed explanation on Sysvol Replication change in Windows 2008

What is Group Policy template (GPT)?

Check Group Policy template

What is Group policy container (GPC)?

Check Group policy container

What is File Replication Services (FRS)?

Check File Replication Services

Sysvol Replication change in Windows 2008?

Check detailed explanation on Sysvol Replication change in Windows 2008

How Group Policy Processing over Slow Link?

http://www.windowstricks.in/2009/07/group-policy-processing-over-slow-links.html

What Tools used to edit the Group policy?

GPMC and GPedit

How to check applied policy details from Client or server?

RSOP.msc (only works windows 2003 and above)

GPRESULT /v
What is .adm file?

Administrative Template are required because Microsoft did not include all Registry settings in the
default Group Policy, if you want to add more customized setting to existing policy then .ADM file can
be created and imported to get the necessary setting

Group policy is not applying/working after

patching (GPO Permission issues)
By ganesamoorthy s | June 21, 2016

1 Comment

You may face GPO issues after installing Microsoft security patch MS16-072, like Printers installed
through group policy is not working, Drive mapping is not working and any other typical GPO
problems caused by group policy settings arent getting applied to the client systems, affected
operating systems are Windows 8.1& 10, Windows Server 2008 and 2012 R2

Also Read: Difference between Windows cumulative update and native Microsoft Windows update

Microsoft release MS16-072 to fix the vulnerability in Microsoft Windows which break the production
Group Policy, what really changes and why this issue occurs, how to prevent and fix this

Also Read: Compare Installed Windows Security Patches with affected and non-affected Servers to
isolate and fix the issue on Windows Server

Issue:

Group policy with security filtered may failed to apply

Why:

Normally all security filtered Group polices will have a read and apply permission to the respective
security groups, so that policy will apply only those users who member of the security group

This issue occurs if read permission is missing to the computers account which user is using

Solution:
Simple solution is you should add the Active Directory computer account to security group or give
Domain computers group / Authenticated Users to read permission to fix this issue for all the domain
joined computers, steps are

Open GPMC.MSC (Group Policy Management Console)

Select the policy
on right site of the console, select delegation
Add the Authenticated Users and select read Permissions
Add the Domain Computers and select read permissions

Also Read: Windows Group Policy Interview Questions and Answers

This patch does not affect the Computer based policies, only affects User policies and use above
procedure to fix the issue, more about the patch (https://support.microsoft.com/en-us/kb/3163622)

More about Windows Server 2016 and Windows Server 2012

How to Import ADMX files for Windows 10

By ganesamoorthy s | June 5, 2016

0 Comment

Group Policy Management Console (GPMC) not showing Windows 10 related

settings/policies

To manage Windows 10 machines through windows group policy you should have Windows 10
Group Policy (.ADMX) templates files and ADML files to your Windows Server 2003/2008/2012 R2
domain controllers, around 190 different templates are available for Windows 10 which help you to
configure different setting on you Windows 10 computers through GPO, below link you
can Download all the ADMX files and ADML files from Microsoft site

https://www.microsoft.com/en-us/download/details.aspx?id=48257

How to Import ADMX files to Managing Windows 10 with Administrative templates

You have to perform below steps from the domain controller where you are using
GPMC.MSC
Copy the downloaded ADMX Files to the folder C:\windows\PolicyDefinitions
Copy the language files (.adml) in the subfolder C:\windows\PolicyDefinitions\EN-US or your
language folder of choice.
And the path is C:\windows or whatever %systemroot% may be on your domain controller
Restart the gpmc.msc and it will show you the new policies available

Also Read: Windows Group Policy Interview Questions and Answers

How to create Central Store to store Administrative Templates files

Domain controllers do not store or replicate redundant copies of .adm files to other Domain
Controllers, so you have to do the above steps to all the Domain Controllers manually or you need to
create a Central Store in the SYSVOL folder on a Windows domain controller and deploy the .admx
files

Create a folder that is named PolicyDefinitions in the below location

\\domainname.com\SYSVOL\domainname.com\policies) on the domain controller
Copy the content of C:\Windows\PolicyDefinitions to
\\domainname.com\SYSVOL\domainname.com\policies\PolicyDefinitions, from any Windows
10 machine
And Copy the downloaded ADMX Files to the
folder \\domainname.com\SYSVOL\domainname.com\policies\PolicyDefinitions
Copy the language files (.adml) in the subfolder
\\domainname.com\SYSVOL\domainname.com\policies\PolicyDefinitions\EN-US or your
language folder of choice

Also Read: Understand SYSVOL Folder Structure

Now you can edit windows 10 setting from any of you Domain Controllers in your environment.

Also Read: PowerShell command to extract Group policy result for a list of Servers

PowerShell command to extract Group

policy result for a list of Servers
By ganesamoorthy s | April 7, 2016

0 Comment
If you are looking for a PowerShell command that can run against list of computers to obtain
computer policy settings in your domain environment, you can use this to compare with working and
not working servers to fix the issue and also used for GPO reporting

Also Read: Enable Powershell Remoting on Windows server 2008 R2 and 2012

Input file needs to be created (serverlist.txt) and c:\temp location and update the file with server list
which will be used to extract the group policy output

Run below PowerShell command to export all Group Policies to Text File:

Need to import the PowerShell module before run the command then only the GroupPolicy related
command will work

Import-Module GroupPolicy

Run the PowerShell script below:

$RemoteComputers = Get-Content -Path C:\temp\serverlist.txt

foreach ($computer in $RemoteComputers)

Get-GPResultantSetOfPolicy -Computer $computer -ReportType htm -Path C:\temp\rsop\$computer.htm

Out put file will be created for each servers in the input file with servername.htm on c:\temp\resop\,
now you have GroupPolicy result for all the servers

Also Read: Interesting oneline script written using windows command

Difference between windows server 2008 and 2012

Deploy and distribute new Print Queue to all

Workstations through Group Policy on
Windows Server 2012
By ganesamoorthy s | December 23, 2015

0 Comment

How to setup & configured new PrintQueue in the dedicated Print server and deployed to all the
users through GPO, if you want to configure for single user then its simple access print server by
\\PrintServer and then double click on the printqueue object to install on client machine locally, if this
needs to done for thousands of users to managed print services then which is the best way to do
this? Native procedure is configure through Startup Scripts to configure for computer object or logon
Scripts to configure users, is there any simple easy settings to do the same in Windows Server
2012? I also discussed how to Install printer through Print Management on Print Server

Also See: Print spooler stopping automatically on Windows Server 2012, 2008 Print Server

Setting up Printers via Group Policy on Server 2008 and 2012

Use existing GPO or create one for this

Note: Make sure printer is shared and published to active directory before you assigned to group
policy

Also See: Print spooler stopping automatically on Windows 10 other client Operating system

How to configure additional printer drivers to support different operating system

After configuring the printer deployment over the group policy, now need to add additional printer
drivers to support all the OS which printer been deployed like Windows 7, 8 and windows 10 or any
other server operating system like windows server 2003/2012 with 32bit and 64bit

Login to print server

Open Control Paneland
Browse to Devices and Printers
Click Print Server Properties on top of the window
Click Add Driver
Follow the steps to add different OS
And Repeat the same for other Operating systems

Also See: Printer showing offline Windows 10

Using the above method printers can be deployed automatically to all the client systems with different
operating system, and its always recommended to deploy for computer accounts, not for user
accounts so that printer will be installed while the time of startup/power on and all the users will get
the installed printer

And Other Printer problems and issues with solution

Install printer through group policy

By mail2spi2014 | July 21, 2011

0 Comment

Deploying printers via group policy using Print Management console, if your not installed Print
Management then Install Print Management by adding or updating the print server role through
Manage Your Server

Deploying printers through GPO

o Open the Print Management console and select the printer you want to install.

o In the results pane, right-click the printer you want to install, then click Deploy with Group Policy

o Click Browse, and then choose a GPO (through which you going to deploy the printer)
o If you want to deploy this printer for user or computer select the appropriate option

o Select the The users that this GPO applies to (per user)
o Select the The computers that this GPO applies to (per machine).

o Click Add

To complete printer deployment on client we have to deploy a PushPrinterConnections.exe to the

client computer so that the client can process the printer connection settings through GPO

Deploy PushPrinterConnections.exe file

We have add PushPrinterConnections.exe to logon script on GPO, so that it will deployed while the
time of user log on

o Open a Gpmc.msc, right-click the GPO with your printer connections settings and click Edit, Add
PushPrinterConnections.exe file

o For per-machine, go to Computer Configuration, Windows Settings, Scripts (Startup/Shutdown).

o For per-user, go to User Configuration, Windows Settings, Scripts (Logon/Logoff).

Ask user to logoff and logon, printer will get installed automatically through GPO, for per-machine
ask user to restart the computer in order to apply updated GPO.

Issue managing IE configuration through

GPO
By mail2spi2014 | June 22, 2011
0 Comment

List of trusted sites went empty recently, yes the Trusted Sites list got empty, it says: No sites are in
this zone how to resolve this issue

We had an issue like some one edited the default domain policy to update the trusted site list and we
have lost entire IE configuration (Like trusted site list) because he used a different account to edit the
group policy, its a known issue in Windows server 2003, why its clear the IE configuration? Lets
explore this

Because Internet Explorer policy settings would change based on the policy settings enabled on the
administrative workstation used to view the settings.

If you edit the Group policy to configure the internet Explorer settings, it will open the internet options
from the system where you modifying the policy, lets say you login with admin account and this
account doesnt linked to any policy including the default domain policy which has the IE
configuration details like trusted sites, if you open and edit the policy to update the trusted site
through GPMC, it should be empty because the admin account used to edit the GPO doesnt linked
to any policy

If you click ok then this empty setting will overwrite the policy settings and this will apply to entire
users, trusted site will be empty for all the users in the domain

Thats why you have to use the admin account that should be linked to the policy you want to edit
(only for IE configuration), while the time of logon the policy will apply and you can able to see the list
of trusted sites and other IE configuration setting and able to append the IE settings without any
issue

Thanks to Microsoft, in windows 2008 this behavior has been changed, you can change the Internet
Explorer policy settings without affecting the policy configuration, because these settings are registry
based settings unlike windows server 2003, more in fo about the GPO features

Group Policy slow link detection on windows

server 2008
By mail2spi2014 | June 6, 2011
1 Comment

Group Policy slow link detection process change on windows server 2008

You can see my earlier article on Group Policy slow link detection

Group Policy Processing over Slow Links in windows 2003(part1)

Group Policy Processing over Slow Links(Part2)

In windows server 2003, Group Policy slow link detection uses the ICMP ping to detect the network
bandwidth. Most of the VPN networks have the issue with this because the clients communicate
through a Firewall with the domain controller

This was a big problem in windows server 2003 because it uses the ICMP ping to detect the network
bandwidth, some of the VPN sites ICMP ping might be disabled in firewall or the MTU size would be
less then the required limit and also ping will increase the network traffic, to overcome this problems
Microsoft come up with solution called NLA (Network Location Awareness)

Network Location Awareness is a service on client computer, it provide necessary information about
the network and GPO uses this to apply the policy settings, most important its not using ICMP ping
and very efficient compare to earlier process in Windows 2003.

SYSVOL Folder Structure

By mail2spi2014 | April 26, 2011

0 Comment

About each folder under the SYSVOL share in Domain Controller

SYSVOL folder used to store a copy of the domains public files like system policies, Group Policy
settings and logon/logoff scripts, which are replicated to all other domain controllers in the Active
Directory domain through File Replication Services (FRS), You can find many folders inside the
SYSVOL share, I would like to explore and explain each folder by how its used in the process of
SYSVOL replication.

SYSVOL Folder Structure

Before I discuss about the SYSVOL folder structure, we should know about the junction points,

Junction point: is a physical location on a hard disk that points to data that is located elsewhere on
the hard disk or on another storage device. Junction points look like folders and behave like folders
but they are not folders. A junction point contains a link to another folder. When a program opens it,
the junction point automatically redirects the program to the folder to which the junction point is
linked

If you open a \%systemroot%SYSVOLsysvol, it actually opens the content in %systemroot

%SYSVOLdomain, you can also see this in command prompt, go to SYSVOL folder in command
prompt and type DIR you can notice some of folder are shown as all are junction points

%systemroot%SYSVOLstaging areasdomainnam pointing to %systemroot%SYSVOLstagingdomain

%systemroot%SYSVOLsysvol pointing to %systemroot%SYSVOLdomain

Staging Folder

When ever you change the GPO settings the corresponding policy folder in SYSVOL get updated
and this change needs to be replicated to other replication members (Domain controller) how its
happens? Staging folder acts like a queue for changed files and folders to be replicated to
downstream partners.

FRS creates a file in staging folder by using APIs (backup application programming interfaces)
based on the change and replicates to the downstream partners, downstream partners use restore
APIs to reconstruct the staging files in the preinstall folder, full file get copied from staging folder to
preinstall folder.

Preinstall folder

Preinstall folder is nothing but the DO_NOT_REMOVE_NtFrs_PreInstall_Directory. Folder located

under the replica root (Domain folder). Files and folders are replicated from the upstream partner
staging folder. After the file or folder is completely replicated, it is renamed to its target location in the
replica tree. So that partially constructed files are not visible in the replica tree

Pre-existing folder

The pre-existing folder, named NtFrs_PreExisting___See EventLog, is an optional folder that is

located under the replica root (Domain folder). It may not be available by default like others folders, If
pre-existing folder is present on a replica member then mostly one of the below reasons.

Active Directory Restore:

SYSVOL Non-authoritative restore (also called D2):
Server was pre-staged before it was added to the replica set
Mostly FRS moves existing data in the replica tree to the pre-existing folder and then receives the
updated replica tree from one of the upstream partners and deletes the files inside the pre-existing
folder after the successful completion of replication.

Policies Folder

Policy folder contains the list of folders for each policy, if you create a new Group Policy it will create
a Group policy templates folder on SYSVOL share under policy, it will contain the group policy setting
related to that policy, GPT folder name would be Globally Unique Identifier (GUID) of the GPO that
you created.

Scripts Folder

Script Folder contains all the logon/logoff scripts which is used by the various policies

Why we cant edit/view windows 2008, Vista

and windows 7 GPO settings from windows
2003
By mail2spi2014 | April 1, 2011

0 Comment

Unable to edit/view Group policy settings from windows 2003

If you have mixed environment like Windows XP, Windows Vista and Windows 7 then some of the
group policy changes need to be configure from windows server 2008 or Windows Vista & Windows
7, you cant edit or see the policy settings from windows 2003/windows XP because windows server
2008 Group Policies using ADMX templates unlike the windows 2003 uses the ADM file

Group policy settings are configured through the ADM/ADMX files through the GPMC/GPOE (Group
Policy Management Console / Group Policy Object Editor), Windows server 2003 uses the ADM file
to edit the policy, and Windows server 2008 uses the ADMX file to edit the policy

Anyway it will not affect the client and group policy processing, only difference is the system which is
used to edit the group policy, requires these ADM/ADMX files, Editing Group Policies using ADMX
templates requires that the editing tools be run only on Microsoft Vista, Server 2008 and Windows 7.
ADM templates can be edited on Windows XP or Server 2003

More new group policy settings has been added in windows server 2008 to manage the environment
effectively, all this new settings can be configurable through Microsoft Vista, Server 2008 and
Windows 7, to know more about the Group Policy 2008 Features

Group Policy 2008 Features

By mail2spi2014 | March 21, 2011

0 Comment

Group Policy 2008 Features: I will discusses about the Group policy changes in windows 2008
server, Microsoft have made some of interesting changes and added new features in Group Policy
2008, first I will list the features and explain one by one

New Administrative template files (ADMX)

New Policy settings
o Power options
o Block device installation
o Improved security settings
o Internet Explorer settings management
o Assign printers based on location
o Delegate printer driver installation to users

Group Policy slow link detection

SYSVOL replication change
SYSVOL uses DFS Replication service to replicate Group Policy object files to other domain
controllers (In windows server 2003 uses FRS to replicate this)

Am very interested about the below changes because I have faced several issues related to this in
windows 2003 group policy

Group Policy slow link detection

Internet Explorer settings management
Blocking device installation
SYSVOL replication change

New Administrative template files (ADMX)

In windows server 2003 and earlier versions, ADM file used to store registry based GPO settings, In
Windows server 2008 ADMX file used to store registry based GPO settings, its a XML based and
easy to manage registry based policy settings

ADMX format support Multilanguage, centralized datastore, and version control capabilities, policy
can be edited in other language that was created in English language because Group Policy tools
will adjust the user interface according to the administrators configured language, you can also
create a Central Store for Group Policy Administrative Templates to reduce the disk space, see
article in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=122539)

New Policy settings

Power options: Now you can configure the power option through group policy

Configure power option through GPO:

Computer Configuration ->Administrative Templates -> System -> Power Management

Block device installation: In windows 2003 to block the device assess like USB and CD drive we
have to import the customized ADM file, in windows 2008 its inbuilt yes now you can configure he
device access through group policy
Configure Block device installation through GPO:
Computer Configuration ->Administrative Templates -> System -> Device Installation

Improved security settings: IPsec & firewall setting are combined to provide the enhanced security
and avoid policy duplication

Configure security settings through GPO:

Computer Configuration -> Windows Settings -> Security Settings -> Windows Firewall with Advance
Security

Internet Explorer settings management: We had an issue like some one edited the GPO to update
the trusted sites and we have lost entire IE configuration because he used a different account to
change the group policy, its a known concern in Windows server 2003 because Internet Explorer
policy settings would change based on the policy settings enabled on the administrative workstation
used to view the settings.

In windows 2008 this behavior has been changed, you can change the Internet Explorer policy
settings without affecting the policy configuration

Configure Internet Explorer settings through GPO:

Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer
User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer

Click here to Configuring trusted website and activex settings for IE7 or Vista and later versions
using group policy

Assign printers based on location: Install the network printer based on the user location, its very
useful for the roaming user because if the user login to the network other then the base location
GPO will install the printer for the new location.

Assign printers based on location through GPO:

Computer Configuration -> Windows Settings -> Deployed Printers
User Configuration -> Windows Settings ->Deployed Printers

Delegate printer driver installation to users: Now user can install the printer on there system
without admin access, it helps to reduce the security risk and admin effort.

Delegate printer driver installation through GPO:

Computer Configuration -> Administrative Templates -> System -> Driver Installation
Group Policy slow link detection

This was a big problem in windows server 2003 because it uses the ICMP ping to detect the network
bandwidth, some of the VPN sites ICMP ping might be disabled in firewall or the MTU size would be
less then the required limit and also ping will increase the network traffic to overcome this problems
Microsoft come up with solution called NLA (Network Location Awareness)

SYSVOL Replication

In windows server 2003 FRS (File replication service) has been used to replicate SYSVOL folder
changes, in windows server 2008 you can use the DFS (Distributed File System) to replicate
changes on the SYSVOL folder, to use this feature you should have Windows Server 2008 domain
functional level that means all the domain controller has to be Windows Server 2008

If any changes in SYSVOL share, FRS replicate the entire file unlike the DFS, DFS only replicate the
change in the file, sounds like a attribute level Active Directory replication, it compare the source and
destination file using remote differential compression (RDC)

If you are migrated from windows 2003 to windows server 2008, FRS is the default replication
service for SYSVOL replication, you have to migrate the SYSVOL share to use the DFS

Compare to earlier version Group Policy settings has increased from approximately 2,400 in
Windows Server 2008 to optimize the environment and support new features, more info from technet

Active Directory real time issues and

solutions
By ganesamoorthy s | June 9, 2015

0 Comment
As an Windows AD Administrator I have many Active Directory real time issues and solutions, we
have seen the questions like, Tel me about 2 real time issues which you have faced in your current
Active Directory environment, share one or two challenging issues which you have worked and
resolved, Tel me most challenging issues you recently involved

Many of my blog readers are asked to share couple of real time scenarios from my past experience
to preparing for an Windows and Active Directory interview, list of articles from my previous post,
read and understand to face the interview confidently

Active Directory real time issues and solutions

DNS Entry of Domain Controller is Resolving to Incorrect value

Replsummary showing unknown for largest delta on AD replication checks

Domain Controller failed test Machineaccount on DCDIAG

AD Slow Authentication and prompting for credentials again and again

How secure channel determine the Domain controller in cross-forest

Active directory Troubleshooting

Active Directory Replication failed with Target principal name is incorrect

Replication failed with The destination server is currently rejecting replication requests Error

Troubleshoot Active Directory Server Replication

Group Policy (GPO) real time issues and solutions

Issue managing IE configuration through GPO

Why we cant edit/view windows 2008, Vista and windows 7 GPO settings from windows 2003

Gpresult failed with ERROR Access Denied

Home page URL not working for IE7

GPO update failed in Slow Link VPN site with Event ID 1000 and 1054
Group Policy Processing over Slow Links

Group Policy slow link detection on windows server 2008

Other real time issues and solutions, Printer, User Profile and Account lockout

Account lockout

How to resolve the Print Spooler service crash issue (Print spooler service is not running)

How to find the domain controller that contains the lingering object

Reconfigure roaming profile folder and home folder permission for all the users

Roaming profile issues

Active Directory Replication

Replsummary showing unknown for largest delta

on AD replication checks
Largest delta would report as unknown on Source DC while running Repadmin /replsummary for
your Domain and Forest, since its showing unknown and didnt see the replication delta value and
unable to find the affected Destination DC, will describe how to find the Destination DC

Why its reporting unknown?

Lets say if the new replication connection object has been created by KCC and its failed before
complete the first replication cycle or yet to complete the first replication cycle , so replication
destination has never replicated from the source and Repadmin /showrep shows Last success @
(never). Then largest delta would report as unknown

How to find the affected Destination DC?

Also Read: Active Directory Replication failed with Target principal name is incorrect

Its not easy to find the Destination DC, since the connection object has not completed the first
replication cycle, it wont be available from Repadmin /replsummary output

Need to query each connection object from the Forest to find the Destination DC

Csvde -f c:\temp\list.csv -d "CN=Configuration,DC=Domainname,DC=com" -r (fromServer=*) -l

fromserver

list.csv file contains all the connection object DN from your Forest and there fromserver attribute
value

Search the list.csv with Source DC(fromserver attribute value), you will find
the unknown Destination DC on the same line ( connection object DN), need to do many search till
you get the correct Destination DC

This can be easy in a very small environment with less then 10 Domain Controller, you can check
this manually by running repadmin /showrep on each Domain Controller, let say you have a very
large environment with more then a 100 DC then manual method cant be easy and above procedure
will find this in a easy way, hope this will help you to troubleshoot Active Directory replication issues

Also Read:Replication failed with The destination server is currently rejecting replication requests
Error
Active Directory Replication failed with Target
principal name is incorrect
Active Directory Replication failed with Target principal name is incorrect

If you have issue with the computer account of the domain controller then you may receive target
principal name is incorrect or access denied error while the time of replication

To check the computer account run the below command from affected domain controller where you
receive the error

net view \\DC Name

net use \\DC Name

If you receive access denied error then its confirm computer account issue, to resolve this issue, you
have to reset the computer account, reset the secure channels between these domain controllers
and the PDC

Run the below command to reset the computer account,

Before running this command, disables the Kerberos Key Distribution Center service (KDC).

And this command should be run from the domain controller in which you are going to reset the
password, server_name should be PDC or the replication partner

netdom resetpwd /server:server_name /userd:domain_nameadministrator

/passwordd:administrator_password

More info: http://support.microsoft.com/kb/288167

Replication failed with The destination server is
currently rejecting replication requests Error
Also receive error The source server is currently rejecting replication requests. This operation will
not continue in windows server 2008/2003 and Active Directory replication stopped working,
possibly the inbound and outbound replication been disabled on the domain controller

Use the below repadmin command to check the inbound and outbound connection object status

repadmin /options DC name

You may receive the error similar like below, then the inbound and outbound connection object been
disabled

Current DC Options: IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL

If its disabled then run the below command to enable the inbound and outbound connection object

repadmin /options DC Name -disable_inbound_repl

repadmin /options DC Name -disable_outbound_repl

If its been disabled automatically after some time (15 min) then its an issue with the Lingering
Objects, you have to check the event viewer for the Event ID 1988

If your environment configured with Strict Replication Consistency, then the Inbound replication of the
directory partition of the lingering object has been blocked on the destination domain controller.

You have to remove the Lingering Objects to resolve this issue

Also check Troubleshoot Active Directory Server Replication for other ad replication issues
Sync the Active Directory replication between two
domain controllers in low bandwidth sites
Normally replication fails, if it doesnt have enough bandwidth to complete the scheduled replication,
you can use the below command to Sync the Active Directory replication between two domain
controllers in low bandwidth sites.

Syntax:
repadmin /replicate destination_dsa source_dsa Naming Context /async

Example:
repadmin /replicate server2.test.com server1.test.com dc=test,dc=com /async

Destination server Name: server2.test.com

Source server Name: server1.test.com
Naming Context : dc=test,dc=com (Domain partition)

/async switch to specifies that the replication will be asynchronous.

This means that Repadmin starts the replication, but it does not expect an immediate response from
the destination domain controller. Use this parameter when there are slow links between domain
controllers.

Run this command and check for replication event in Directory services event log, if you get the RPC
error then you have to run the command again, you need to follow this procedure till the replication
gets completes

Note: This will help only for some scenarios; if you have very low bandwidth sites then this will not
help, you have to resolve the network issue or have to upgrade the network bandwidth in order to
complete the Active Directory replication.

Force active directory replication

use the same command to Force active directory replication without /async for Sync Active Directory
replication between two domain controllers in normal bandwidth
Sync replication with all of its replication partners
Force the active directory replication with the entire replication partner

In some scenario you want to force active directory replication with the entire replication partner, let
say you have a 10 connection objects corresponding to each of its replication partners and you want
to force the replication to all the connection objects on server1.test.com, you can use the blow
command.

Syntax:
repadmin /replicate destination_dsa Naming Context /allsources

Example:
repadmin /replicate server1.test.com dc=test,dc=com /allsources

Destination server Name: server2.test.com

Naming Context: dc=test,dc=com (Domain partition)

Sync the Active Directory replication between two

domain controllers
Force the active directory replication between two domain controllers

If you want to override the replication schedule or dont want to wait for the normal replication
scheduled, need to initiate a replication immediately from server1.test.com to server2.test.com, you
can use the below commands
Syntax:

repadmin /replicate destination_dsa source_dsa Naming Context

Example:

repadmin /replicate server2.test.com server1.test.com dc=test,dc=com

Destination server Name: server2.test.com
Source server Name: server1.test.com
Naming Context : dc=test,dc=com (Domain partition)

Note: you should have a connection object between the source and destination domain controllers in
order to complete this command

In this example we are not forcing the Active Directory replication, we only Sync the Active Directory
replication between two domain controllers or initiating the Active Directory replication between two
domain controllers

If want to force the Active Directory replication you have to use the /force switch

Syntax:
repadmin /replicate destination_dsa source_dsa Naming Context /force

Example:
repadmin /replicate server2.test.com server1.test.com dc=test,dc=com /force

If use the /force switch, this will override the Disable Replication option on a directory server

Note: Do not use this parameter unless you are certain that replication has been disabled, and that
you want to override this setting

How to check Active directory replication for

multiple Domain Controllers
To check Active directory the replication for multiple Domain Controllers

Normally repadmin /showreps command has been used to get the replication status for an particular
Domain Controller, let say I want to check the Active directory the replication for multiple Domain
Controllers, you can use the below command

for /f %a in (list.txt) do repadmin /replsummary %a

Note: You should run this command from where the input file (list.txt) there
And this command will check all the servers in the input file (list.txt)

If you want to check the Active directory replication for all the DCs from a site, you can use the
below command

repadmin /replsummary site:Site Name

If you want to check the replication with the wildcard character, that server name starts with MG, you
can use the below command

repadmin /replsummary mg*

Active Directory Health Check

How to perform active directory health check: As an administrator you have to check your active
directory health daily to reduce the active directory related issues, if you are not monitoring the health
of your active directory what will happen

Lets say one of the Domain Controller failed to replicate, first day you will not have any issue. If this
will continue then you will have login issue and you will not find the object change and new object,
thats created and changed in other Domain Controller this will lead to other issues

If the Domain Controller is not replicated more then 60 days then it will lead to Lingering issue

Command to check the replication to all the DCs(through this we can check Active Directory
Health)

Repadmin /replsum /bysrc /bydest /sort:delta

You can also save the command output to text file, by using the below command

Repadmin /replsum /bysrc /bydest /sort:delta >>c:replication_report.txt

This will list the domain controllers that are failing to replicate with the delta value
You can daily run this to check your active directory health
Force sysvol replication
Your can restart the FRS service to force FRS replication in an active directory

To restart the FRS service, launch services.msc from the Run option on the Start Menu
And restart the FRS service and you will get the Event ID 13516 on FRS event log this will ensure
the FRS status is fine

Learn more on Force FRS/SYSVOL Replication on windows server 2008 and 2012

How do I force Sysvol replication in an active directory

Forcing Sysvol replication through NTFRSUTL

If you want to force sysvol replication between two domain controllers in an active directory then use
the below procedure

NTFRSUTL FORCEREPL Command-Line Option to Force Replication

You can use the new ntfrsutl forcerepl command to enforce replication regardless of the predefined
replication schedule. This is only implemented for the domain controller Sysvol replica set.

ntfrsutl forcerepl [Computer] /r [SetName] /p [DnsName]

This command forces FRS to start a replication cycle. You must specify the Computer, SetName and
DnsName.

Note In this command, the following placeholders are used:

[Computer] = Connect with the NtFrs service on this machine.
[SetName] = The name of the replica set.
[DnsName] = The DNS name of the inbound partner to force replication from.

For example:

ntfrsutl.exe forcerepl DestinationDC /r Domain System Volume (SYSVOL share) /p

SourceDC.domain.com
The quotation marks in this example are required when you use the /r option. If the quotation marks
are not present, the command will not work.

Force SYSVOL replication on Windows 2008/Windows 2012

Understand more about SYSVOL folder structure

General SYSVOL troubleshooting

How SYSVOL replication works

Force FRS Replication on windows server 2008 and 2012

Force active directory replication(Force AD

replication)
How do I synchronize/Force AD replication between two domain controllers in a Domain, normal AD
replication is scheduled however some time we require to synchronize manually

There is many ways to do this we will see one by one

Force active directory replication / Force AD replication through the

Microsoft Management Console (MMC) or Forcing replication through
Active Directory Sites and Services snap-in

1. Go to Start > Programs > Administrative Tools > and open the Active Directory Sites and
Services MMC.
2. Expand the Sites container in the left pane by clicking the plus (+) to the left of it.
3. Expand the container that represents the name of the site containing the server that needs to be
synchronized.
4. Expand the Servers container and then expand the target server to display the NTDS settings
object.
5. Click the NTDS Settings option. In the right pane should now be a list of the target servers
replication partners.
6. Right click a connection object in the right pane and click Replicate Now
Force active directory replication through Replmon Tool

1. Go to Start > Run > type replmon >and this will open a Replmon console
2. Click on > edit and select > Add monitored server
3. Select >Add the server explicitly by name >Next
4. Enter the server name that needs to be synchronized > Finish
5. Expand the Partition that needs to be synchronized (Exg: Domain partition)
6. Select the connection object needs to be synchronized
7. Right click a connection object and click Synchronize with this replication partner
8. Wait for the replication
9. You will get the status message once the replication get completed
10. If any error while the time of replication then you will get the meaningful error message

Force active directory replication through Repadmin command

Open the Command prompt CMD

Syntax:
repadmin /replicate destination_dsa source_dsa Naming Context

Example:
repadmin /replicate server2.Domain.com server1.Domain.com dc=Domain,dc=com

Destination server Name: server2.Domain.com

Source server Name: server1.Domain.com
Naming Context : dc=Domain,dc=com (Domain partition)

Additional switches

/force
This parameter is used to override the Disable Replication option on a directory server. Do not use
this parameter unless you are certain that replication has been disabled, and that you want to
override this setting.

/async
Specifies that the operation will be asynchronous. This means that repadmin starts the replication
event, but it does not expect an immediate response from the destination directory server. Use this
parameter when there are slow links between directory servers.
/full
Forces a full replication of all objects from the destination directory server.

/allsources
A given destination can have multiple sources for the same naming context. Directs the destination
to sync with all sources instead of just one. This parameter cannot be used with source_dsa.

Force replication with all of its replication partners

I would strongly recommend to use the Replmon tool or repadmin command,to force active
directory replication since you will get the meaningful error message and the status message
once the replication get completed

ACTIVE DIRECTORY TROUBLESHOOTING

Windows Server 2012 Active Directory Trust

Relationship Problem
By ganesamoorthy s | June 16, 2016

0 Comment

You use to get the error message The security Database on the server does not have a computer
account for this workstation trust relationship. or shows Login ID or password incorrect while the
time of logon on Windows Server 2012 R2, most recommended solution is re-join toActive
Directory Domains or rebuild the server to fix the issue, before doing re-join/rebuild just make sure all
the configuration like SPN (ServicePrincipalName), UPN (UserPrincipalName) are correctly
configured, will discuss in detail with steps

Also Read: How to troubleshoot workstation Trust relationship issues on Domain

Will get the error like below while the time of Domain Login
How to check UserPrincipalName and DNSHostName

Go To Run
Type ADSIEDIT.msc
Browse to the computer object
Click Properties
Check the UserPrincipalName and DNSHostName Value
UserPrincipalName should be computername@Domainname([email protected])
DNSHostName should be computername.domainname (computer1.windowstricks.in)
Correct the value if require

Also Read: Domain Account unable to log-in with cached credentials on Windows 10

How to check the ServicePrincipalName

Open CMD
Type below command setspn l computername (setspn l computer1)
You should get below result
HOST/computer1
HOST/computer1.windowstricks.in
Correct the value if require

Also Read: Shortcut Keys for Windows server 2012 and 2012 R2

If the affected servers are on VM

Check the Time and time sync issue on affected servers, If servers are hosted on VMs then disable
time sync on vmware, so that all client will sync their time from domain PDC, check my previous
article Can my hyper-v server be a Windows Time Server?
Also Read: Differences between Windows Server 2012 R2 Hyper-V and Hyper-V Server 2012 R2

Also Try this

Issue may be with NETBIOS Name on Domain name, try to rejoin back to Domain using NETBIOS
Nam(domain), unlike the Domain FQDN (domain.com) while joining the affected server to Domain

If any of above solution fixing the issue, re-join the affected server back to Domain and also try to
rebuild the server to fix the issue

Account lockout caller computer name

blank, CISCO, workstation and domain
controller
By ganesamoorthy s | June 10, 2016

0 Comment

I have worked on many complicated account lockout issues, lockout event showing wrong source
machine like caller computer name empty, workstation, Cisco, and some time it shows the domain
controller name itself, some time workstation name in the lockout event does not exist in AD, in my
earlier article (Account Lockout) have explained how to find the source of lockout without any tools,
in this post I will explain in details how to find the exact correct offending system

Also Read: Active directory user attributes auditing using object Meta

Since we are using multiple applications with single sign on (SSO) and having different
forest/Domain environment which complicate the simple lockout issue, no worries! For all the above
issue almost same solution which help you to fix the issue

If lockout causing system not within Active Directory then you will see issue like this, and application
like proxy server, messaging application like exchange server, Java application, UNIX system which
is not directly connected to active directory services

Also Read: Lastlogon and Lastlogontimestamp attribute value in CSVDE output

Enable netlogon logging for account lockout on Source DC

First Enable netlogon logs on source DC and review the log on lockout time, you find the lockout
system/server details with IP address

Open CMD with Admin privilege (Command prompt)

Run below command
Nltest /DBFlag:2080FFFF
And run below commands to restart netlogon Service
net stop netlogon
net start netlogon

Wait for next lockout and open %windir%\debug\netlogon.log to review the logs

Also Read: How to extract bulk object from AD with list of attributes (Part 1)

Further Analysis to trace the lockout system

Some time even netlogon logs point to different DC/server, in that case you have to enable Enable
netlogon logs on that DC/server to find the source of lockout

In my experience, find the sample account lockout scenario

Child Domain DC showing the root Domain DC

Root Domain DC shows the Trusted Domain DC
Trusted Domain DC shows different DC from Same Domain
Again this DC shows exchange server
Exchange server shows the handheld device IP

All you have to do trace the lockout system by enabling netlogon logs to reach the actual lockout
system

Also Read: Windows Server Administrator Interview Questions and Answers

How to find Computers with Trust

relationship issues on your Domain
By ganesamoorthy s | April 17, 2016
0 Comment

One of my readers facing the problem is that many of the PCs are having Trust relationship issues
but he doesnt have a list of PCs which are having this issue. The users are able to login to the
domain account in these PCs and Group policies also seem to work in many of these PCs

Before list the workstation with Trust relationship issues on your Domain, read How to troubleshoot
workstation Trust relationship issues on Domain, on my previous article, checking a single computer
is easy one, just use the net command and loop command can be used for list of computers

Also Read: AD Slow Authentication and prompting for credentials again and again

How to find computer account issue

You can check this with net command to check the trust relationship, run this from local Domain
controller with Domain Admin permission

net use \\computername

net view \\computername

Computer must me connect to network to check this, you will get the Access is denied error or any
other error

Also Read: Active Directory Replication failed with Target principal name is incorrect

Comman To check this for list of Computers or all Domain joined systems

Looping can be used to check the bulk computers, like below command
For /f "tokens=1-3 delims=;" %a in (list.txt) do net use \\"%a" >>c:\temp\result.txt

Review the result file to find the affected computers in the newtwork

Also Read: Active directory Troubleshooting (Part1 Diagnostics Logging)

Powershell Command to check Trust relationship issues on all the computers in a Domain

Import-Module ActiveDirectory

$computers = Get-ADComputer -Filter *

Foreach ($computer in $computers)

Enter-PSSession -ComputerName $computer -Credential #<Provide the username>#

Invoke-Command -ComputerName $computer -ScriptBlock { $a = Test-ComputerSecureChannel }

if ($a -eq 'True')

Add-Content "c:\ComputerDetailsWithCorrectTrustRelationship.txt" $computer + ";" + $a

else

Add-Content "c:\ComputerDetailsWithWrongTrustRelationship.txt" $computer + ";" + $a

}
}

How to troubleshoot workstation Trust

relationship issues on Domain
By ganesamoorthy s | April 11, 2016

0 Comment

How Trust relationships affect the Computers?

Domain joined workstations and member servers are had a Trust relationship with Domain in order to
authenticate, and reset the computer account password every 30 days by default, you will get the
below error if any mismatch between computer password on workstation and on Domain controller

Also Read: Active Directory Replication failed with Target principal name is incorrect

Also Read: AD Slow Authentication and prompting for credentials again and again

Event ID 5723: The trust relationship between this workstation and the primary domain failed.

The session setup from the computer DOMAINMEMBER failed to authenticate.

The name of the account referenced in the security database is DOMAINMEMBER$.

How to check and confirm computer account issue

You can check this with net command to check the trust relationship, run this from local Domain
controller with Domain Admin permission

net use \\computername

net view \\computername

Computer must me connect to network to check this, you will get the Access is denied error or any
other error

Also Read: Domain Controller failed test Machineaccount on DCDIAG

Why this error occurs/ trust relationship between this workstation and the primary domain
failed

As I said all computer account change the password every 30 days by default, while doing the
password change it contacted authenticated Domain Controller/ secure channel (SC) Domain
Controller, if any network issue between Domain controller and workstation will affected the new
change password update to DC and that cause the issue

Also Read: Active directory Troubleshooting (Part1 Diagnostics Logging)

Solution:

Mostly this will affect the legacy operating system like Windows Xp/windows server 2003, just disjoin
and rejoin the machine to the domain to resolve the issue, you should have a required permission to
do this

Operating system like windows server 2008/2012 are not affected by this issue, even the same
solution will apply if you get this issue in windows server 2008/2012 R2

Also Read: Active Directory real time issues and solutions

Monitor NTLM authentication delays and
issues on Windows 2008 and 2012
By ganesamoorthy s | July 26, 2015

0 Comment

Also Read: AD Slow Authentication and prompting for credentials again and again
intermittently and experience time-outs when you connect to Authenticated Services

Install http://support.microsoft.com/kb/2654097 to enable event log entries that track NTLM

authentication delays and failures

After installing the above hotfix, EventLogPeriodicity and WarningEventThreshold registry entries
needs to be configured as per your requirement

Event ID: 5816 to Event ID: 5819 has been logged for if any error or warning condition is met

Some of the issues in application end for NTLM authentication delays

Web Services and Web Proxy:

Web clients are frequently prompted for credentials

Web clients receive delayed responses from the web server.

Exchange client:

Outlook receives delayed responses from the server.

Outlook is frequently prompted for credentials

Some of known issues for high authentication flow and authentication delays

There are highly transactional and heavily used application services in the environment.
There is heavy use of scripts that use the NTLM authentication through WINNT provider
Not properly configured applications and services to use Kerberos authentication (SPN
Configuration to use only Kerberos)

Bottleneck:

Mostly occurs when a high volume of NTLM authentication or Kerberos PAC validation transactions
occur on an application server, and that volume is greater than the volume that can be handled at
one time by the application server or the domain controllers that are providing authentication.

Also Read: Troubleshoot Active Directory Server Replication

Solution:

For applications and services that are using NTLM, just configure them to use Kerberos
authentication only.

Default Maxconcurrentapi Value:

Workstations One of the threads available for use

Member servers Two of the threads available for use

Domain controllers One available thread per security channel to trusted domains

Configure MaxConcurrentApi :

Have a calculation to decide what value to set for the MaxConcurrentApi setting in your
environment to resolve the issue, refer https://support.microsoft.com/en-us/kb/2688798

Also See: Active Directory real time issues and solutions

Replsummary showing unknown for largest

delta on AD replication checks
By ganesamoorthy s | July 12, 2015

0 Comment
Largest delta would report as unknown on Source DC while running Repadmin /replsummary for
your Domain and Forest, since its showing unknown and didnt see the replication delta value and
unable to find the affected Destination DC, will describe how to find the Destination DC

Why its reporting unknown?

How to find the affected Destination DC?

Also Read: Active Directory Replication failed with Target principal name is incorrect

Its not easy to find the Destination DC, since the connection object has not completed the first
replication cycle, it wont be available from Repadmin /replsummary output

Need to query each connection object from the Forest to find the Destination DC

Csvde -f c:\temp\list.csv -d "CN=Configuration,DC=Domainname,DC=com" -r (fromServer=*) -l

fromserver

list.csv file contains all the connection object DN from your Forest and there fromserver attribute
value

This will also be used to check the opposite side of connection object, AD replication is two way pull
replication and repadmin /showrep will show the connection object of respective Domain Controller
and if you want to see what Domain Controller is pulling replication from this Domain Controller, then
above method can be used
This can be easy in a very small environment with less then 10 Domain Controller, you can check
this manually by running repadmin /showrep on each Domain Controller, let say you have a very
large environment with more then a 100 DC then manual method cant be easy and above procedure
will find this in a easy way, hope this will help you to troubleshoot Active Directory replication issues

Also Read:Replication failed with The destination server is currently rejecting replication requests
Error

Active Directory real time issues and solutions

As an Windows AD Administrator I have many Active Directory real time issues and solutions, we
have seen the questions like, Tel me about 2 real time issues which you have faced in your current
Active Directory environment, share one or two challenging issues which you have worked and
resolved, Tel me most challenging issues you recently involved

Active Directory real time issues and solutions

DNS Entry of Domain Controller is Resolving to Incorrect value

Replsummary showing unknown for largest delta on AD replication checks

Domain Controller failed test Machineaccount on DCDIAG

AD Slow Authentication and prompting for credentials again and again

How secure channel determine the Domain controller in cross-forest

Active directory Troubleshooting

Active Directory Replication failed with Target principal name is incorrect

Replication failed with The destination server is currently rejecting replication requests Error
Troubleshoot Active Directory Server Replication

Group Policy (GPO) real time issues and solutions

Issue managing IE configuration through GPO

Why we cant edit/view windows 2008, Vista and windows 7 GPO settings from windows 2003

Gpresult failed with ERROR Access Denied

Home page URL not working for IE7

GPO update failed in Slow Link VPN site with Event ID 1000 and 1054

Group Policy Processing over Slow Links

Group Policy slow link detection on windows server 2008

Other real time issues and solutions, Printer, User Profile and Account lockout

Account lockout

How to resolve the Print Spooler service crash issue (Print spooler service is not running)

How to find the domain controller that contains the lingering object

Reconfigure roaming profile folder and home folder permission for all the users

Roaming profile issues

DNS Entry of Domain Controller are Resolving to
Incorrect value
One of the Domain Controller DNS entries pointing to wrong IP Address (resolving with the wrong IP
address) which is affected Active Directory authentication and other services. This is a unique issue
which I have come across

Its a single forest with multiple child domains as the architecture, when try to resolve one of the child
Domains Domain Controller from other child domain, it resolve to incorrect value and after sometime
the DNS servers will resolve with the correct IP addresses

Affected Domain Controller configured with Correct IP and no issues with DNS resolution with in
same domain, issue seen if we resolve from other child domain and was very intermittent, sometime
resolves correct IP and sometime not

Root Cause:

Cross Domain DNS resolution through DNS zone delegation (not through DNS forwarder
/conditional forwarder), found the wrong IP configured on the NS record from DNS zone delegation
for child domain on root Domain

Domain Controllers on all child domains are configured with DNS forwarder to root Domain and DNS
zone delegation configured for all child domains on root Domain, will able to resolve any Domain
DNS from All the Domains

Solution:

DNS zone delegation with manual NS record that causes the issue, if we change the Domain
Controller IP address, need to change the NS record IP address on DNS zone delegation to avoid
this issue

Need to configure conditional forwarder on all DNS servers for each Domain with multiple IP address
for redundancy
Force DFS Replication/Force DFSR Members to
Replicate on windows server 2008 and 2012
Force sysvol replication on windows server 2008/2012, FRS has been replaced by DFSR Replication
engine for replicating the SYSVOL folders from Windows Server 2008 & wundows server 2012 and
file replication performance has been improved with many new features, Microsoft manage to fix
most of the bottlenecks, improved command line support, Content Freshness, handling unexpected
shutdowns and reporting

Learn more on Force FRS Replication on windows 2000/2003, from my old article

There are many ways to replicate DFSR folders, will start with DFS Management

DFS Management tool includes the ability to force the replication to occur immediately
by overriding the replication schedule

Open DFS Management Tool

On console tree under the Replication node

Select the appropriate replication group

Select Connections tab

Right-click the member you want to use to replicate

And then click Replicate Now

Forcing DFSR replication through Dfsrdiag

You can also force the replication using Dfsrdiag SyncNow command

For Sysvol folder on Domain Controller

Run this from one Domain Controller and specify the other Domain Controllers in the partner
parameter

Dfsrdiag syncnow /rgname:domain system volume /partner:dc2 /time:1 /verbose

For other folders on DFSR Server

Dfsrdiag SyncNow /partner:dfsserver2 /rgname:domainname\app\folder1 /member:dfsserver1

/time:5

Force the replication using the Dfsrdiag PollAD command, DFSR server will check with Active
Directory for replication changes and same has been replicated, need this to be run from destination
DFSR server

c:\Dfsrdiag PollAD

Understand more about SYSVOL folder structure

General SYSVOL troubleshooting

How SYSVOL replication works

Force FRS Replication on windows 2000/2003

Command to find Duplicate SPN

Kerberos requires that the SPN be unique and there should be a single SPN configured for a
particular service with a service account on a computer object, some time we use to get the system
Event 11, find the below example

The KDC encountered duplicate names while processing a Kerberos authentication request. The
duplicate name is <insert name here>. This may result in authentication failures or downgrades to
NTLM. In order to prevent this from occurring remove the duplicate entries for <insert name here yet
again> in Active Directory. more

Command to find duplicate service principal name in active directory

csvde -f C:\Temp\spn.csv -d dc=domain,dc=in -r (ServicePrincipalName=*computer_name*) -l
cn

Above command will return all the object which contain servername on ServicePrincipalName
attribute on domain.in Domain

Finding the Duplicate SPN in Windows 2008 is very simple, yes we have an updated SETSPN
command which has a X and -Q switch and this can be used to find the Duplicate service principal
name

setspn -X

Here are the new switches for SetSPN that ships with Windows 2008:

Modifiers:
-F = perform the duplicate checking on forestwide level
-P = do not show progress (useful for redirecting output to file)

Switches:
-R = reset HOST ServicePrincipalName
Usage: setspn -R computername
-A = add arbitrary SPN
Usage: setspn -A SPN computername
-S = add arbitrary SPN after verifying no duplicates exist
Usage: setspn -S SPN computername
-D = delete arbitrary SPN
Usage: setspn -D SPN computername
-L = list registered SPNs
Usage: setspn [-L] computername
-Q = query for existence of SPN
Usage: setspn -Q SPN
-X = search for duplicate SPNs
Usage: setspn -X

The Q switch is really the nice feature here. This allows you to see if an SPN is already out on your
domain. You could also combine this with the F modifier to look through the whole forest.

C:\>setspn -q MSSQLSvc/computer_name:1433
No such SPN found.

C:\>setspn -q MSSQLSvc/computer_name.mydomain.com:1433
CN=MYMACHINE,OU=Workstations,DC=mydomain,DC=com
MSSQLSvc/mymachine.mydomain.com:1433
HOST/MYMACHINE
HOST/MYMACHINE.MYDOMAIN.COM

Existing SPN found!

For more info https://technet.microsoft.com/en-us/library/cc733945(v=ws.10).aspx

How to find Computers with Trust

relationship issues on your Domain
By ganesamoorthy s | April 17, 2016

0 Comment

Also Read: AD Slow Authentication and prompting for credentials again and again

How to find computer account issue

You can check this with net command to check the trust relationship, run this from local Domain
controller with Domain Admin permission

net use \\computername

net view \\computername

Computer must me connect to network to check this, you will get the Access is denied error or any
other error

Also Read: Active Directory Replication failed with Target principal name is incorrect

Comman To check this for list of Computers or all Domain joined systems

Looping can be used to check the bulk computers, like below command

For /f "tokens=1-3 delims=;" %a in (list.txt) do net use \\"%a" >>c:\temp\result.txt

Review the result file to find the affected computers in the newtwork

Also Read: Active directory Troubleshooting (Part1 Diagnostics Logging)

Powershell Command to check Trust relationship issues on all the computers in a Domain

Import-Module ActiveDirectory

$computers = Get-ADComputer -Filter *

Foreach ($computer in $computers)

{

Enter-PSSession -ComputerName $computer -Credential #<Provide the username>#

Invoke-Command -ComputerName $computer -ScriptBlock { $a = Test-ComputerSecureChannel }

if ($a -eq 'True')

Add-Content "c:\ComputerDetailsWithCorrectTrustRelationship.txt" $computer + ";" + $a

else

Add-Content "c:\ComputerDetailsWithWrongTrustRelationship.txt" $computer + ";" + $a

How to troubleshoot workstation Trust

relationship issues on Domain
By ganesamoorthy s | April 11, 2016

0 Comment

How Trust relationships affect the Computers?

Also Read: Active Directory Replication failed with Target principal name is incorrect

Also Read: AD Slow Authentication and prompting for credentials again and again

Event ID 5723: The trust relationship between this workstation and the primary domain failed.

The session setup from the computer DOMAINMEMBER failed to authenticate.

The name of the account referenced in the security database is DOMAINMEMBER$.

How to check and confirm computer account issue

You can check this with net command to check the trust relationship, run this from local Domain
controller with Domain Admin permission

net use \\computername

net view \\computername

Computer must me connect to network to check this, you will get the Access is denied error or any
other error

Also Read: Domain Controller failed test Machineaccount on DCDIAG

Why this error occurs/ trust relationship between this workstation and the primary domain
failed
As I said all computer account change the password every 30 days by default, while doing the
password change it contacted authenticated Domain Controller/ secure channel (SC) Domain
Controller, if any network issue between Domain controller and workstation will affected the new
change password update to DC and that cause the issue

Also Read: Active directory Troubleshooting (Part1 Diagnostics Logging)

Solution:

Operating system like windows server 2008/2012 are not affected by this issue, even the same
solution will apply if you get this issue in windows server 2008/2012 R2

Office 365 DirSync Error: Unable to update

this object because of missing attributes
By ganesamoorthy s | November 4, 2015

0 Comment

One of our reader has an issue with the Office 365 syncing with their on-premises active directory,
getting below error while running DirSync, error is as follows

Unable to update this object because the following attributes associated with this object have values
that may already be associated with another object in your local directory services

IdFix DirSync Error Remediation Tool identifies the issues with DirSync, and it appears that the
targetAddress and mailnickname attribute is causing the issue and further troubleshooting found the
targetAddress and mailnickname attributes are missing on on-premises AD user account that are set
in office 365
Also Read: Unable to archive older emails in Microsoft Office 365

targetAddress and mailnickname attributes are not under user properties in adsiedit also, so issue
with the attributes not the attributes values

Why targetAddress and mailnickname are requited for Office 365 to DirSync with AD

During co-existence, if Office 365 users need to see Global Address List then targetAddress and
mailnickname attributes are required with other mandatory attributes, you need to populate these AD
attributes

Reed Also: Active Directory on Cloud

Why targetAddress and mailnickname are attributes are missing?

If you cannot find this attributes then need to prepare the AD Schema for Exchange to resolve the
issue, you need to run the below command from the Exchange 2010 media to add this attribute to
the AD Schema

setup /PrepareSchema

Note: Should be member of Schema Admins and Enterprise Admins groups and server should be64-
Bit and holding the Schema Master role (Dont use setup.exe to run this command, just use setup)

Once schema extensions been added, we are able to use idfix to make the changes to my user
object and sync up the changes to azure AD

Also Read: Difference between DirSync, Azure AD Sync and Azure AD Connect

DNS Entry of Domain Controller are

Resolving to Incorrect value
By ganesamoorthy s | May 24, 2015

1 Comment
One of the Domain Controller DNS entries pointing to wrong IP Address (resolving with the wrong IP
address) which is affected Active Directory authentication and other services. This is a unique issue
which I have come across

Root Cause:

Solution:

DNS zone delegation with manual NS record that causes the issue, if we change the Domain
Controller IP address, need to change the NS record IP address on DNS zone delegation to avoid
this issue

Need to configure conditional forwarder on all DNS servers for each Domain with multiple IP address
for redundancy

Active directory user attributes auditing

using object Meta
By ganesamoorthy s | May 12, 2015

1 Comment
On active directory auditing we want to know who, when and where the Active Directory Attributes
are changed, like who removed the group from an Active directory user account, who changed the
account description or any other Active directory object attribute changes

All Active directory object changes are stored in object Meta and can be viewed through repadmin
command, its been very useful if you want to know the last changes on any attributes in an object
(User Object, Computer Object, Group Object and any other AD Object)

To get the LDAP path/ User DN

Dsquery user name <name>

To get LDAP path for Group, Computer, OU and other object, please check Find distinguished name
(LDAP path for the object)

To List the User object Meta

Repadmin /showobjmeta <User DN>

On the above Repadmin /showobjmeta output, list all the attribute changes with attribute name on
the right side and when the change happened with time and date on Org.Time/Date, we also get
the Originating DC

From output, find the attribute name and check the Originating Domain Controller for that
attribute change
Log in to Originating Domain Controller
Open the Event viewer
Select the Security logs
Scroll down to date and time on the Org.Time/Date
Now you will see attribute change Event with who done the change
Event log might get overwritten and you wont able to see the logs for requited date and meta will
only show the last attribute change even it got attribute updated many times, if user membership
removed on Monday and Friday, we only able to find the Fridays change because the user Meta on
Active Directory been overwritten on Friday, you can use this to do active directory auditing

Force DFS Replication/Force DFSR Members

to Replicate on windows server 2008 and
2012
By karthick s | April 23, 2015

0 Comment

Force sysvol replication on windows server 2008/2012, FRS has been replaced by DFSR Replication
engine for replicating the SYSVOL folders from Windows Server 2008 & wundows server 2012 and
file replication performance has been improved with many new features, Microsoft manage to fix
most of the bottlenecks, improved command line support, Content Freshness, handling unexpected
shutdowns and reporting

Learn more on Force FRS Replication on windows 2000/2003, from my old article

There are many ways to replicate DFSR folders, will start with DFS Management

DFS Management tool includes the ability to force the replication to occur immediately
by overriding the replication schedule

Open DFS Management Tool

On console tree under the Replication node

Select the appropriate replication group

Select Connections tab

Right-click the member you want to use to replicate

And then click Replicate Now

Forcing DFSR replication through Dfsrdiag

You can also force the replication using Dfsrdiag SyncNow command

For Sysvol folder on Domain Controller

Run this from one Domain Controller and specify the other Domain Controllers in the partner
parameter

Dfsrdiag syncnow /rgname:domain system volume /partner:dc2 /time:1 /verbose

For other folders on DFSR Server

Dfsrdiag SyncNow /partner:dfsserver2 /rgname:domainname\app\folder1 /member:dfsserver1

/time:5

c:\Dfsrdiag PollAD

Understand more about SYSVOL folder structure

General SYSVOL troubleshooting

How SYSVOL replication works

Force FRS Replication on windows 2000/2003

Command to find Duplicate SPN

By karthick s | April 17, 2015

0 Comment

Find Duplicate SPN: A Service Principal Name (SPN) is a concept from Kerberos. To find a
particular service offered by a particular host within the domain. General Syntax of SPNs is service
class/fqdn@REALM , There are also User Principal Names which identify users, in form
of user@Domain
Kerberos requires that the SPN be unique and there should be a single SPN configured for a
particular service with a service account on a computer object, some time we use to get the system
Event 11, find the below example

Command to find duplicate service principal name in active directory

csvde -f C:\Temp\spn.csv -d dc=domain,dc=in -r (ServicePrincipalName=computer_name) -l

Above command will return all the object which contain servername on ServicePrincipalName
attribute on domain.in Domain

Finding the Duplicate SPN in Windows 2008 is very simple, yes we have an updated SETSPN
command which has a X and -Q switch and this can be used to find the Duplicate service principal
name

setspn -X

Here are the new switches for SetSPN that ships with Windows 2008:

Modifiers:
-F = perform the duplicate checking on forestwide level
-P = do not show progress (useful for redirecting output to file)

The Q switch is really the nice feature here. This allows you to see if an SPN is already out on your
domain. You could also combine this with the F modifier to look through the whole forest.

C:\>setspn -q MSSQLSvc/computer_name:1433

No such SPN found.

C:\>setspn -q MSSQLSvc/computer_name.mydomain.com:1433
CN=MYMACHINE,OU=Workstations,DC=mydomain,DC=com
MSSQLSvc/mymachine.mydomain.com:1433
HOST/MYMACHINE
HOST/MYMACHINE.MYDOMAIN.COM

Existing SPN found!

For more info https://technet.microsoft.com/en-us/library/cc733945(v=ws.10).aspx

How secure channel determine the Domain

controller in cross-forest
By ganesamoorthy s | April 2, 2015

0 Comment

How client computer/member server find the logon Domain Controller from Cress Fores in an Active
Directory envirnment or How secure channel determine the Domain controller in cross-forest

If you are worked on troubleshooting the authentication issues between forests, you might be used
NLTEST tool to check the secure channel Domain controller, did you ever try to know how the
domain controller in one forest select the domain controller in other forest
In a local member server to Domain controller secure channel determined by the site-link and
respective DNS SRV record, like the same way Domain Controller to trusted Domain secure channel
determined by the site-link and respective DNS SRV record if you enabled the Site synchronization

Site synchronization

To locate the closest Domain Controller from the trusted domain, Domain should have knowledge of
the trusted domains site and site-link, you have to define the subnet of the DC in trusted Domain site

its like add the same subnet on both the Forest with corresponding site to match the user
authentication

To check how logon server from trusted forest been determined by the client , check the current
authenticated Domain Controller from client, and check the current secure channel/authenticated
Domain Controller from authenticated DC

Below command has been used to find the current authenticated DC from a Domain

Nltest /dsgetdc:Domain Name

Below command has been used to find the current secure channel Domain controller from
a Domain

Nltest /SC_QUERY:<DomainName>

Below command has been used to reset the secure channel to select different Domain
controller from corresponding Domain/Forest

Nltest /SC_RESET:<DomainName>

This will select the Domain Controller as per the design

If you want to reset the secure channel to select specific Domain controller
from corresponding Domain/Forest

Nltest /SC_RESET:<DomainName> \<DcName>

Seems to be simple and this is how secure channel determine the Domain Controller in Cross Forest

Can I restore a schema partition?

By mail2spi2014 | January 11, 2014
0 Comment

Straightforward answer is NO, Any change done in the schema cant be revert back by deletion or
restore, however we can deactivate the change (like attribute), there is no supported way of restoring
schema from the backup and you cant do authoritative restore of schema partition, the only option is
to do the forest
recovery

If its affected single DC then you can simply remove the DC by performing the metadata cleanup

Here are some of the alternatives for potential roll-back strategies:

1. Isolate schema master by disabling inbound/outbound replication, then perform the schema
update on the schema master, if something goes bad, blow up the schema master and repair the rest
of the forest (seize schema master on another DC and clean out the old schema master).

2. Shut down/stop replication on select DCs, may be 2 DC from each Domain and do the schema
upgrade, if something goes bad, kill all the DCs that were on-line and may have potentially replicated
the bad schema. Light up the DCs that were offline and repair/restore your forest. Please see the
best practice for schema change

Active directory Troubleshooting (Part1

Diagnostics Logging)
By mail2spi2014 | June 13, 2013

2 Comments

How do I find what is accessing my LDAP Server and what LDAP query used
and how many queries for a period of time?

Troubleshooting Active Directory issues like authentication failures, performance issues

and logon issues, we can use different methods to monitor the AD, I will discuss more
about enabling diagnostics logging, adding related counters on performance monitor to
monitor the AD, Enabling debug logging for the Net Logon service

As an Active Directory Administrator did any one asked the questions like, how many
search operations Active Directory performed and who searched from which server?
Number of secure channel connection to which Domain and Domain controller? Number
of Kerberos authentications on the server per second? Number of connected LDAP client
sessions

While doing the troubleshooting you may have this question or some one asked the
question to resolve the issue, am going discuss how to find the answer for this

Also See: How secure channel determine the Domain controller in cross-forest

Active Directory Diagnostics logging

To get more data about the directory service we have to enable Active Directory
Diagnostics logging to respective Domain controllers in the registry
(HKLMSYSTEMCurrentControlSetServicesNTDSDiagnostics)

We have below values in Diagnostics logging, when enabled, it will dump additional
events into the DC event log to assist with troubleshooting. You can change these
values from zero to five, the default value is zero, meaning minimal verbosity, and a
setting of five will dump more than you want, normally I use four (if require five)

Note: Make sure to reset the value to zero when troubleshooting is completed

The most common values for Active Directory Diagnostics logging:

1 Knowledge Consistency Checker

10 Performance Counters
13 Name Resolution (this is DNS related)
15 Field Engineering
18 Global Catalog
2 Security Events
5 Replication Events
8 Directory Access
9 Internal Processing
I have used 15 Field Engineering value many times to find the inefficient LDAP queries
including the client who was the source of the query with query string and the root of
the query. This is important because one of the headaches related to AD is the LSASS
process (Local System Authority Subsystem Service) using up enough resources to
hang or crash a DC and cause client log on delays. Inefficient LDAP queries by a user or
by an application or Linux client log on will put a huge load on LSASS. Enabling this
diagnostic log will quickly identify the affected system or IP address in your network
that casing the problem, so you will know which system searching the AD (querying the
info from AD) and what info the system searching, this will help you to find the root
cause of the issue, it helped me in many occasions

Also See:Active Directory real time issues and solutions

Example Events:
You will receive Event ID: 1643 if the value of 15 Field Engineering set to 4

Event Type: Information

Event Source: NTDS General
Event Category: Field Engineering
Event ID: 1643
Date: 28/05/2012
Time: 1:35:26 p.m.
User: NT AUTHORITYANONYMOUS LOGON
Computer: server1
Description:

Internal event: Active Directory performed the following number of search operations
within this time interval.

Time interval (hours):

Number of search operations:

30937

During this time interval, the following number of search operations were characterized
as either expensive or inefficient.

Expensive search operations:0

Inefficient search operations:0

You will receive Event ID: 1644 if the value of 15 Field Engineering set to 5

If you set the value to 5 you will see an event entry for each search against the
directory that breaches the inexpensive and/or inefficient search thresholds.

Event Type: Information

Event Source: NTDS General

Event Category: Field Engineering
Event ID: 1644
Date: 28/05/2012
Time: 10:06:25 a.m.
User: TMAdministrator
Computer: server1
Description:
Internal event: A client issued a search operation with the following options.

Client:
192.168.100.1

Starting node:
DC=test,DC=com

Filter: ( & (objectClass=user)

(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=test,DC=com)
(sn=z*) )

Search scope:

subtree

Attribute selection:

sAMAccountName

Server controls:

Visited entries:

24579

Returned entries:

Conclusion:

But you wont actually see anything in the event log until you have enabled diagnostics
logging by modifying the registry.

Like that for replication troubleshooting, you can enable 1 Knowledge Consistency
Checker and 5 Replication Events, The 9 Internal Processing value is for getting
additional details for DS events that indicate an internal error has occurred. This will
often cause additional events that will aid in diagnosing the problem

Part 2 of Active Directory Troubleshooting article, hope this will help you
AD Slow Authentication and prompting for
credentials again and again
By mail2spi2014 | December 20, 2013

0 Comment

AD Slow Authentication and prompting for credentials again and again (Active directory
Troubleshooting Part 2)

Its a most common issue in a complicated Active Directory environment, before am going to discuss
about the authentication issues, I would like to discuss about the Active Directory basics like Pass
through authentication, AD secure channel, NTLM and Kerberos

Also See: Active Directory real time issues and solutions

Pass through authentication

If you are worked on multi Domain/Forest environment or environment designed with user forest and
resource forest, an Exchange Server resource forest topology has two forests. One forest contains
the all the user accounts for your organization. This forest is called the user forest (accounts forest).
The other forest does not contain any user accounts. It only contains the Exchange Server and
disabled user accounts, in simple you have one Active Directory forest where your user accounts live
and another Active Directory forest where your application are lives (Exchange server, File server)

In the above scenario Domain controller receiving the request from Exchange/file server to verify the
user access, this must pass the request to Domain controller in the user forest, we should have the
trust between domain of the server (called the resource domain/forest) and the domain of the user
account (called the account domain/forest)

User from Domain A try to access application on server from Domain B, application server in
Domain B doesnt have user detail, it will check the local Domain controller on Domain B through
workstation secure channel, and Domain controller on Domain B check the Domain controller on
Domain A through trusted domain secure channel and Domain A return back the authentication to
Domain B its called the pass through authentication since the user authentication request been
passed to user domain.

Secure Channel

I have discussed about the secure channel, what is secure channel? Its a communication channel
provides more secure communication path between the domain controller and the workstations or
member servers. It can also be used to retrieve domain-specific information, handling NTLM
authentication pass-through to the domain controller or from DC to DC for the same.

Two Forest or Domain connected through Forest trust / Domain trust, trust establishment is a shared
secret (called a trust password) that domain controller use in the two domains for computing the
session key that is used for protecting the secure channel traffic. By using this secure channel, the
DC in the resource domain can pass logon requests securely to the DC in the account domain, in the
same way that the server passed the logon request to the former DC. The secure channel between
DCs in two domains that are connected via a trust relationship is called a trusted domain secure
channel. In contrast, the secure channel between the member server and the DC in the resource
domain is called a workstation secure channel

While adding a computer to domain, computer account has been created in Activity directory and
password been generated for computer account, computer account password been changed every
30 days and stored in computer and domain controller, while power on the computer, Netlogon
service on computer use the computer account password from the computer is authenticated against
the password on the Domain Controller and establishes a secure channel with that DC, same way
server creates a secure channel with that DC it get authenticated

For Domain controller, Netlogon service sets up secure channels with all the trusted domains (one
Domain controller in each trusted domains) you can check this using Nltest command

To check the current secure channel with a particular Domain

nltest /sc_query:Domain Name

To reset secure channel to different Domain Controller (this will randomly select the Domain
Controller)

nltest /SC_RESET: Domain Name

To reset secure channel to a particular Domain Controller

nltest /SC_RESET: Domain Name Domain Controller Name

You can change the Domain and Domain Controller Name as per your requirement

For remote server you can add

/server: server name

NTLM and Kerberos

NTLM and Kerberos are the protocols used for authentication, we all know NTLM is outdated and
Kerberos is the new protocols used for authentication, Kerberos can impersonate a user when
trusted, so no need to contact Domain controller every time in order to authenticate access to a
resource, If the client is logged on to a domain, the browser never prompts the user for credentials; it
simply uses the users default logon credentials.

We are not using NTLM any more? No still some areas where we have to use NTLM for the sake of
compatibility, RPC over HTTP to connect to an Exchange mailbox. ISA for web proxy servers, lets
go in deep how its works

Client opens a URL through browser

Client browser sent a request to proxy server with integrated authentication credentials
The proxy server needs to verify the user credentials, by sending the authentication request
to the domain controller is has a secure channel
That domain controller responds to the proxy server
The proxy server answers the client with the requested internet page
Seems to be simple however for each web connection from a client, the proxy server needs to verify
the user credentials by sending authentication request to the DC, this will increase the high volume
of NTLM authentication

Think the similar scenario in multi Domain/Forest environment, user in one Forest and proxy server
in other Forest, this will increase the NTLM Pass through authentication traffic

NTLM authentication handled by Netlogon service, passing NTLM authentication requests to a

domain controller that can handle them, and receiving them on that domain controller to be handled,
you can enable debug logging for the Net Logon service to see what happen on the proxy server /
domain controller, like which user getting authenticated to which domain controller

We have number of threads which will authentication request, like number of concurrent NTLM
authentications processed by the server, the defaults are typically 1 for this, meaning that there is
one thread to hand off, receive and process these requests, we can re-configure this through
MaxConcurrentApi

The MaxConcurrentApi thread can only deal with one authentication at a time, in normal scenario it
is very quick. So the high volume of authentication transactions must be handled by one or two
threads (by default) and this will be a bottleneck, which resulting the delay and the authentication
request have to wait longer than a remote client can tolerate

Due to this delay, client browser would ask for a credential prompt rather than the web page he want
to open, so this might be the issue for slow Authentication and prompted for credentials again and
again
We can resolve this by increasing the MaxConcurrentApi value on proxy server, if its a multi
Domain/Forest environment, then we needs to increase the MaxConcurrentApi value on resource
forest Domain Controller, it depends on the configuration

First we have to understand current issue

Enable the Netlogon logs on proxy server and Domain Controller authenticating proxy server
or the proxy server secure channeled Domain Controller
Analysis the log for authentication failure and delay
We can monitor the current secure channel traffic through the perfmon by adding the
counters, Semaphore Waiters, Semaphore Holders, Semaphore Acquires, Semaphore
Timeouts, Average Semaphore Hold Time
Logon to Domain Controller authenticating proxy server
Open perfmon, add counters select Netlogon on performance object
And select Average Semaphore Hold Time
If you dont find the counters, need to install http://support.microsoft.com/kb/928576 hot fix,
This adds New performance counters for Windows Server 2003
If the Average Semaphore Hold Time is greater than normal, Average Semaphore Hold Time should
normally be very quick. Longer hold times mean that a potential bottleneck is occurring, it will delay
authentication process and the authentication request has to wait longer than a remote client can
tolerate, it will slowdown the authentication and prompted for credentials to re-initiate the
authentication process

To calculate MaxConcurrentApi for your environment

http://support.microsoft.com/kb/2688798

It depends on the outcome, you should add more servers to service the legacy authentication load or
increase the MaxConcurrentApi registry value

Warning rules:

Average Semaphore Hold Time > 0.2 should be a yellow warning.

Average Semaphore Hold Time > 0 should be a red warning.

Semaphore waiters > 1 should be a yellow warning.

Semaphore waiters > 4 should be a red warning.

Any Semaphore Timeouts is a red warning.

Conclusion:
Slow Authentication might be due to many issues, like client to DC connectivity, network, subnet and
site configuration, DNS SRV configuration, Profile, logon script and GPO, so you have to analysis
properly to find the root cause, this is the one of the scenarios which I have faced many times in a
complex environment, hope this will help you to understand the Active Directory Authentication and
troubleshooting procedures see you soon in an another article.

Active directory Troubleshooting (Part1 Diagnostics Logging)

Troubleshoot Active Directory Server Replication

Active Directory On-premises User name did

not match with their Office365 User name
By ganesamoorthy s | August 2, 2016

0 Comment

If you connect your on-premises active directory toAzure Active Directory and force Directory
synchronization then your local AD users account been replicated to Azure AD, user accounts in
both the AD will be synch with 100 percentage and local On-premises user able connect Office365
their local user and domain login, some time you may see a mismatch between on-premises active
directory to Office 365 username, how to fix this issue? Is there a way to replicate changes on-
premises to AAD to resolve the mismatch?

Also Read: Can we Replace on-premise Domain Controller with Cloud-based Active Directory

Is above scenario you will see the duplicate user account on Azure Active Directory, one replicated
from on-premises active directory and another existing account on office365/AAD

You will see 2 user account after synchronization through the AD connector, now you have two
users in AAD, one existing user from Azure Active Directory and one replicated user from local active
directory, Is there any way to associate or merge these two users together within AAD

Also Read: Office 365 DirSync Error: Unable to update this object because of missing attributes

Solution:
To fix the issue remove newly created account from Azure AD, then use the soft-match mechanism
to link the on-premises object to Office 365 user accounts for directory synchronization

Follow below steps to match an on-premises user to an Azure AD / Office 365 user account
for directory synchronization (SMTP matching)

Make a note ofprimary SMTP address of the target Office 365 user account
Create a user account in on-premises domain that matches the target Azure AD / Office 365
user account
Set primary SMTP address of the newly created user to match the primary SMTP address of
the target Office 365 user account
Force directory synchronization (details steps from MS)

Hope this will help you to fix the issue, come back for more interesting articles on Windows Tricks

Also Read: Difference between DirSync, Azure AD Sync and Azure AD Connect

Other Microsoft Cloud Services and more about Cloud Computing

Can we Replace on-premise Domain

Controller with Cloud-based Active Directory
By ganesamoorthy s | July 1, 2016

0 Comment

If you are looking for cloud-based Active Directory as a replacement for on-premise domain
controller, like Active Directory without on-premise domain controller, we have an Azure Active
Directory is cloud-based identity and access management service hosted in Microsoft datacenter, If
you are looking to get rid of physical Domain Controller then Virtual machine in Azure or AWS is an
option and is fully supported however if you are looking to get away from running a Windows Server
and all of the usual OS maintenance tasks, like patching, group policies, there is no cloud alternative
available.

Also Read: Active Directory on Cloud (Azure Active Directory)

If you dont have any on-premises server dependencies and are using all cloud services such as
Exchange Online and Onedrive for all file storage, or Microsoft Office 365 solutions and just need
basic Windows desktop management, Azure Active Directory and Intune and windows 10 and there
wont be any servers or server OS to manage/support

Also Read: Windows 10 compatibility with Windows Server 2003

So Windows 10 clients cannot directly communicate with an Azure AD, and Azure AD cant used for
user logon authentication, we cant replace on-premise domain controller with cloud-based
Active Directory

However we can join Windows 10 workstation computer to Azure AD Domain, as per Microsoft this is
for the devices that access cloud services and not a recommended solution who need a fully
functional desktop and Active Directory environment, more from MS on Windows 10 Domain Join

Also Read: Can my hyper-v server be a Windows Time Server?

Recommendation:

Why cant use on-prem Domain Controller, VM can be used and its relatively lightweight,
Local Domain Controller can be sync with Azure Active Directory

Domain Controller Can be moved to virtual machines in Azure

We have to set up a site-to-site Azure Virtual Network from your premises network to Azure, and
migrate local Active Directory Domain Controllers and Active Directory Federation Services (ADFS)
to virtual machines in Azure, should be planned well and you should have a good network
connection between local network with MS Azure network to implement this

Also Read: Windows Server Administrator Interview Questions and Answers

How to find Computers with Trust

relationship issues on your Domain
By ganesamoorthy s | April 17, 2016

0 Comment

Also Read: AD Slow Authentication and prompting for credentials again and again

How to find computer account issue

You can check this with net command to check the trust relationship, run this from local Domain
controller with Domain Admin permission

net use \\computername

net view \\computername

Computer must me connect to network to check this, you will get the Access is denied error or any
other error
Also Read: Active Directory Replication failed with Target principal name is incorrect

Comman To check this for list of Computers or all Domain joined systems

Looping can be used to check the bulk computers, like below command

For /f "tokens=1-3 delims=;" %a in (list.txt) do net use \\"%a" >>c:\temp\result.txt

Review the result file to find the affected computers in the newtwork

Also Read: Active directory Troubleshooting (Part1 Diagnostics Logging)

Powershell Command to check Trust relationship issues on all the computers in a Domain

Import-Module ActiveDirectory

$computers = Get-ADComputer -Filter *

Foreach ($computer in $computers)

Enter-PSSession -ComputerName $computer -Credential #<Provide the username>#

Invoke-Command -ComputerName $computer -ScriptBlock { $a = Test-ComputerSecureChannel }

if ($a -eq 'True')

Add-Content "c:\ComputerDetailsWithCorrectTrustRelationship.txt" $computer + ";" + $a

}
else

Add-Content "c:\ComputerDetailsWithWrongTrustRelationship.txt" $computer + ";" + $a

How to troubleshoot workstation Trust

relationship issues on Domain
By ganesamoorthy s | April 11, 2016

0 Comment

How Trust relationships affect the Computers?

Also Read: Active Directory Replication failed with Target principal name is incorrect

Also Read: AD Slow Authentication and prompting for credentials again and again

Event ID 5723: The trust relationship between this workstation and the primary domain failed.
The session setup from the computer DOMAINMEMBER failed to authenticate.

The name of the account referenced in the security database is DOMAINMEMBER$.

How to check and confirm computer account issue

You can check this with net command to check the trust relationship, run this from local Domain
controller with Domain Admin permission

net use \\computername

net view \\computername

Computer must me connect to network to check this, you will get the Access is denied error or any
other error

Also Read: Domain Controller failed test Machineaccount on DCDIAG

Why this error occurs/ trust relationship between this workstation and the primary domain
failed

Also Read: Active directory Troubleshooting (Part1 Diagnostics Logging)

Solution:
Mostly this will affect the legacy operating system like Windows Xp/windows server 2003, just disjoin
and rejoin the machine to the domain to resolve the issue, you should have a required permission to
do this

Operating system like windows server 2008/2012 are not affected by this issue, even the same
solution will apply if you get this issue in windows server 2008/2012 R2

Office 365 DirSync Error: Unable to update

this object because of missing attributes
By ganesamoorthy s | November 4, 2015

0 Comment

One of our reader has an issue with the Office 365 syncing with their on-premises active directory,
getting below error while running DirSync, error is as follows

Unable to update this object because the following attributes associated with this object have values
that may already be associated with another object in your local directory services

Also Read: Unable to archive older emails in Microsoft Office 365

targetAddress and mailnickname attributes are not under user properties in adsiedit also, so issue
with the attributes not the attributes values

Why targetAddress and mailnickname are requited for Office 365 to DirSync with AD
During co-existence, if Office 365 users need to see Global Address List then targetAddress and
mailnickname attributes are required with other mandatory attributes, you need to populate these AD
attributes

Reed Also: Active Directory on Cloud

Why targetAddress and mailnickname are attributes are missing?

setup /PrepareSchema

Note: Should be member of Schema Admins and Enterprise Admins groups and server should be64-
Bit and holding the Schema Master role (Dont use setup.exe to run this command, just use setup)

Once schema extensions been added, we are able to use idfix to make the changes to my user
object and sync up the changes to azure AD

Also Read: Difference between DirSync, Azure AD Sync and Azure AD Connect

Replsummary showing unknown for largest

delta on AD replication checks
By ganesamoorthy s | July 12, 2015

0 Comment

Largest delta would report as unknown on Source DC while running Repadmin /replsummary for
your Domain and Forest, since its showing unknown and didnt see the replication delta value and
unable to find the affected Destination DC, will describe how to find the Destination DC

Why its reporting unknown?

How to find the affected Destination DC?

Also Read: Active Directory Replication failed with Target principal name is incorrect

Its not easy to find the Destination DC, since the connection object has not completed the first
replication cycle, it wont be available from Repadmin /replsummary output

Need to query each connection object from the Forest to find the Destination DC

Csvde -f c:\temp\list.csv -d "CN=Configuration,DC=Domainname,DC=com" -r (fromServer=*) -l

fromserver

list.csv file contains all the connection object DN from your Forest and there fromserver attribute
value

Also Read:Replication failed with The destination server is currently rejecting replication requests
Error
DNS Entry of Domain Controller are
Resolving to Incorrect value
By ganesamoorthy s | May 24, 2015

1 Comment

One of the Domain Controller DNS entries pointing to wrong IP Address (resolving with the wrong IP
address) which is affected Active Directory authentication and other services. This is a unique issue
which I have come across

Root Cause:

Solution:

DNS zone delegation with manual NS record that causes the issue, if we change the Domain
Controller IP address, need to change the NS record IP address on DNS zone delegation to avoid
this issue

Or
Need to configure conditional forwarder on all DNS servers for each Domain with multiple IP address
for redundancy

Active directory user attributes auditing

using object Meta
By ganesamoorthy s | May 12, 2015

1 Comment

On active directory auditing we want to know who, when and where the Active Directory Attributes
are changed, like who removed the group from an Active directory user account, who changed the
account description or any other Active directory object attribute changes

To get the LDAP path/ User DN

Dsquery user name <name>

To get LDAP path for Group, Computer, OU and other object, please check Find distinguished name
(LDAP path for the object)

To List the User object Meta

Repadmin /showobjmeta <User DN>

Event log might get overwritten and you wont able to see the logs for requited date and meta will
only show the last attribute change even it got attribute updated many times, if user membership
removed on Monday and Friday, we only able to find the Fridays change because the user Meta on
Active Directory been overwritten on Friday, you can use this to do active directory auditing

Command to find Duplicate SPN

By karthick s | April 17, 2015

0 Comment

Command to find duplicate service principal name in active directory

csvde -f C:\Temp\spn.csv -d dc=domain,dc=in -r (ServicePrincipalName=*computer_name*) -l
cn

Above command will return all the object which contain servername on ServicePrincipalName
attribute on domain.in Domain

Finding the Duplicate SPN in Windows 2008 is very simple, yes we have an updated SETSPN
command which has a X and -Q switch and this can be used to find the Duplicate service principal
name

setspn -X

Here are the new switches for SetSPN that ships with Windows 2008:

Modifiers:
-F = perform the duplicate checking on forestwide level
-P = do not show progress (useful for redirecting output to file)

The Q switch is really the nice feature here. This allows you to see if an SPN is already out on your
domain. You could also combine this with the F modifier to look through the whole forest.

C:\>setspn -q MSSQLSvc/computer_name:1433
No such SPN found.

C:\>setspn -q MSSQLSvc/computer_name.mydomain.com:1433
CN=MYMACHINE,OU=Workstations,DC=mydomain,DC=com
MSSQLSvc/mymachine.mydomain.com:1433
HOST/MYMACHINE
HOST/MYMACHINE.MYDOMAIN.COM

Existing SPN found!

For more info https://technet.microsoft.com/en-us/library/cc733945(v=ws.10).aspx

How secure channel determine the Domain

controller in cross-forest
By ganesamoorthy s | April 2, 2015

0 Comment

How client computer/member server find the logon Domain Controller from Cress Fores in an Active
Directory envirnment or How secure channel determine the Domain controller in cross-forest

In a local member server to Domain controller secure channel determined by the site-link and
respective DNS SRV record, like the same way Domain Controller to trusted Domain secure channel
determined by the site-link and respective DNS SRV record if you enabled the Site synchronization

Site synchronization

To locate the closest Domain Controller from the trusted domain, Domain should have knowledge of
the trusted domains site and site-link, you have to define the subnet of the DC in trusted Domain site

its like add the same subnet on both the Forest with corresponding site to match the user
authentication
To check how logon server from trusted forest been determined by the client , check the current
authenticated Domain Controller from client, and check the current secure channel/authenticated
Domain Controller from authenticated DC

Below command has been used to find the current authenticated DC from a Domain

Nltest /dsgetdc:Domain Name

Below command has been used to find the current secure channel Domain controller from
a Domain

Nltest /SC_QUERY:<DomainName>

Below command has been used to reset the secure channel to select different Domain
controller from corresponding Domain/Forest

Nltest /SC_RESET:<DomainName>

This will select the Domain Controller as per the design

If you want to reset the secure channel to select specific Domain controller
from corresponding Domain/Forest

Nltest /SC_RESET:<DomainName> \<DcName>

Seems to be simple and this is how secure channel determine the Domain Controller in Cross Forest

Windows Server 2012 Active Directory Trust

Relationship Problem
By ganesamoorthy s | June 16, 2016

0 Comment

Will get the error like below while the time of Domain Login

How to check UserPrincipalName and DNSHostName

Also Read: Domain Account unable to log-in with cached credentials on Windows 10

How to check the ServicePrincipalName

Open CMD
Type below command setspn l computername (setspn l computer1)
You should get below result
HOST/computer1
HOST/computer1.windowstricks.in
Correct the value if require

Also Read: Shortcut Keys for Windows server 2012 and 2012 R2

If the affected servers are on VM

Also Read: Differences between Windows Server 2012 R2 Hyper-V and Hyper-V Server 2012 R2

Also Try this

Issue may be with NETBIOS Name on Domain name, try to rejoin back to Domain using NETBIOS
Nam(domain), unlike the Domain FQDN (domain.com) while joining the affected server to Domain

If any of above solution fixing the issue, re-join the affected server back to Domain and also try to
rebuild the server to fix the issue

Why PowerShell remoting cant be enabled

on a Windows server 2008
By ganesamoorthy s | September 27, 2015

0 Comment

By default PSRemoting is disabled in Windows server 2008, is there any reason why PowerShell
remoting cant be enabled on the Windows server 2008 box? And of course we can enable manually
through multiple ways, any security risks/issues on Windows server

To address about risks/issues of enabling it, there might actually be none. The question is why did
Microsoft have it disabled as default in Windows Server 2008 but enabled in 2012? Usually there are
three reasons why the default behaviour of a service/feature/role changes between OS releases,
surprisingly didnt find any info on public domain

Also Read: Enable Powershell Remoting on Windows server 2008 R2 and 2012

Some of my understanding why PowerShell remoting cant be enabled on a Windows server

2008
The opposite of feature deprecation: Usually something they want to drop becomes disabled by
default to preserve for next release, so the opposite is; sometimes new features are added (but have
to be switched on by default) and then the product group make it default enabled in next release

Change in security posture: So the default was to lock everything down as before it was all about
reducing the attack surface area (so you live under a rock in a cave and cant do anything) but then
because of improvements in securing the underlying OS / better understanding that there was no
real problem, then things can become enabled by default

Feature Adoption: There was a big drive in Windows Server 2012 to make sure features were
readily available/enabled and decouple them from any dependencies, like other OS
interoperability/convoluted pre-requested, as customers would then be less likely to adopt
features and mistakes in implementation

Also Read: Windows 10 compatibility with Windows Server 2003

Conclusion:

Indeed if youre opening up ports or enabling services then there could be a valid reason for why
thats not acceptable in some environments, someone with administrative access can remotely own
your box, Id be much more concerned that in the first place someone already has
administrative/privileged credentials and there are many more ways to hose up a box over the wire
than worry about just one more way to connect.

Enable Powershell Remoting on Windows

server 2008 R2 and 2012
By ganesamoorthy s | July 29, 2015

0 Comment

Powershell Remoting is very impressive feature from Windows server 2008 R2 / Powershell 2.0, it
allows to run any PowerShell commands or access full PowerShell sessions on remote Server unlike
the older native commands that run on the same server where the command been executed , so its
powerful and easy to run a function from multiple system with less amount of time
What changes from native command execution?

PowerShell command is executed on the client

Same PowerShell command is transmitted to the server
Server executes the PowerShell command and then returns the output to the client
Client displays or uses the returned output

How to Enable Powershell Remoting on Windows server 2008, Windows 7 and other systems

By default Powershell Remoting is disabled on Windows server 2008 R2 and need to enable by
running an enable-psremoting command on individual servers, we have others option to Enable
Powershell Remoting on multiple servers remotely, methods are

Enable Powershell Remoting with PSEXEC (Remotely)

We can open psexec from CMD and connect each server and run enable-psremoting -force or run
below command with different server name

psexec \\[Server name] -u [User name] -p [password] -h -d powershell.exe enable-psremoting

-force

Please replace \\[Server name] with an IP address, or even @C:\[path]\serverlist.txt to

automatically enable psRemoting on a big list of computers on your environment

Enable Powershell Remoting with schedule task

We have to create the batch file or ps1 file with enable-psremoting force command and created a
schedule task using the schtasks command pointing to created patch file or ps1 file

Scheduled a task to run the script (batch file or ps1 file) and enable the Powershell Remoting

Enable Powershell Remoting with Server Manager

Open Server Manager

On Server Manager home page, click Configure Server Manager Remote Management.
Next,
Select Enable Remote Management of This Server from Other Computers.
Ok

Enable Powershell Remoting via Group Policy

Create a new GPO, or edit an existing GPO
Browse to: Policies > Administrative Templates > Windows Components > Windows Remote
Management (WinRM) > WinRM Service
Open the Allow Automatic Configuration of Listeners Policy, select Enabled, and then define
the IPv4 filter and IPv6 filter as *(Server 2008 and earlier).
Open the Allow Remote Server management through WinRM Policy, select Enabled, and
then define the IPv4 filter and IPv6 filter as *(Server 2008 R2 and later).
Click OK.

For Firewall Rules

Browse to: Computer Configuration> Policies> Windows Settings> Security Settings>

Windows Firewall with Advanced Security> Windows Firewall with Advanced Security> and
then Inbound Rules.
Right-click Inbound Rules, and then click New Rule.
In the New Inbound Rule Wizard, on the Rule Type page, select Predefined.
On the Predefined pull-down menu, select Remote Event Log Management. Click Next.
On the Predefined Rules page, click Next to accept the new rules.
On the Action page, select Allow the Connection, and then click Finish. Allow the Connection
is the default selection.
Repeat above steps to create inbound rules for the Remote Service Management
and Windows Firewall Remote Management

If you are using Windows server 2012 then no need to do any of above configuration to
enable powershell remoting, Yes its enabled by default, start using the feature without any extra
effort

Monitor NTLM authentication delays and

issues on Windows 2008 and 2012
By ganesamoorthy s | July 26, 2015

0 Comment

Events to track authentication delays and issues: Finally we have new event log entries that can
track NTLM authentication delays and issues in Windows Server 2008 R2, in a complex environment
with multiple Forests and multiple Domains NTLM authentication request will be more and its difficult
to monitor and track the Bottlenecks
Also Read: AD Slow Authentication and prompting for credentials again and again
intermittently and experience time-outs when you connect to Authenticated Services

Install http://support.microsoft.com/kb/2654097 to enable event log entries that track NTLM

authentication delays and failures

After installing the above hotfix, EventLogPeriodicity and WarningEventThreshold registry entries
needs to be configured as per your requirement

Event ID: 5816 to Event ID: 5819 has been logged for if any error or warning condition is met

Some of the issues in application end for NTLM authentication delays

Web Services and Web Proxy:

Web clients are frequently prompted for credentials

Web clients receive delayed responses from the web server.

Exchange client:

Outlook receives delayed responses from the server.

Outlook is frequently prompted for credentials

Some of known issues for high authentication flow and authentication delays

Bottleneck:

Also Read: Troubleshoot Active Directory Server Replication

Solution:
For applications and services that are using NTLM, just configure them to use Kerberos
authentication only.

Default Maxconcurrentapi Value:

Workstations One of the threads available for use

Member servers Two of the threads available for use

Domain controllers One available thread per security channel to trusted domains

Configure MaxConcurrentApi :

Also See: Active Directory real time issues and solutions

Shortcut Keys for Windows server 2012 and

2012 R2
By ganesamoorthy s | June 5, 2015

0 Comment

If you new to Windows server 2012 and 2012 R2 you might find difficulty to run some of the essential
tasks like, Run, CMD, and even to shut down and logoff the server, how do we do a basic server
administration work on Windows server 2012? Even administrative tool are removed, unable to see
run, CMD and start menu in Windows server 2012, ohh no then how to get the administrative
tool? they are all missing and we have a way to find this

Windows server 2012 comes with a new GUI which hides the most essential buttons and tools like
Start menu, Run, Command prompt, shutdown, Restart, logoff and many more, just want
share Shortcut Keys for Windows server 2012 to make life easier

Start screen Windows Key

Charms bar Windows Key + C

Run Windows Key + R

CMD Windows Key + R CMD

Command Prompt with Admin access Windows Key + X + A

Start Menu Windows Key + X

Shutdown- Ctl+Alt+Del, select Power button in the lower right corner

Logoff/lock/Task Manager Ctl+Alt+Del

Control Panel Windows Key + X + P

Task Manager Windows Key + X + T

Computer Management Windows Key + X + G

Divice Manager Windows Key + X + M

Event Viewer Windows Key + X + V

Disk Management Windows Key + X + K

Windows Explorer Windows Key + X + E

Search Windows Key + X + S

System Windows Key + X + Y

Programs and Features Windows Key + X + F

Powershell Windows Key Powershell

Administrative Tools

Administrative tool replaced with Server Manager, Microsoft has been strongly pushing to use the
Server Manager and its now full-featured, All this tools are available on Server Managers Tools
menu
Windows server 2012 co-existence and
migrate/upgrade scenarios
By ganesamoorthy s | May 17, 2015

1 Comment

Is windows server 2012 R2 can co-existence with windows server 2003? Can I do in-place upgrade
from windows server 2003 or windows server 2008? Which is supported and which is not supported

Do you want to know the answer for all these questions then you are on right page, will discuss more
about supported upgrade scenarios

Not supported

In-place upgrade from windows Server 2003 and from 32-bit system and from Server Core Edition
are not supported

Windows 2000 Domain Controllers are not supported

Windows NT Domain Controllers are not supported

Supported

Add a new Windows Sevrer 2012 DC in a Windows Server 2003 Forest/Domain

Add a new Windows Server 2012 DC in a Windows Server 2008/2008 R2 Forest/Domain

Supported Upgrade Scenarios

Windows Server 2008 Standard Sp2 or Windows Server 2008 enterprise Sp2 can be upgrade to
Windows Server 2012 Standard or Windows Server 2012 Datacentre

Windows Server 2008 Datacentre SP2 can be upgrade to Windows Server 2012 Datacentre

Windows Web Server 2008 can be upgrade to Windows Server 2012 Standard

Prerequisites
Domain Functional Level should be at least Windows 2003 mode. This is the minimum required
Domain Functional Level that would allow Windows Server 2012 Domain Controller installation.

Windows NT / 2000 DCs are not supported

Need to raise a Domain Functional Level to Windows 2003 mode, for that older DCs like Windows
NT and Windows 2000 needs to be removed / decommissioned.

Supported and Not Supported Trust

Anyway Forest Trust not supported on Windows NT / 2000 DCs, an external trusts can be configure
to connect to Windows 2000 Server and Windows NT 4 domains

Note: From Windows Server 2008 onwards legacy cryptography algorithms not supported for
secure channel communications, hence external trusts cant be established Windows NT 4.0 with a
Windows Server 2008, or higher, domain controller, this can be rectified through simple registry
change however not recommended

Hope this will help you to understand the requirement and prerequisites to Install Windows Server
2012 to your existing environment, what can be possible and what cant be possible with your current
Domain configuration

Difference between windows server 2012

and R2
By ganesamoorthy s | April 30, 2015

0 Comment

Windows server 2012 R2 brings many new features and enhancements to windows server world
compared to older version windows server 2012, will discuss major difference between windows
server 2012 and windows server 2012 R2 and some of the very innovative Windows Server 2012 R2
Features and improvements, also see Windows Server 2012 Fetures and Difference between
windows server 2008 and windows server 2012

Windows Server 2012 Schema version is 56 and Windows Server 2012 R2 is 69, schema will be
updated while doing Forest preparation/installing Windows Server 2012 R2
Active Directory comes first when I think about windows server, will start with Active Directory new
features on Windows Server 2012 R2

Active Directory has been enhanced with the following

Join the Workplace (Workplace Join)

SSO Support (Single Sign-On)

Connect from Anywhere with Web Application Proxy

Multi-Factor Access Control (Anywhere-and-on-Any-Device)

Workplace Join

Workplace Join is allows user to connect/join their personal devices with their companys workplace
network and computers to access resources and services, yes now we can connect our personal
device like mobile phone/tablets and other device(Windows 8.1, iOS 6.0 +, and Android 4.0 +
devices can be joined by using Workplace Join)

Its not like a Domain Joining, when a device is joined to your workplace, it becomes a known device
and provides seamless second factor authentication through Single Sign On to access the workplace
resources and applications.

Workplace Join through the Device Registration Service, Device Registration Service (DRS) is part
of the Active Directory Federation, creates a device object in Active Directory, and tracks the
associated devices certificate in order to represent the devices identity.

SSO Support (Single Sign-On)

Effectively using Single Sign-On (SSO), user no needs to provide their user name and password
while accessing the different application event the outside the office network, again this uses the
Device Registration Service and Active Directory Federation roles allows claims-based
authentication to occur based on trusted certificates

Web Application Proxy

Remote Access role service is replaced by web application proxy in Windows Server 2012 R2, this
will provide access to a sample web application by using claims-based authentication using Active
Directory Federation authentication
Company application can be accessed anywhere with the help of Web Application Proxy in a
secured way

Multi-Factor Authentication

Multi-Factor Authentication is nothing but the authenticating user and the device used by the user,
user and user personal device joined through Workplace Join are authenticated

New DNS Features on windows server 2012 R2

DNS Logging and Diagnostics

Unlike the older windows versions, enabling DNS logging will not degrading the server performance
through enhanced DNS logging and diagnostics feature, this will provides extremely detailed data
about all DNS related information that is sent & received by the DNS server, similar to the data that
can be gathered using network packet capture tools such as Netmon, this included the DNS Audit
events and DNS Analytic events very helpful for troubleshooting

New Group Policy Features in Windows Server 2012 R2

Policy Caching

Policy Caching is newly introduced In Windows Server 2012 R2, when Group Policy gets updated,
client gets the latest version of a policy from the domain controller, and writes the policy to a local
store. Next time the computer restarted, it reads the most recently version of the policy from the local
store, instead of downloading it from the domain controller. This reduces the time it takes to update
the policy. Most important the boot time is reduced in synchronous mode

New DHCP Features in Windows Server 2012 R2

DNS PTR registration options

Now you can configure the DHCP scope to r register only address (A) resource records of DHCP
clients with the DNS server. This can be helpful when a reverse lookup zone has not been
configured on your DNS server and that causing attempts to register pointer (PTR) resource records
to fail.

And most important, PowerShell commands will be available for DHCP servers
Also Windows PowerShell for Certificate Services and Many new Features in Remote Desktop
Services in Windows Server 2012 R2

Other than the Active Directory Features on windows server 2012 R2

Work Folders

You can store and access work files on your personal computers and personal device, similar to
Dropbox, this role only available on Windows Server 2012 R2, its like an offline file with your
personal device and it get replicated to company network, Access your office files while offline from
personal device, and then sync with the central file server when the PC or device next has Internet or
intranet connectivity, see Microsoft page

Windows PowerShell Desired State Configuration

Its cool new features from Windows Server 2012 R2, to replace the Group policy (GPO)

Yes, its similar to Group policy, enables deploying and managing configuration data like registry
settings, Enabling or disabling server roles and features, Managing files and directories, Starting,
stopping, and managing processes and services, Managing groups and user accounts, Deploying
new software, Managing environment variables, Running Windows PowerShell scripts and
Discovering the actual configuration state, see Microsoft page

Storage Tiering

If you are a storage admin then you know Storage Tiering, yes its been there for long time and now
this feature available on Windows Server 2012 R2 operating system, this is the first time available at
the operating system level. Microsoft uses a heat-map algorithm to determine which chunks of data
are seeing the most activity and automatically moves the hottest data to the fastest disk. You can
adjust the settings using PowerShell.

RRAS Multitenant Gateway

Now you can deploy RRAS as a virtual machine (VM)-based software gateway and router that allows
Cloud Service Providers (CSPs) and Enterprises to enable datacentre and cloud network traffic
routing between virtual and physical networks

Each site-to-site network connection require a separate gateway in Windows Server 2012, this is
impacting both cost and ease of implementation when more than a few connections are required for
a single application. Windows Server 2012 R2 does away with this limitation, this can reduce their
capital expenditure and operation expenditure

Windows Server Essentials role

Windows Server 2012 R2 Essentials vision is bundled all the required features for small businesses
with up to 25 users and 50 devices, when you install the Windows Server Essentials Experience role
on other Windows server version, you can take advantage of all the features that are available to you
in Windows Server 2012 R2 Essentials without the locks and limits enforced in it.

And many more new features like, De-duplication on running VMs, Parallel rebuild and shared virtual
hard disk in Hyper-V for Windows Server 2012 R2, also see Windows Server 2012 Fetures

Active Directory Features in Windows Server

2012
By mail2spi2014 | March 3, 2013

2 Comments

Active Directory 2012 features on Windows Server 2012 and R2: I am going to discuss about
Windows Server 2012 Active Directory feature, as per my understanding newer version has not have
many new features however Microsoft has improved the features of Active Directory 2008 in Active
Directory 2012 List of improvement compare to the earlier version Active Directory 2008, also
check Difference between windows server 2012 and R2

Active Directory 2012 features

Virtualization

Virtualization and cloud computing is the emerging technology in an IT infrastructure over the past
few year, I personally never thought of having virtual Active directory environment, if you are
restoring AD database from snapshot image it wont reset the Invocation ID it will lead to database
version mismatch with other Domain controllers and stop replicationSupport virtual snapshot, Active
Directory 2012 Virtualization feature correctly resets the Invocation ID if snapshot is applied or a VM
copied using the VM generation ID

Support virtual clone, we can clone existing virtual domain controllers without any issue and this will
reduces the number of steps and time involved by eliminating repetitive deployment tasks

Simplifies Active Directory Upgrades and Deployments

Dcpromo not available in Active Directory 2012! Yes Active Directory Domain Services Installation
Wizard is relocated in Server Manager is replaced the Dcpromo command

Forest preparation and domain preparation happens automatically (Forestprep and ADprep) while
doing Server 2012 DC installation, still if you wish you can do manually using commands Adprep,
/forestprep, /domainprep and /rodcprep

Seems to be a simple and easy procedure, of course you will require a good planning and in-depth
understanding about the procedure while doing domain upgrade

Dynamic Access Control

Native access control require a user or a group needs to be add to file/folder NTFS permission to get
an access, in windows 2012 claims-based authorization is its not replaced the existing model
however if added new features to an existing system

If the user department is accounts in Active directory, user able to access the accounts related datas
from file servers using Dynamic Access Control feature

Customised audit policies

You can fine-tune the audit policies as per your requirement, not only monitor the file access success
or failure but also what actions were carried out or attempted on the file, like read, write, delete,
change file permissions and so on. You can narrow down the scope of the file auditing to specific
users or groups of users, using configure the Global Object Access Auditing policy within a GPO

Event logs

If you enable auditing for multiple items and configuring the customised audit policies, then security
logs will grow faster, by default the log will overwrite old events when it runs out of space, most
organisations uses the third party application to backup the event logs and store it to centralized
repository, in windows 2012 you can select the option Archive the log when full, do not overwrite
events so you can examine the old logs and of course you require a enough disk space to store the
logs

Offline Domain Join

Offline Domain Join is improved in Windows Server 2012 AD DS, over the internet we can join the
computer to domain if the domain is DirectAccess enabled

Active Directory Federation Services (AD FS)

Adding ADFS no longer requires a separate installation. ADFS also gains multiple improvements.

Windows PowerShell

Windows PowerShell History Viewer: You will have a ready made command for what action you
did in Active Directory Administrative Centre, like if you create a user or add user to group you have
command to do the same, this can minimize the learning investment and you can automate the
activity very easily

Windows PowerShell Cmdlets for Active Directory Replication and Topology: Am expecting
this for a long time, yes we have a PowerShell commands for repadmin, ntdsutil and Active Directory
Sites and Services, troubleshoot replication and Create and manage sites, site-links, site-link
bridges, subnets and connections using new available Cmdlets

Active Directory Recycle Bin

We can recover deleted object with in graphical user interface through Active Directory
Administrative Centr (ADAC), this will reduce the recovery time and simplified the complex procedure

Kerberos Constrained Delegation across Domains (KCD)

KCD was first introduced in Windows Server 2003 to permits a services account (front-end) to act on
behalf of users in the applications to access back-end services, like web server (front-end) access
the database server (back-end) by the user, this only works for back-end services in the same
domain as the front-end service-accounts.
The KCD in Windows Server 2012 Supports across-domain, across-forest scenarios, its very
demanding feature and reduce the pass through authentication load (if you have multi domain and
multi forest this will be your future)

Flexible Authentication Secure Tunneling (FAST)

More secure Kerberos in Windows Server 2012 through Flexible Authentication Secure tunneling, it
provides a protected channel between a domain-joined client and DC

Active Directory-Based Activation (ADBA)

This will eliminates the need for Key Management Service (KMS) servers, No additional machines
required and No RPC requirement Active Directory-based activation uses LDAP exclusively

AD FS (v2.1) ships in-the-box as a server role in Windows Server 2012 and is able to populate
SAML tokens with user- and device-claims taken directly from the Kerberos ticket

And RID improvements, index creation improvements and many more..

More on Active Directory 2012 features, see Micrsoft page page

ACTIVE DIRECTORY TOOLS

DNS Lookup Tool with GUI

By mail2spi2014 | June 16, 2011

0 Comment

Free Nslookup Tool for Windows with GUI interface

Its a normal Windows Nslookup tool, command line windows Nslookup tool been converted to user
friendly GUI tool, this tool used to check the DNS entry and it has many customized features
Features of DNS Lookup Tool

You can check the different record types (A, MX, NS, SOA, PTR, and SRV)

You can enable the Debugging mode for better DNS troubleshooting

You can change the DNS Query Type (Recurse, Iterative (non-recursive))

Also you can able to specify the server from where you want to query the DNS entry (By default its
a primary DNS server from the network card configuration)

Easy to use and user friendly, no installation required you can directly run the tool.

DNS Lookup Tool

Nslookup tool query the A record

Nslookup tool query the MX record
Output of Nslookup tool query with Debugging mode Enabled

Download Nslookup Tool

For more info on NSLOOKUP and DNS troubleshooting

String to GUID Converter

By mail2spi2014 | May 30, 2011

0 Comment

Using Online String to GUID Converter Tool, you can convert a string formatted GUID to
hexadecimal string format and vice versa (hexadecimal formatted GUID to string format)

If you extract the Active Directory object GUID from Domain Controller using ADSIEDIT you will get
the hexadecimal formatted GUID and you have to convert this Hex format GUID to Normal usable
string format because most of the windows commands and scripts require a string format GUID.
No need to download and install, its a online tool and can be used directly on our website, just click
here Online String to GUID converter Tool

Online Subnet Calculator

By mail2spi2014 | May 5, 2011

0 Comment

Its a simple online IP Subnet Calculator, using this Subnet Calc you can calculate, Mask Bits, Start
IP, End IP, Address Range, Subnet ID, Broadcast Address.

And this can be used to find the Subnet Mask for the given Mask Bit or find the Mask Bit for the given
Subnet Mask.

No need to download and install, its a online tool and can be used directly on our website, just Click
Here

Incoming search terms: subnet a subnet, subnet masks, subnet masking, subnet netmask, subnet
255, subnet and subnet mask , calculadora subnetting, subnet calculate, subnett calculator, subnet
calcu, subnet calculation, subnets calculator, subnet calculators, subnet calculator, calculator subnet,
calc ip, ip subnets, ip subnet, ip to subnet, ip and subnet, ip calculator, calculator ip, netmask,
subnetting a subnet, subnet address, ip calc, ip subnet calculater, ipcalc,ip subnet calculation, ip
subnet calculator, ip calculator subnet, subnet ip calculator

Online Windows Timestamp Converter

By mail2spi2014 | May 5, 2011

0 Comment

Online Tool to Convert Windows Timestamp to readable format

If you extract the Lastlogon and Lastlogontimestamp attribute value from CSVDE tool or ADSIEDIT,
attribute value would not be readable format and you cant understand the format, you can use this
Online Tool to convert Timestamp to readable format
No need to download and install, its a online tool and can be used directly on our website, just click
here

Our Previous Article Related to lastlogon

In Excel itself you can Convert lastlogon and lastlogontimestamp

How to extract lastlogontime in CSVDE

DNS Management Tool

By mail2spi2014 | April 13, 2011

0 Comment

Using DNS Management tool you can check, create and delete DNS entry in Windows DNS server, it
seems to be simple however in a large environment its not that simple, lets say if you have multiple
zones and every zone have huge DNS entrys then its very difficult to check, create and delete the
DNS entry

When you open the DNS console all the zones in that server will get loaded and you have to select
the zone than all the entrys in that zone will get loaded, it will be time consuming process then you
have to filtered out to delete the corresponding entry

While creating the DNS entry you have to manually type the IP address, you cant copy and
paste, this may lead to typo error and you will created the DNS entry with wrong IP address, by
using this tool you can avoid this and increase your productivity
And this can be done in a second, you can also check if the DNS entries are available before
deletion or creation the DNS entry

If you have multiple requests and you have to do this one by one, then this tool perfectly match your
requirement

Follow the below procedure to Manage DNS record in Windows DNS server

1. Enter Record Name

2. Record name should be FQDN(fully qualified name) like Server001.eur.windowstricks.in
3. Enter IP Address
4. If require you can copy and past the host name and IP address
5. If you want to create DNS record then Click Create button
6. This will create the DNS entry to the corresponding zone in the DNS server
7. You will get the result, if any issue to creating the record, then you will get the error message
8. If you want to check DNS record then Click check button
9. You can also Delete the DNS entry by clicking the Delete button

Check the Existing DNS Record:

Deleting the Existing DNS Record:

Checking the DNS Record:

Creating the DNS Record:

Requirement

This tool should be run from the DNS servers where you want to manage the DNS entries

And you should have DNSCMD tool installed and DNS admin rights.

Download

For bulk DNS record creation and deletion

DNS Record Creation Tool

By mail2spi2014 | February 3, 2011

1 Comment

Free Tool to create DNS entry

Using this tool you can create DNS entry, no need to open a DNS management console you can just
open the DNS Record Creation Tool and copy past the DNS record name and IP address and select
the create button this will create both forward and reverse entries

Creating DNS entry seems like simple and why we require a tool to do this? To create a single DNS
entry you have to open a DNS management console and go to the Forward Lookup Zones, select
the zone from where you want to create the DNS record, then right click the zone and select add
new host, When you open the DNS console all the zones in that server will get loaded and you have
to select the zone than all the entrys in that zone will get loaded, it will be time consuming process
While creating the DNS entry you have to manually type the IP address, you cant copy and
paste, this may lead to typo error and you will created the DNS entry with wrong IP address, by
using this tool you can avoid this and increase your productivity

Download

Requirement

This tool should be run from the DNS servers where you want to manage the DNS entries
And you should have the DNS admin rights

Other Free Tools

Tool to Find subnet conflict

Tool to Search AD Object using the Attribute value

Get IP Info

Our products List

Search AD Object using the Attribute value

By mail2spi2014 | December 30, 2010

0 Comment

Active Directory tool to search the Active Directory using attribute value, you can use this tool to find
the attribute value for the given object and attribute
This tool is very useful to search a particular attribute value for any object in Active Directory, input
for this tool is any known attribute and the attribute value ( in above example I have used CN attribute
and corresponding value) and you can get the output of any require attribute.

Beauty of this product is you can use the Wild cards, like list all the users that stars with DE
( CN=DE* is the input)

Also you can use this tool to search the Configuration partition, search the site, site link and subnet,
in above example we are getting the site name of the server using the server name

You can use this simple tool for your requirement, this tool will do customized search on Active
Directory, I have used this tool to search the site link for the site, search the connection object for the
server, search the site for the server

From Domain Partition, some time you know the attribute name and the value and you want to list all
object that have the same value for the attribute that scenario you can use this Search AD Object
using the Attribute value tool.

And also use this tool to find the duplicate entries in Active Directory, if many object attribute have
the same value and this should be unique, like this you can use this tool in your own requirement.

Download
Other Free Tools
Tool to Find subnet conflict

Get IP Info

Our products List

Get IP Info
By mail2spi2014 | December 7, 2010

0 Comment

Active Directory tool to find site name, subnet and other information for given IP addresses

If you are troubleshooting the system issues, like logon issue and DFS issue you have to check the
system IP address and from which site this IP address belong to and from which subnet this IP
belongs to, if that site have a Domain controller and if this subnet have DNS ReversZone and DNS
Revers entry
In a large Active Directory environment its very difficult to check this manually, if the subnet
associate to the IP not configured, then client will have a logon problems, if the DNS ReversZone
missing then Dynamic registration will have a issue so better we have to check all this before
troubleshoot the issue, this tool will also very useful to understand the issue

This tool will provide the Site Name, subnet, Number of Address, DCs in this Site, DNS ReversZone
Name, DNS ReversZone, and PTR Record pointing to

Other Free Tools

Tool to Find subnet conflict

Tool to Search AD Object using the Attribute value

Our products List

Free tool to Find subnet conflict in Active

directory
By mail2spi2014 | November 4, 2009

0 Comment

Free tool to Find subnet conflict in Active directory

If you ever think that you require a tool to find the subnet in Active Directory and find the subnet
conflict also, here is the tool and its Free!

Before add the subnet in to AD it needs to be checked for subnet conflict to make the environment
clean and also reduce the login errors (due to subnet conflict)
Other Free Tools
Search AD Object using the Attribute value

Get IP Info

Our products List

Active Directory real time issues and solutions
As an Windows AD Administrator I have many Active Directory real time issues and solutions, we
have seen the questions like, Tel me about 2 real time issues which you have faced in your current
Active Directory environment, share one or two challenging issues which you have worked and
resolved, Tel me most challenging issues you recently involved

Active Directory real time issues and solutions

DNS Entry of Domain Controller is Resolving to Incorrect value

Replsummary showing unknown for largest delta on AD replication checks

Domain Controller failed test Machineaccount on DCDIAG

AD Slow Authentication and prompting for credentials again and again

How secure channel determine the Domain controller in cross-forest

Active directory Troubleshooting

Active Directory Replication failed with Target principal name is incorrect

Replication failed with The destination server is currently rejecting replication requests Error

Troubleshoot Active Directory Server Replication

Group Policy (GPO) real time issues and solutions

Issue managing IE configuration through GPO

Why we cant edit/view windows 2008, Vista and windows 7 GPO settings from windows 2003

Gpresult failed with ERROR Access Denied

Home page URL not working for IE7

GPO update failed in Slow Link VPN site with Event ID 1000 and 1054

Group Policy Processing over Slow Links

Group Policy slow link detection on windows server 2008

Other real time issues and solutions, Printer, User Profile and Account lockout

Account lockout

How to resolve the Print Spooler service crash issue (Print spooler service is not running)

How to find the domain controller that contains the lingering object

Reconfigure roaming profile folder and home folder permission for all the users

Roaming profile issues

Windows DNS Scavenging Interview

Questions and Answers
What is DNS Scavenging?

DNS Scavenging is to cleanup and removal of stale DNS records, like housekeeping activity to
delete unwanted or unused DNS entries in DNS server/zone, it only cleanup the dynamic DNS
record not the record created manually

What is Dynamic DNS record?

The record created dynamically by client/server on DNS zone, automatically added to zones when
computers start on the network

Also Read: Windows Server Administrator Interview Questions and Answers

How to force the DNS Dynamic Update?

Simple way is restart the system which trigger the DNS Dynamic Update, we can user the below
command to force DNS Dynamic Update

Ipconfig /registerdns

You can also restart the netlogon service on service.msc

If DNS Dynamic updates not working what are the checks needs to do?

Check the primary DNS configuration on the system, Primary DNS server should be reachable from
client in order to register DNS record

Register this connections addresses in DNS should be selected on network card properties (advance
options where you configure the IP Address)

Also Check the DHCP configuration if the managed through DHCP

Also Read: Active Directory (AD) Real Time Interview Questions and Answers

What are Prerequisites to do the DNS scavenging?

Scavenging must be enabled on DNS server and on the zone you want to scavenging

DNS records must be dynamically added to zones or you can manually modified the timestamp
configuration

What is Scavenging Period?

Default value for Scavenging is seven days (the minimum allowed value for this is one hour)

scavenging time on DNS zone is the server to determine when a zone becomes available for
scavenging

So 7 + 7, every 14 days

Also Read: Windows Group Policy Interview Questions and Answers

When the Record refreshes happen? (Dynamic updates of record)

Every DNS record time stamp been updated While the time of computer restart
A periodic refresh is sent by the computer every 24 hours

Network services make refresh attempts, like DHCP servers, which renew client address, cluster
servers, which register and update records for a cluster, and the Net Logon service, which can
register and update resource records that are used by AD domain controllers

So that the record not taken as a stale DNS record

What is Scavenging servers?

Is DNS Scavenging configured in all Domain Controllers?

Not all DNS servers are Scavenging servers, you can configure/promote DNS server to Scavenging
servers

Zone parameter on advanced settings that enables you to specify a restricted list of IP addresses for
DNS servers that are enabled to perform scavenging

AD Slow Authentication and prompting for

credentials again and again
By mail2spi2014 | December 20, 2013

0 Comment

AD Slow Authentication and prompting for credentials again and again (Active directory
Troubleshooting Part 2)

Also See: Active Directory real time issues and solutions

Pass through authentication

Secure Channel

For Domain controller, Netlogon service sets up secure channels with all the trusted domains (one
Domain controller in each trusted domains) you can check this using Nltest command

To check the current secure channel with a particular Domain

nltest /sc_query:Domain Name

To reset secure channel to different Domain Controller (this will randomly select the Domain
Controller)

nltest /SC_RESET: Domain Name

To reset secure channel to a particular Domain Controller

nltest /SC_RESET: Domain Name Domain Controller Name

You can change the Domain and Domain Controller Name as per your requirement

For remote server you can add

/server: server name

NTLM and Kerberos

Client opens a URL through browser

Think the similar scenario in multi Domain/Forest environment, user in one Forest and proxy server
in other Forest, this will increase the NTLM Pass through authentication traffic

NTLM authentication handled by Netlogon service, passing NTLM authentication requests to a

We can resolve this by increasing the MaxConcurrentApi value on proxy server, if its a multi
Domain/Forest environment, then we needs to increase the MaxConcurrentApi value on resource
forest Domain Controller, it depends on the configuration

First we have to understand current issue

To calculate MaxConcurrentApi for your environment

http://support.microsoft.com/kb/2688798

It depends on the outcome, you should add more servers to service the legacy authentication load or
increase the MaxConcurrentApi registry value

Warning rules:

Average Semaphore Hold Time > 0.2 should be a yellow warning.

Average Semaphore Hold Time > 0 should be a red warning.

Semaphore waiters > 1 should be a yellow warning.

Semaphore waiters > 4 should be a red warning.

Any Semaphore Timeouts is a red warning.

Conclusion:

Slow Authentication might be due to many issues, like client to DC connectivity, network, subnet and
site configuration, DNS SRV configuration, Profile, logon script and GPO, so you have to analysis
properly to find the root cause, this is the one of the scenarios which I have faced many times in a
complex environment, hope this will help you to understand the Active Directory Authentication and
troubleshooting procedures see you soon in an another article.

Active directory Troubleshooting (Part1 Diagnostics Logging)

Troubleshoot Active Directory Server Replication

How secure channel determine the Domain
controller in cross-forest
By ganesamoorthy s | April 2, 2015

0 Comment

How client computer/member server find the logon Domain Controller from Cress Fores in an Active
Directory envirnment or How secure channel determine the Domain controller in cross-forest

Site synchronization

To locate the closest Domain Controller from the trusted domain, Domain should have knowledge of
the trusted domains site and site-link, you have to define the subnet of the DC in trusted Domain site

its like add the same subnet on both the Forest with corresponding site to match the user
authentication

Below command has been used to find the current authenticated DC from a Domain

Nltest /dsgetdc:Domain Name

Below command has been used to find the current secure channel Domain controller from
a Domain

Nltest /SC_QUERY:<DomainName>

Below command has been used to reset the secure channel to select different Domain
controller from corresponding Domain/Forest
Nltest /SC_RESET:<DomainName>

This will select the Domain Controller as per the design

If you want to reset the secure channel to select specific Domain controller
from corresponding Domain/Forest

Nltest /SC_RESET:<DomainName> \<DcName>

Seems to be simple and this is how secure channel determine the Domain Controller in Cross Forest

Windows 10 support knowledge base

articles
Collection of Windows 10 knowledge base articles

Windows 10 KB articles and Real Time problems with solution

How to Fix High RAM/CPU issue on Windows 10

How to change windows 10 icons (My Computer, Recycle Bin and windows explorer icon)

Troubleshooting Tips for Windows 10 Slowness Problems

Start Menu not function properly on Windows 10

Best Free Antivirus for Windows 10

Windows profile issues and fix

How to copy a full user profile to another user in Windows 10 After profile corrupt

How to Uninstall Windows 10

Windows 10 Keyboard Shortcuts Tricks and Tips

Windows 10 compatibility with Windows Server 2003

Convert Windows 10 Mobile Phone to Desktop Computer (PC)

Windows 10 Permission issue with Domain Admin

Microsoft Remote Desktop connection issue with Windows 10

Windows 10 sleep mode not working and unable to waking up from sleep mode

How to Get F8 Boot Menu and Safe Mode on Windows 10

Windows 10 cant connect to Internet and showing limited connectivity

Windows 10 Homegroup Problems and Solution

How to Get the Password and Setup Homegroup in Windows 10

How to Change Windows 10 Date and Time Format from 24 Hour to 12 Hour Clock

Domain Account unable to log-in with cached credentials on Windows 10

Are you searching where is my computer on windows 10 desktop

Can we fix all Windows 10 problems? Re-install Windows 10 without affecting current settings

Active Directory Interview Questions and Answers

Interview Questions Home

Step by Step Gateway Server Installation - SCOM 2016
100% (1)
Step by Step Gateway Server Installation - SCOM 2016
49 pages
23 - Renew Certificate of ADFS and WAP Server.
No ratings yet
23 - Renew Certificate of ADFS and WAP Server.
3 pages
Introduction To Forex - Forex Made Easy PDF
100% (2)
Introduction To Forex - Forex Made Easy PDF
33 pages
How To Configure Rodc
No ratings yet
How To Configure Rodc
27 pages
AD FS Deployment
No ratings yet
AD FS Deployment
9 pages
Active Directory Design Guide
0% (1)
Active Directory Design Guide
117 pages
Step by Step Guide To Migrate Exchange 2013 To 2019
No ratings yet
Step by Step Guide To Migrate Exchange 2013 To 2019
7 pages
SCCM Client Errors
No ratings yet
SCCM Client Errors
3 pages
Active Directory Disaster Recovery: Whitepaper Resource
No ratings yet
Active Directory Disaster Recovery: Whitepaper Resource
11 pages
Glossary: Access Control List (ACL) Advanced Configuration and Power Interface (ACPI)
No ratings yet
Glossary: Access Control List (ACL) Advanced Configuration and Power Interface (ACPI)
45 pages
Complete SCCM Installation Guide and Configuration
100% (1)
Complete SCCM Installation Guide and Configuration
239 pages
Top 65 Windows Server Interview Questions
No ratings yet
Top 65 Windows Server Interview Questions
11 pages
AD Operations
No ratings yet
AD Operations
518 pages
Active Directory: FMSO Roles
No ratings yet
Active Directory: FMSO Roles
12 pages
Windows Server 2012 Failover Clustering Student Lab Manual
No ratings yet
Windows Server 2012 Failover Clustering Student Lab Manual
147 pages
SCCM Update Guide
No ratings yet
SCCM Update Guide
28 pages
Lab Instructions and Answer Key: Configuring and Troubleshooting A Windows Server® 2008 Network Infrastructure
No ratings yet
Lab Instructions and Answer Key: Configuring and Troubleshooting A Windows Server® 2008 Network Infrastructure
297 pages
Exchange Server 2016 Quick Start Guide v1.0
No ratings yet
Exchange Server 2016 Quick Start Guide v1.0
153 pages
What Is Global Catalog Server? Global Catalog Server Is
100% (1)
What Is Global Catalog Server? Global Catalog Server Is
7 pages
SysAdmin Ebook Final Feb2010
100% (2)
SysAdmin Ebook Final Feb2010
525 pages
39 Top MICROSOFT Windows Server Administrator Interview Questions and Answers by A Real Interviewer
100% (1)
39 Top MICROSOFT Windows Server Administrator Interview Questions and Answers by A Real Interviewer
8 pages
Step by Step Guide Installing SCCM 2007
No ratings yet
Step by Step Guide Installing SCCM 2007
164 pages
Step-By-Step Guide To Migrate From Active Directory 2012 R2 To Active Directory 2019 (Powershell Guide)
No ratings yet
Step-By-Step Guide To Migrate From Active Directory 2012 R2 To Active Directory 2019 (Powershell Guide)
9 pages
PowerShell Essentials For The Busy Admin
No ratings yet
PowerShell Essentials For The Busy Admin
16 pages
Microsoft 365 Mobility and Security
No ratings yet
Microsoft 365 Mobility and Security
2 pages
Installing, Upgrading, and Migrating Servers and Workloads
100% (1)
Installing, Upgrading, and Migrating Servers and Workloads
39 pages
Windows Group Policy Information
No ratings yet
Windows Group Policy Information
137 pages
Solving Active Directory Replication Failure
No ratings yet
Solving Active Directory Replication Failure
3 pages
LAPS OperationsGuide
No ratings yet
LAPS OperationsGuide
24 pages
Start Vcenter Install From .Iso File Using Windows 10
No ratings yet
Start Vcenter Install From .Iso File Using Windows 10
10 pages
Offline Assessment For Active Directory: Prerequisites
No ratings yet
Offline Assessment For Active Directory: Prerequisites
14 pages
Deploying and Managing Certificates
No ratings yet
Deploying and Managing Certificates
34 pages
Windows Admin L2
No ratings yet
Windows Admin L2
32 pages
Windows OS Deployment Docs
No ratings yet
Windows OS Deployment Docs
341 pages
Windows ADK
No ratings yet
Windows ADK
1,152 pages
Complete Guide To Vmware Clustering Ebook
No ratings yet
Complete Guide To Vmware Clustering Ebook
134 pages
How Active Directory Replication Topology Works
No ratings yet
How Active Directory Replication Topology Works
30 pages
Windows Admin Interview Questions
No ratings yet
Windows Admin Interview Questions
16 pages
Good Question /answer For Active Directory
No ratings yet
Good Question /answer For Active Directory
20 pages
Can You Change A Secondary Site To A Primary Site?
No ratings yet
Can You Change A Secondary Site To A Primary Site?
39 pages
MS100 PDF
No ratings yet
MS100 PDF
19 pages
Group Policy Presentation
100% (1)
Group Policy Presentation
31 pages
Step-By-Step: How To Install and Configure Domain Controller On Windows Server 2019
No ratings yet
Step-By-Step: How To Install and Configure Domain Controller On Windows Server 2019
10 pages
SCCM Interview
No ratings yet
SCCM Interview
62 pages
Troubleshooting PDF
No ratings yet
Troubleshooting PDF
991 pages
Troubleshooting Microsoft Exchange Server With PowerShell v1.00
100% (2)
Troubleshooting Microsoft Exchange Server With PowerShell v1.00
29 pages
Active Directory: FMSO Roles
No ratings yet
Active Directory: FMSO Roles
10 pages
Explain Three Main Features of Active Directory
No ratings yet
Explain Three Main Features of Active Directory
14 pages
Fsmo PDF
No ratings yet
Fsmo PDF
27 pages
Active Directory Rights Management Services A Clear and Concise Reference
From Everand
Active Directory Rights Management Services A Clear and Concise Reference
Gerardus Blokdyk
No ratings yet
NetBackup Complete Self-Assessment Guide
From Everand
NetBackup Complete Self-Assessment Guide
Gerardus Blokdyk
5/5 (1)
MCSA Windows Server 2016 Study Guide: Exam 70-741
From Everand
MCSA Windows Server 2016 Study Guide: Exam 70-741
William Panek
No ratings yet
Windows Failover Clustering Design Handbook
From Everand
Windows Failover Clustering Design Handbook
Stefanos Evangelou
No ratings yet
VMware Horizon View Essentials
From Everand
VMware Horizon View Essentials
Peter von Oven
No ratings yet
Enterprise Mobile Device Management Complete Self-Assessment Guide
From Everand
Enterprise Mobile Device Management Complete Self-Assessment Guide
Gerardus Blokdyk
No ratings yet
Oracle VM Manager 2.1.2
From Everand
Oracle VM Manager 2.1.2
Tarry Singh
No ratings yet
Cloud Computing with the Windows Azure Platform
From Everand
Cloud Computing with the Windows Azure Platform
Roger Jennings
3.5/5 (3)
Implementing NetScaler VPX™ - Second Edition
From Everand
Implementing NetScaler VPX™ - Second Edition
Sandbu Marius
No ratings yet
vCenter Troubleshooting
From Everand
vCenter Troubleshooting
Chuck Mills
No ratings yet
VMware For New Admins - Upgrade: VMware Admin Series, #3
From Everand
VMware For New Admins - Upgrade: VMware Admin Series, #3
Ronald Nutter
No ratings yet
DRBD-Cookbook: How to create your own cluster solution, without SAN or NAS!
From Everand
DRBD-Cookbook: How to create your own cluster solution, without SAN or NAS!
Joerg Christian Seubert
No ratings yet
Red Zone Map 2013
No ratings yet
Red Zone Map 2013
3 pages
To Whomsoever It May Concern
No ratings yet
To Whomsoever It May Concern
1 page
Quick Pivot Point Calculator: Yesterday' S Hi Yesterday's Lo Yesterday's Close Today's Open
No ratings yet
Quick Pivot Point Calculator: Yesterday' S Hi Yesterday's Lo Yesterday's Close Today's Open
4 pages
Quick Pivot Point Calculator: Yesterday' S Hi Yesterday's Lo Yesterday's Close Today's Open
No ratings yet
Quick Pivot Point Calculator: Yesterday' S Hi Yesterday's Lo Yesterday's Close Today's Open
4 pages
Shared Vs User Mailbox: /force, Gpupdate /logof Gpupdate /target Gpupdate /wait in Detail
No ratings yet
Shared Vs User Mailbox: /force, Gpupdate /logof Gpupdate /target Gpupdate /wait in Detail
4 pages
Wsus Interview
No ratings yet
Wsus Interview
25 pages
Exchange, ADFS, O365
No ratings yet
Exchange, ADFS, O365
56 pages
Mumbai Bus Route Nos
No ratings yet
Mumbai Bus Route Nos
6 pages
CV Capgemini (Esp) Jorge Rodriguez
No ratings yet
CV Capgemini (Esp) Jorge Rodriguez
4 pages
Microsoft Jet Database Engine Programmer's Guide - Chapter 2
No ratings yet
Microsoft Jet Database Engine Programmer's Guide - Chapter 2
33 pages
Data Storage, Retrieval and DBMS
100% (1)
Data Storage, Retrieval and DBMS
31 pages
BDA - M 3 - NoSQL
No ratings yet
BDA - M 3 - NoSQL
81 pages
Bscit 404
No ratings yet
Bscit 404
2 pages
Create A Calendar-Style Report
No ratings yet
Create A Calendar-Style Report
5 pages
Vkit Dv Lab Manual
No ratings yet
Vkit Dv Lab Manual
84 pages
Coursera CURPZZP7PL5N
No ratings yet
Coursera CURPZZP7PL5N
1 page
Creating tables, forms, queries
No ratings yet
Creating tables, forms, queries
2 pages
PM Debug Info
No ratings yet
PM Debug Info
2 pages
Employee Management System and Its DFD Levels (0)
No ratings yet
Employee Management System and Its DFD Levels (0)
4 pages
Distributed Databases
No ratings yet
Distributed Databases
17 pages
Cheat Cube Ubuntu
No ratings yet
Cheat Cube Ubuntu
2 pages
Irshad Anwar: Database Administrator
No ratings yet
Irshad Anwar: Database Administrator
5 pages
Inbound and Outbound Idoc Configuration Steps
No ratings yet
Inbound and Outbound Idoc Configuration Steps
7 pages
SQL Query To Find Second Highest Salary - GeeksforGeeks
No ratings yet
SQL Query To Find Second Highest Salary - GeeksforGeeks
6 pages
Homework 4 Class 8 and 9
No ratings yet
Homework 4 Class 8 and 9
4 pages
SWR Onboarding Process
No ratings yet
SWR Onboarding Process
1 page
Mobile Application Security Review Checklist
100% (1)
Mobile Application Security Review Checklist
2 pages
ActivitySolutions 6 (1) .1 Module9 Union Intersect Minus
0% (1)
ActivitySolutions 6 (1) .1 Module9 Union Intersect Minus
3 pages
Velammal Vidyalaya Practical Programs-Term2 Class XII-Computer Science 2022-2023
No ratings yet
Velammal Vidyalaya Practical Programs-Term2 Class XII-Computer Science 2022-2023
16 pages
NO. Title NO.: List of Figures List of Abbreviations List of Tables 1
No ratings yet
NO. Title NO.: List of Figures List of Abbreviations List of Tables 1
4 pages
Pemodelan Dan Implementasi Basis Data It-44-03 (PHG) : Started On
No ratings yet
Pemodelan Dan Implementasi Basis Data It-44-03 (PHG) : Started On
6 pages
How To Create Salesforce Custom Objects PDF
No ratings yet
How To Create Salesforce Custom Objects PDF
6 pages
How To Make Your Usb Drive Virus Resistant
No ratings yet
How To Make Your Usb Drive Virus Resistant
2 pages
STROBE DB2 Feature, Form Number STF004
No ratings yet
STROBE DB2 Feature, Form Number STF004
58 pages
h10640 Isilon NL Series Ss
No ratings yet
h10640 Isilon NL Series Ss
5 pages
Boot Camp Session 1: Module: COS 122 Author: Mr. Werner Hauger
No ratings yet
Boot Camp Session 1: Module: COS 122 Author: Mr. Werner Hauger
27 pages
Cara Instal Metro Framework UI Pada VB
No ratings yet
Cara Instal Metro Framework UI Pada VB
38 pages
Case Study On SQL Injection
No ratings yet
Case Study On SQL Injection
5 pages