Implementing LAPS
Translated with google Good morning, in the test environment I am trying to activate the LAPS features. The activation seems to have been successful. From the computer that acts as DC in AD it shows me the DSRM user password. While from the computer account of the test PC for LAPS no account or password is displayed. Obviously I created a GPO for the application of the LAPS parameters I have already restarted the PC several times and performed a GPupdate /force What can I check to have LAPS active on the client too? This is the data of the test network PC: W11 Pro 10.0.26100 build 26100 Server: W2025 srv Datacenter 10.0.26100 build 26100 Domain functional level 2025 Forest functional level 2025 ----------------------------------------------------------------------------------------------------------------- Buongiorno,in ambiente di test stò provando ad attivare le funzionalità LAPS. L'attivazione sembra essere andata a buon fine. Dal computer che fà da DC in AD mi fà vedere la password dell'utenza DSRM. Mentre dall'account computer del PC di test per LAPS non è visualizzato nessun account e nessuna password. Ovviamente ho creato una GPO per l'applicazione dei parametri LAPS Ho già riavviato più volte il pc ed eseguito un GPupdate /force Cosa posso verificare per avere LAPS attivo anche sul client? Questi i dati della rete di test Pc: W11 Pro 10.0.26100 build 26100 Server: W2025 srv Datacenter 10.0.26100 build 26100 Livello funzionale del dominio 2025 Livello funzionale della foresta 2025
Windows 2022 server to Windows 2025 Active directory migration
Hi In the lab I had 2 servers dc1 which is Windows 2022 and dc2 which was 2025 server. I transferred all roles from 2022 and this was working perfect but then I made one mistake by demoting dc1 2022 using GUI server and looks like that took out whole domain dc2 2025 has all the roles however when I try to open Active directory users and computers this is what i get Naming information cannot be locateed because the specified domain either doesnt exist or couldnt be contacted This is when I try to open Active directory users and computers. Interestingly enough in my workspace I just shut down domain controller that i want to decomission and then cleanup metadata but in this instance i wanted to try demote domain controller and this is the process that took domain out Now I dont have backup all I have ntds dit file and I am not sure whether it is possible to restore domain with just this file dc2 is still domain controller but even netdom query fsmo says no domain controllers
Password change error message too generic on Windows Server 2025 domain
Hi everyone, In two different production environments running on Windows Server 2025 (fresh Active Directory installations), users reported an issue when trying to change their password via Ctrl+Alt+Del → Change a password. If the new password doesn't meet complexity requirements, the system returns only a generic error: "Unable to change the password at this time." There’s no indication that the failure is due to the password not meeting policy requirements (length, complexity, history, etc.), which creates confusion and unnecessary support tickets. In previous environments running on Windows Server 2016 or 2019, the error message was more informative, clearly stating when a password was too weak or did not meet domain policy. Is this generic message a known change in Windows Server 2025? Has anyone else encountered the same issue? Is there any way to re-enable the more detailed error descriptions? Thanks in advance for any insight!
Active Directory Unable to reset user passwords
I am managing a Windows Server 2025 Active Directory environment with client machines. I created a test user and enabled the option “User must change password at next logon.” I then provided a temporary password to the user, expecting them to get the prompt to change it on first login. However, when the user attempts to change the password, they receive the error: “The user must change password before signing in.” My goal is that when I provide a temporary password to a user: They get the prompt to change the password at next logon. When they change it, it should not throw the “user must change password before signing in” error. I need guidance on how to achieve this so users can reset their passwords successfully.DNS and host domain
I configured a Windows 2019 server with DNS service. The domain is contoso.com. The contoso.com domain is outside the local network. I entered the IP of the external domain and deleted the IPs of the Windows server and the replica server. After a few minutes, the server created two host domains again with the IPs of the DNS servers. How do I prevent it from setting the DNS servers as the host domain?Unable to manage DFS namespace from DFS MMC
Error: The namespace cannot be queried. The specified domain either does not exist. Hi, I have an issue with DFS at our site. It has been working fine for years, but recently the ability to manage it using the DFS MMC no longer works. DFS is still working for the users fine and I can map to it manually, but the MMC tool no longer connects. I can create new namespaces fine though. The error is: " The namespace cannot be queried. The specified domain either does not exist or could not be contacted. " I can't risk recreating the namespace due to the impact on users, so anyone have any idea to fix this? Many thanks DBClients failed to obtain internet right after DC 01 failover to DC02.
Hi, Recently, our team conducted a Disaster Recovery (DR) exercise where we successfully failed over from DC01 to DC02. The objective was to verify that DC02 could take over Windows services such as DNS, DHCP, and Active Directory (AD) to ensure business continuity. However, after shutting down DC01, we observed the following issues: Clients began losing internet connectivity. DHCP failed to lease addresses to clients. Connectivity on client machines was only restored after running the ipconfig /flushdns command, which forced them to communicate with DC02. Everything when back to normal when we resumed AD01. For additional context, our environment is also using ClearPass as the RADIUS server and has no issue authenticating clients. I would like to seek advice from anyone with expertise in this area: did we overlook any critical steps during or after the failover process?
DCs not replicating across VPN
I am at a loss here. I have looked at every CMD option I can find, verified DNS and cannot get my DCs replicating across the VPN. I don't understand how I was able to join the domain but now the connectivity is a problem. So here is my setup: 2 DCs in Site (my building) 2 DCs in Datacenter connected by IPSec VPN I can ping the IP, the DNS name, the short name, and the domain from all DCs regardless of location. I have verified on each DNS server that the name servers are correct and resolved. I have run nltest, dcdiag, syncall, repadmin, etc. The only error that keeps showing up in most commands is 1722 network error. RPC unavailable. Topology incomplete. One oddity that I found was that on the DCs in the datacenter Sites and Services was missing one of the local DCs. I added it manually but there are no NTDS Settings for it. I have flushed DNS, reregistered DNS, restarted the servers. All Windows firewalls are set to ANY ANY for domain services. My WAN firewalls are ANY ANY between the sites I have no idea what to look for next. Please if anyone has ideas let me know. Also I have already build new servers multiple times and this keeps happening.
