DCs not replicating across VPN
I am at a loss here. I have looked at every CMD option I can find, verified DNS and cannot get my DCs replicating across the VPN. I don't understand how I was able to join the domain but now the connectivity is a problem. So here is my setup: 2 DCs in Site (my building) 2 DCs in Datacenter connected by IPSec VPN I can ping the IP, the DNS name, the short name, and the domain from all DCs regardless of location. I have verified on each DNS server that the name servers are correct and resolved. I have run nltest, dcdiag, syncall, repadmin, etc. The only error that keeps showing up in most commands is 1722 network error. RPC unavailable. Topology incomplete. One oddity that I found was that on the DCs in the datacenter Sites and Services was missing one of the local DCs. I added it manually but there are no NTDS Settings for it. I have flushed DNS, reregistered DNS, restarted the servers. All Windows firewalls are set to ANY ANY for domain services. My WAN firewalls are ANY ANY between the sites I have no idea what to look for next. Please if anyone has ideas let me know. Also I have already build new servers multiple times and this keeps happening.
DNS and host domain
I configured a Windows 2019 server with DNS service. The domain is contoso.com. The contoso.com domain is outside the local network. I entered the IP of the external domain and deleted the IPs of the Windows server and the replica server. After a few minutes, the server created two host domains again with the IPs of the DNS servers. How do I prevent it from setting the DNS servers as the host domain?
Active Directory Unable to reset user passwords
I am managing a Windows Server 2025 Active Directory environment with client machines. I created a test user and enabled the option “User must change password at next logon.” I then provided a temporary password to the user, expecting them to get the prompt to change it on first login. However, when the user attempts to change the password, they receive the error: “The user must change password before signing in.” My goal is that when I provide a temporary password to a user: They get the prompt to change the password at next logon. When they change it, it should not throw the “user must change password before signing in” error. I need guidance on how to achieve this so users can reset their passwords successfully.
msDFSR-options value at the end of Authoritative synchronization of DFSR
Hello, I had a Sysvol synchronisation problem between my domain Controllers, so i made an authoritative synchronization of DFSR-replicated to fix it. Everything works find but i still have a question about the msDFSR-options value, should i keep it "1" or reset it to "not defined" Source : https://learn.microsoft.com/en-gb/troubleshoot/windows-server/group-policy/force-authoritative-non-authoritative-synchronization
Server 2016 Essentials coexisting with Server 2022 Standard
I am in the process of replacing an older Server 2016 essentials with a Server 2022 Standard. The 2016 Essentials server is today acting as the primary domain controller for the domain. My plan is to: 1. install the new Server 2022 Std 2. Join it to the existing domain as a Backup Domaincontroller 3. Promote the new server to PDC 4. Move contents and applications on the Essentials 2016 server 5. Demote the old 2016 Essentialsserver 6 Decomission the old server. 7. Lift the entire domain to a higher level. So the question is. Can these servers co-exist as domain controllers in the same environment or do I have to have another approach to the server change? Best regards, DavidFailed test VerifyReferences
Hello everyone, We are using Windows Server 2019 Standard as the primary and currently only domain controller. Previously, there were several additional domain controllers, but they have all been demoted. dcdiag test VerifyReference returns me the following error: Starting test: VerifyReferences Some objects relating to the DC 18DC06 have problems: [1] Problem: Missing Expected Value Base Object: CN=NTDS Settings,CN=18DC06,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=vk, DC=local Base Object Description: "DSA Object" Value Object Attribute Name: serverReferenceBL Value Object Description: "SYSVOL FRS Member Object" Recommended Action: See Knowledge Base Article: Q312862 [1] Problem: Missing Expected Value Base Object: CN=18DC06,OU=Domain Controllers,DC=vk, DC=local Base Object Description: "DC Account Object" Value Object Attribute Name: msDFSR-ComputerReferenceBL Value Object Description: "SYSVOL FRS Member Object" Recommended Action: See Knowledge Base Article: Q312862 ......................... 18DC06 failed test VerifyReferences Please advise on how to further investigate and resolve this issue. Thanks in advance.Can't RDP when in protected users group 2 domains no trust
I have the following issue and have read a lot about people with similar issues, but not quite the same setup as we have. We are working with 2 domains. I call them Domain A and B. So Domain A is our own domain, with our own DC and servers. Domain B is a shared setup for our customers. We all are working with our mailto:email address removed for privacy reasons accounts to gain access to servers from our customers. All customer servers are member of Domain B All admin accounts are members of protected users. When i am logged in to our management server, that is a member of domain A i cannot RDP with my mailto:email address removed for privacy reasons account to whatever server from our customers. When i am in the office, we can access domain B from our personal laptops who are only Entra ID joined. From our personal laptops we can RDP to the servers of the customers in Domain B with the mailto:email address removed for privacy reasons accounts. Strange thing is: not all admin accounts have this issue (at the same time) Issue is resolved spontaniously My first question is, do i need to have a domain trust between Domain A and Domain B Both the domains have higher domain functional level then 2012 R2. I have communication between my management machine in Domain A to the domain controllers of Domain B. Not only ping, but also KDC, DNS, LDAP, etc. Our domain controller in Domain A does not have communication to Domain B.
GroupPolicy/Registry issue
My MDR product is having an issue with scanning the registry of our hosts. It times out and causes performance issues, essentially bringing down the host. I opened a case with their support and we narrowed the issue down to this reg key: Computer\HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects There are hundreds of sub keys, each with their own sub keys. It seems each time group policy is applied to the host, 2 new keys are created, a machine and a user key. As a test, I deleted everything under the main key and rebooted. After logging back in, 2 new keys had been created. After a day I checked again and there were a dozen or more. Now after a few weeks we're back up to hundreds. Does anyone have any ideas as how to automatically clean up the older entries to keep the number to a minimum? Or is there a way to stop this behavior? Thanks
Wireless secure Windows server 2022
Hello everyone, I am trying to implement ‘wireless secure’ in my domain. I have followed various guides and everything seems to be configured correctly, but I keep getting this error: Reason: Explicit EAP error received Error: 0x40420016 EAP reason: 0x40420016 EAP root cause string: Network authentication failed\nThe authentication method required to connect to the network is not available in Windows. EAP error: 0x40420016 I have verified that communication via AP-WLC-NPS is working correctly, but it is unable to authenticate via eap-tls. Do you have any suggestions? I have collected several logs, but many of them may not be necessary. Thank you for your support.