Active Directory

AD, DNS and associated services

A more elegant solution than ‘unjoin rejoin domain’: reset computer machine password

It's common to be tempted to unjoin and rejoin a computer to an AD domain in the belief that this will resolve an issue. Or there are error messages related to domain membership, and it's believed unjoin+rejoin is the only solution. Here is an example of one of those errors: "trust relationship cannot be established". Fortunately, there is a much more elegant solution that specifically addresses the domain relationship problem without having to unjoin, reboot, rejoin, reboot. Also unjoin+rejoin Read more [...]

Error in DCDIAG: “The replication operation failed to allocate memory”

Issue: While running DCDIAG you receive the following error: "The replication operation failed to allocate memory".

Resolution: I checked the page file settings as well as reviewed Task Manager to confirm the server was not out of memory. I decided to reboot the server to see if the memory issue would go away, and in my case the issue was resolved. This particular domain controller was virtualized with VMware, so I granted it a small memory reservation (256 MB) in VMware. Additional Read more [...]

Processing of Group Policy failed. Windows attempted to read file sysvol\policies and was not successful

Issue: Numerous issues on DC including:
- Cannot apply group policy
- Cannot access the sysvol
- Errors include "Could not open pipe with [DC1]:failed with 53", "Failed can not test for HOST SPN", "An net use or LsaPolicy operation failed with error 53"

DCDIAG Errors:
Starting test: MachineAccount
Could not open pipe with [DC1]:failed with 53: The network path was not found.
Could not get NetBIOSDomainName
Failed can not test for HOST SPN
Failed can not test for HOST SPN
Starting Read more [...]

Enable inheritance on all AD user accounts

Issue: You need to enable permission inheritance on all AD user accounts or a specific group of accounts.

Background: Enabling inheritance on AD accounts typically required one to check the "include inheritable permissions..." checkbox on the 'Security Tab > Advanced' screen in ADUC on every user account one at a time (see checkbox of doom). That's a whole lot of clicking!

Solution: PowerShell can be used to enable permissions inheritance on a large group of AD user accounts.

1) Read more [...]

Force GPUPDATE on all domain computers

Issue: You need to force group policies to refresh on all domain computers immediately rather than waiting the default 90 minutes.

Solution: You can use PSEXEC to accomplish this feat.

1) Download PSTOOLS from Microsoft, extract and copy to c:\PSTOOLS
2) Open a Command Prompt as administrator:

To update group policies on all domain machines:

psexec \\* gpupdate /force

PSEXEC queries Active Directory for the computer names to run the command against, thus it will likely run against Read more [...]