Tag Archives: AD DS

Configuring Windows Server 2016 Core Domain Controller

In Windows Server 2016 you can no longer switch back and forth between the Core and Desktop Experience (GUI) installation options, so you cannot install and configure AD DS the lazy way (with the full GUI) and then convert the server to Core. That was something I discovered the hard way a long time ago, so I already keep separate VHDX templates for Server 2016 Core and full GUI VMs.

But it had been quite a while since I last played with Server Core, so when I started provisioning my new Server 2016 Core domain controller VMs today I realized that I needed to remember quite a few commands to fully install AD DS on Server Core. I was about to write a blog post listing the essential commands, but then found a very well written TechNet post covering exactly that: Chad's Quick Notes – Installing a Domain Controller with Server 2016 Core. So I am just sharing it here instead of writing the same thing myself 🙂
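For quick reference, here is the whole sequence as one PowerShell script. It is an example added here, not code from Chad's post or from this blog; the host name DC01, the 192.168.10.0/24 addressing and the conundrum.com forest name are assumptions for the example. Everything is typed into the Server Core console (or a remote PowerShell session) after the first logon:

```powershell
# Added example: promote a fresh Server 2016 Core install to the first DC of a new forest.
# Host name, addresses and forest name below are assumptions; adjust them to your environment.

# 1. Static addressing and host name (Server Core has no network applet to click through)
$nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
New-NetIPAddress -InterfaceIndex $nic.ifIndex -IPAddress '192.168.10.5' `
    -PrefixLength 24 -DefaultGateway '192.168.10.1'
# The first DC will host DNS for the forest, so point its own resolver at itself
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses '192.168.10.5'
Rename-Computer -NewName 'DC01' -Force -Restart
# ...the rename reboots the box; continue from here after it comes back:

# 2. Install the AD DS binaries; the management tools bring the ADDSDeployment module
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# 3. Dry run first: reports blocking issues (DNS, name resolution, FFL) without changing anything
Import-Module ADDSDeployment
$dsrmPassword = Read-Host -AsSecureString 'DSRM (safe mode) administrator password'
Test-ADDSForestInstallation -DomainName 'conundrum.com' `
    -SafeModeAdministratorPassword $dsrmPassword

# 4. Promote: new forest, 2016 functional levels, integrated DNS; the server reboots when done
Install-ADDSForest -DomainName 'conundrum.com' -DomainNetbiosName 'CONUNDRUM' `
    -ForestMode 'WinThreshold' -DomainMode 'WinThreshold' `
    -InstallDns -SafeModeAdministratorPassword $dsrmPassword `
    -Force

# 5. After the final reboot, confirm the DC is up and the directory services are running
Get-ADDomainController -Identity 'DC01' | Select-Object HostName, Domain, IsGlobalCatalog
Get-Service NTDS, DNS, Netlogon
```

With -Force the only interactive prompt is the DSRM password. That password is the one credential that can still log on to the DC when the directory service is stopped (Directory Services Restore Mode), so store it as carefully as the domain administrator's.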

How to force AD DS replication

Just a quick note on how you can force AD DS replication. You can do this by issuing the following command:

Repadmin /syncall DC_NAME /APed

To decipher the parameters: /A (all partitions), /P (push changes outward from the named DC), /e (enterprise, i.e. across sites), /d (identify servers by distinguished name in the output). Essentially this one command does what Replmon used to do in Windows 2003, in one step. Don't forget to replace DC_NAME with the name of one of your domain controllers. Of course there are other ways to do it, including the Active Directory Sites and Services console (dssite.msc): expand the DC, right-click a connection object under its NTDS Settings and choose Replicate Now, which pulls from the partner DC that connection object represents.

When to use it? When you have made changes to AD DS partitions and don't want to wait for the replication schedule, or when you want a quick test of whether AD DS replication works at all.
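The forced sync is only half of the test; you also want to see whether anything stayed broken afterwards. The following script, added here as an example rather than taken from the post, pushes replication from every DC in the forest with the same /APed flags and then reads the replication metadata back with the ActiveDirectory module. It assumes RSAT-AD-PowerShell and repadmin.exe are available and that it runs with domain admin rights:

```powershell
# Added example: push replication from every DC in the forest, then check for failures.
# Requires the ActiveDirectory module (RSAT-AD-PowerShell) and repadmin.exe; run as a domain admin.
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter * | Sort-Object HostName

foreach ($dc in $dcs) {
    Write-Host "Forcing push replication from $($dc.HostName)"
    # /A all partitions, /P push, /e cross-site, /d show DNs instead of GUIDs in messages
    repadmin /syncall $dc.HostName /APed | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "repadmin returned exit code $LASTEXITCODE on $($dc.HostName)"
    }
}

# Inbound replication status per partner and partition, with the time of the last success
$dcs | ForEach-Object {
    Get-ADReplicationPartnerMetadata -Target $_.HostName -Scope Server
} | Select-Object Server, Partner, Partition, LastReplicationSuccess,
                  LastReplicationResult, ConsecutiveReplicationFailures |
    Format-Table -AutoSize

# Anything still failing after a forced sync is a real problem, not a scheduling delay
$failures = $dcs | ForEach-Object { Get-ADReplicationFailure -Target $_.HostName -Scope Server }
if ($failures) {
    $failures | Select-Object Server, Partner, FirstFailureTime, FailureCount, LastError |
        Format-Table -AutoSize
} else {
    Write-Host 'No replication failures reported on any DC.'
}
```

A non-zero LastReplicationResult is a Win32 error code; 8453 (replication access denied) and 1722 (RPC server unavailable) are the usual suspects and point at permissions or firewall/DNS problems respectively, which no amount of /syncall will fix.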

The trust relationship between this workstation and the primary domain failed – proper fix

All too often I see people taking the wrong corrective action when they encounter the "The trust relationship between this workstation and the primary domain failed" error; it seems that even some Microsoft documentation gives bad advice here. If you get this error, use one of the proper resolution methods below instead of the lengthy and wrong "join a workgroup, then join the domain again" approach.

If you work with multiple domain-joined VMs and play with snapshots, you will very likely run into this error at some point. Here is the screenshot:

The error is caused by a broken secure channel between the computer and the domain. Every domain-joined computer has a computer account in AD with its own SID, a "username" (the computer name with a trailing $) and a password, even though you never type any of these explicitly; the machine stores its copy of the password as an LSA secret. When a user logs on with domain credentials the machine first establishes a secure channel to a DC using that account, and that fails whenever the machine's stored password no longer matches what AD holds. Typical ways to get there:

  • The VM was reverted to a snapshot (or restored from a backup) taken before the computer's last automatic password change. While online the machine rotates its password roughly every 30 days by default, and the DC accepts only the current and the previous value, so a revert across two changes breaks the channel. Note that merely being offline for a long time does not: the DC never expires a computer password, it is the client that initiates the change.
  • The OS was reinstalled and the machine was joined again under the same name, so the fresh install holds no copy of the existing account's password.
  • The LSA secret holding the machine password is otherwise out of sync with AD.

The key thing to remember when you hit this issue is never to join a workgroup and then the domain again: if the computer object is deleted and recreated in the process, the account gets a new SID and the machine loses all its group memberships and any permissions or delegations that were granted to the old SID.

The right fixes:

  1. ADUC: right-click the computer object > Reset Account, then rejoin the machine to the domain
  2. dsmod, then rejoin: dsmod computer "cn=COMPUTER-NAME,ou=Computers,dc=domain,dc=com" -reset
  3. nltest (no rejoin or reboot required): nltest /server:COMPUTER_NAME /sc_reset:domain\domain_controller_name. Be aware that this only re-establishes the secure channel to the named DC; it does not change the password, so it fails if the stored password no longer matches AD.
  4. PowerShell (no rejoin or reboot required): Test-ComputerSecureChannel -Repair, which generates a new computer password and writes it both to AD and to the local LSA secret

I strongly recommend remembering option 4. If you see "The trust relationship between this workstation and the primary domain failed" you know the secure channel is broken; log on to the machine as a local administrator, open an elevated PowerShell and run:

Test-ComputerSecureChannel -Repair -Credential DOMAIN\User

Once done, log off the local user and log back on with domain credentials. Problem solved!
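Wrapped into a small function so it can be reused on the next snapshot mishap, the test-then-repair sequence looks like this. It is an example added here, not code from the post; DOMAIN\User stands for an account allowed to reset this computer's password (a domain admin will do), and the optional -Server parameter is the cmdlet's own, useful when DNS on the broken box is also unhappy:

```powershell
# Added example: diagnose and repair a broken secure channel from the affected machine.
# Run in an elevated PowerShell as a local administrator. The credential is assumed to be
# a domain account allowed to reset this computer's password (e.g. a domain admin).

function Repair-SecureChannel {
    param(
        [Parameter(Mandatory)] [pscredential] $Credential,
        [string] $Server   # optional: talk to a specific DC instead of whatever the locator picks
    )

    # The two parties that must agree: the computer account NAME$ in AD and the local LSA secret
    $domain = (Get-CimInstance Win32_ComputerSystem).Domain
    Write-Host "Computer account: $env:COMPUTERNAME`$   Domain: $domain"

    # Test first: $true means the channel is fine and nothing needs to be touched
    if (Test-ComputerSecureChannel -Verbose) {
        Write-Host 'Secure channel is healthy; no repair needed.'
        return $true
    }

    # -Repair generates a new machine password, writes it to AD with the supplied credential
    # and to the local LSA secret, then re-establishes the channel. The computer object keeps
    # its SID and group memberships, unlike the unjoin/rejoin dance.
    $params = @{ Repair = $true; Credential = $Credential; Verbose = $true }
    if ($Server) { $params.Server = $Server }
    $repaired = Test-ComputerSecureChannel @params

    # Cross-check with Netlogon's own view of the channel (shows the DC it is now bound to)
    nltest /sc_query:$domain
    return $repaired
}

$cred = Get-Credential -Message 'Domain account allowed to reset this computer account'
Repair-SecureChannel -Credential $cred
# Now sign out of the local account and sign in again with domain credentials.
```

If Test-ComputerSecureChannel -Repair itself fails, Reset-ComputerMachinePassword -Server <DC> -Credential <cred> does the password reset alone and is worth trying before falling back to the ADUC or dsmod reset plus rejoin.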

How to: enable GC on domain controller (2 ways)

There are two ways of making your DC a GC; read on to learn how.

But before we launch into it, just look at that "making your DC a GC" sentence for a moment. It strikes me as a good example of what not to do when writing for a non-technical audience 🙂 I've recently started watching a very interesting CBT Nuggets course, "Essential Soft Skills for the IT Professional" by Steve Richards, where you learn that the key things when writing tech reports for a non-IT audience are: avoid JATB, give MWLH and don't SUCK 🙂

CBT Nuggets Tech Reports for Non-tech audience

Which of course means: avoid Jargon, Acronyms, Techspeak and Buzzwords (JATB), give More Why, Less How (MWLH), and don't Suffer from Using Computer Knowledge (SUCK) 🙂

OK, getting back to the main topic and switching to tech writing again. First it is worth checking which DCs are already GC-enabled, which you can do with the PowerShell cmdlets shown in the screenshots for this post:

Now how to enable/disable GC:

1) The PowerShell way of enabling GC. The GC role is a flag in the options attribute of the DC's NTDS Settings object, so it is just a Set-ADObject away:

And you can use the same cmdlet to disable it, as shown in the screenshot below:

Enable or disable GC with PS

2) The GUI way. Open Active Directory Sites and Services (dssite.msc), locate the domain controller you want to make a GC, open the Properties of its NTDS Settings and tick Global Catalog on the General tab:

NTDS Settings - Global Catalog
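For those who prefer text to screenshots, the PowerShell side of both steps (checking which DCs are GCs, then enabling or disabling the role) is spelled out below. This is an example added here, not the cmdlets from the post's screenshots; the DC name DC02 and the conundrum.com forest are assumptions. The one thing worth noting is that options is a bitmask, so the script flips only the GC bit (0x1) rather than overwriting the whole attribute:

```powershell
# Added example: report, enable and disable the Global Catalog role with PowerShell.
# The GC flag is bit 0x1 of the 'options' attribute on the DC's NTDS Settings object.
# 'DC02' and the conundrum.com forest are assumptions for the example.
Import-Module ActiveDirectory

function Get-GCStatus {
    # Which DCs are GCs right now, plus the raw options value for the curious
    Get-ADDomainController -Filter * |
        Select-Object HostName, Site, IsGlobalCatalog,
            @{ n = 'Options'; e = { (Get-ADObject $_.NTDSSettingsObjectDN -Properties options).options } }
}

function Set-GCRole {
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [Parameter(Mandatory)] [bool]   $Enabled
    )
    $dc      = Get-ADDomainController -Identity $DomainController
    $ntds    = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $current = [int]($ntds.options)          # [int]$null is 0 when the attribute is unset

    # Touch only bit 0x1; other bits (e.g. the inbound/outbound replication disabled flags
    # that repadmin /options sets) must survive the change
    $new = if ($Enabled) { $current -bor 1 } else { $current -band (-bnot 1) }
    if ($new -ne $current) {
        Set-ADObject -Identity $ntds.DistinguishedName -Replace @{ options = $new }
    }

    # Promotion is not instant: the DC first has to replicate in the read-only partitions
    # of the other domains before it advertises itself as a GC (_gc._tcp records in DNS)
    Get-ADDomainController -Identity $DomainController | Select-Object HostName, IsGlobalCatalog
}

Get-GCStatus | Format-Table -AutoSize
Set-GCRole -DomainController 'DC02' -Enabled $true
# ...and later, to remove the role again:
# Set-GCRole -DomainController 'DC02' -Enabled $false
```

Once replication has caught up, Get-ADForest | Select-Object -ExpandProperty GlobalCatalogs and nltest /dsgetdc:conundrum.com /GC both confirm that the new GC is being advertised; the DC also logs NTDS General event 1119 when it starts acting as a global catalog.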

By the way, there is an interesting connection between the GC and group scopes. You can only convert a group of any other scope to a universal group on a domain controller that holds the global catalog. This is somewhat obvious once you recall that universal groups, which combine the best of both worlds (domain local and global groups), can have members from domains other than the one in which the group object is stored and can be used to grant access to resources in any domain; their membership is therefore replicated to the global catalog, and only a global catalog server is guaranteed to have all the universal group memberships required to build a user's token at authentication.

How to: Enable AD DS recycle bin

Sample steps illustrating how to switch on the AD DS Recycle Bin in Windows Server 2012 R2. The AD DS Recycle Bin was first introduced in Server 2008 R2, but back then it had no UI to enable it or work with it (you had to mess with ADSI Edit or PowerShell). Server 2012 added a UI for this feature to the Active Directory Administrative Center (ADAC), making this cool feature really convenient to use.

Enabling the Recycle Bin is a one-way (irrevocable) forest-wide operation; it requires the forest functional level to be at least Windows Server 2008 R2 and membership in Enterprise Admins. You can enable it in Server 2012 R2 in two ways:

1) Through GUI using ADAC:

70-410 Enable AD DS Recycle Bin

2) Using PowerShell:

Import-Module ActiveDirectory

Enable-ADOptionalFeature -Identity `
    'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=conundrum,DC=com' `
    -Scope ForestOrConfigurationSet -Target 'conundrum.com'

Once the Recycle Bin feature is enabled by either method (1) or (2), the Enable option in ADAC remains visible but grayed out. The main improvement is that a UI for restore is now available: open the Deleted Objects container in ADAC, locate the deleted object (say a user), right-click it and select "Restore" or "Restore To":

70-410 AD DS Recycle Bin - Deleted objects container
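The same workflow is scriptable end to end, which matters when a bulk deletion takes out more objects than you want to right-click. The script below is an example added here, not code from the post; it checks the prerequisites, enables the feature by name (equivalent to the DN form above), lists what is currently in Deleted Objects and restores one object. The conundrum.com forest and the deleted user named jdoe are assumptions:

```powershell
# Added example: check, enable and then actually use the AD Recycle Bin from PowerShell.
# conundrum.com and the deleted user 'jdoe' are assumptions for the example.
Import-Module ActiveDirectory

function Test-RecycleBinEnabled {
    # EnabledScopes stays empty until the feature has been enabled for the forest
    $feature = Get-ADOptionalFeature -Filter 'name -eq "Recycle Bin Feature"'
    return ($feature.EnabledScopes.Count -gt 0)
}

function Enable-RecycleBin {
    param([Parameter(Mandatory)] [string] $ForestName)
    $forest = Get-ADForest -Identity $ForestName
    # Prerequisite: forest functional level 2008 R2 or higher (the cmdlet refuses otherwise)
    if ($forest.ForestMode -lt [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest) {
        throw "Forest functional level $($forest.ForestMode) is too low for the Recycle Bin"
    }
    if (Test-RecycleBinEnabled) { Write-Host 'Recycle Bin is already enabled'; return }
    # Irreversible for the whole forest, hence the confirmation prompt unless you pass -Confirm:$false
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name
}

function Get-DeletedADObjects {
    # Deleted objects live under CN=Deleted Objects and are hidden from normal searches;
    # -IncludeDeletedObjects makes them visible. The container itself is filtered out.
    Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
        Select-Object Name, ObjectClass, lastKnownParent, whenChanged, ObjectGUID
}

Enable-RecycleBin -ForestName 'conundrum.com'
Get-DeletedADObjects | Format-Table -AutoSize

# Restore one object. While deleted its name carries a "DEL:<guid>" suffix, so match on the prefix.
# Without -TargetPath the object returns to lastKnownParent; -TargetPath is the "Restore To" equivalent.
$victim = Get-ADObject -Filter 'isDeleted -eq $true -and name -like "jdoe*"' -IncludeDeletedObjects
if ($victim) { Restore-ADObject -Identity $victim.ObjectGUID }
```

One caveat: a deleted object is restorable only for the deleted object lifetime (msDS-deletedObjectLifetime, 180 days by default in forests created with 2008 R2 or later, 60 days in older ones). After that it becomes a recycled object, stripped of most attributes, and neither ADAC nor Restore-ADObject can bring it back.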