Tag: Active Directory

Azure AD Connect sync issues

Now and then we get errors in our Azure AD Connect synchronization, or rather, my customers get errors.

And every now and then there is an error where it is not easy to spot what is wrong.

In this case the solution was not that easy, but when you think about it, it makes a kind of sense.

So this is the error I got.

[Screenshot of the Azure AD Connect synchronization error, last attempted 12/17/2019. Error type: Other Error. Error details: "The object failed synchronization. For more information, please see the error details. If the problem continues and cannot be fixed, please contact Microsoft Support." The dialog lists the object's User Principal Name, Object GUID, Attribute Value and Synchronization Status (On premises AD only), and links to the related article "Azure AD Connect: Troubleshooting Synchronization Errors".]

Looking into Azure AD Connect, it threw an error on synchronization.

After some investigation back and forth with the GUID that did not match the Azure AD Sync error, I found out that a deleted group was configured as a licensing group within Azure AD. Therefore, when it was deleted from on-prem AD it could not be deleted in Azure AD, since it was still in use.

By removing it from the license SKU, it removed itself on the next sync.

Find unlinked GPOs in your domain

Have you ever wondered whether your domain has any GPOs without a link, and which GPOs those are? This is how you find out with PowerShell, with output to the screen. A GPO whose XML report has no LinksTo element is not linked to any site, domain or OU.

# Requires the GroupPolicy module (RSAT). Get-GPOReport is slow on large domains; this walks every GPO once.
$unlinkedGPOs = Get-GPO -All | Where-Object {
    $report = [xml]($_ | Get-GPOReport -ReportType XML)
    -not $report.gpo.LinksTo    # no LinksTo element at all means no links
}
Write-Host "The following GPOs have no link:"
$unlinkedGPOs | Format-Table DisplayName -HideTableHeaders
Write-Host "Total: $($unlinkedGPOs.Count)"

Before deleting an unlinked GPO, take a backup of it with Backup-GPO; a GPO with no links can still be the only copy of settings someone intends to relink later.

Find domain admins with password never expires

Do you know how many domain admins you have in your domain? Do you know which domain admins are running with "password never expires" enabled? Thanks to PowerShell it is easy to find out.

# Variables below
# -Recursive expands nested groups; only user objects are passed on, since Get-ADUser fails on groups and computers
$domainadmins = Get-ADGroupMember -Identity "Domain Admins" -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties PasswordNeverExpires, LastLogonDate
# Output to screen
$domainadmins | Sort-Object -Descending -Property PasswordNeverExpires |
    Select-Object Name, SamAccountName, LastLogonDate, Enabled, PasswordNeverExpires |
    Format-Table -AutoSize

This will display on your screen all members of "Domain Admins" (including members of nested groups) with their last logon time, whether the account is enabled and whether "password never expires" is set. Note that LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which by default is only updated when it is more than about 14 days old, so it tells you whether an account is in use, not exactly when it last logged on.

If you want a file export you can use this line instead of output to screen:

# Output to file
$domainadmins | Sort-Object -Descending -Property PasswordNeverExpires |
    Select-Object Name, SamAccountName, LastLogonDate, Enabled, PasswordNeverExpires |
    Export-Csv -Path C:\Temp\domainadmins.csv -NoTypeInformation -Encoding UTF8 -Delimiter ","
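The same check is worth running against every built-in privileged group, not only Domain Admins, and with a password age and stale logon threshold next to the PasswordNeverExpires flag. The following is an added example written for this page, not code from the original post; it assumes the ActiveDirectory module, a domain-joined session, the default group names, and thresholds (365 and 90 days) and an output path that are placeholders to adjust.

```powershell
# Added example: audit the built-in privileged groups for weak password hygiene.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators'
$maxPasswordAgeDays = 365   # assumption: adjust to your policy
$staleLogonDays     = 90    # assumption
$now = Get-Date

$findings = foreach ($group in $privilegedGroups) {
    # Enterprise Admins and Schema Admins exist only in the forest root domain,
    # so the lookup is allowed to fail silently in a child domain.
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user'
    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName `
            -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate, AdminCount
        $flags = @(
            if ($u.PasswordNeverExpires) { 'PasswordNeverExpires' }
            if ($u.PasswordLastSet -and $u.PasswordLastSet -lt $now.AddDays(-$maxPasswordAgeDays)) { 'OldPassword' }
            if (-not $u.PasswordLastSet) { 'MustChangeOrNeverSet' }
            if (-not $u.LastLogonDate -or $u.LastLogonDate -lt $now.AddDays(-$staleLogonDays)) { 'StaleLogon' }
        )
        [pscustomobject]@{
            Group                = $group
            SamAccountName       = $u.SamAccountName
            Enabled              = $u.Enabled
            AdminCount           = $u.AdminCount
            PasswordNeverExpires = $u.PasswordNeverExpires
            PasswordAgeDays      = if ($u.PasswordLastSet) { (New-TimeSpan -Start $u.PasswordLastSet -End $now).Days } else { $null }
            LastLogonDate        = $u.LastLogonDate
            Flags                = $flags -join ','
        }
    }
}

# One row per (group, account); the same account can show up under several groups.
$findings | Sort-Object Group, SamAccountName | Format-Table -AutoSize
$findings | Export-Csv -Path C:\Temp\privileged-accounts.csv -NoTypeInformation -Encoding UTF8   # assumption: path
```

Rows with an empty Flags column are the ones you do not need to look at; everything else is either a password that never rotates, a password older than the policy allows, or a privileged account nobody has used recently and which should probably be disabled.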

“No logon servers are available” error after installing updates (SBS2008)

Yesterday I was doing maintenance on a Windows Small Business Server 2008. The Windows Update patches installed successfully and the restart button was pushed. And then the problems started.. The server rebooted and had problems starting several services such as Active Directory Domain Services, DNS, Exchange, Certificates and several more. Trying to log on to the server with my Domain Admin credentials gave me this error message:

[Screenshot: "No logon servers are available" error at logon]

The same error message came when I tried to log on to other servers in the domain. So what does the trick to fix this?

1. Log on to the server with the local administrator username and password (type ".\administrator" in the username field to force a logon with the local admin).
2. When logged in to the server, check that the services that are supposed to be started are started. As you noticed when you logged on, you got into safe mode... strange? Yes..
3. So, hit "WIN + R" and type "MSCONFIG".
4. Navigate to the "Boot" tab, clear "Safe boot" under "Boot options", hit Apply and restart your server.
5. Give the server some time to start up again and test the logon with a "domain admin" account. Worked for me 🙂

Check for Active Directory replication failures

A quick and easy way to check your Active Directory for any replication errors using Powershell.

# -Scope Domain expects the DNS name of the domain as -Target; (Get-ADDomain).DNSRoot supplies it for the current domain
Get-ADReplicationPartnerMetadata -Scope Domain -Target (Get-ADDomain).DNSRoot |
    Format-Table Server, Partner, Partition, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures -AutoSize

This lists every domain controller, each partner it pulls from, when it last replicated successfully from that partner and how many consecutive replication failures it has (if any). LastReplicationResult is the Win32 error code of the last attempt; 0 means success. Check the LastReplicationSuccess timestamps as well: a link that has not failed but has not succeeded in days is just as broken.
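A one-line listing is fine for a quick look, but what you actually want from a health check is a short answer: is anything failing or stale anywhere in the forest. The following is an added example written for this page, not code from the original post; it assumes the ActiveDirectory module, a session that can reach every DC, and a 24-hour staleness threshold that is an assumption to tune to your replication schedule.

```powershell
# Added example: forest-wide replication health check.
# Assumes the ActiveDirectory module and network access to every DC.
Import-Module ActiveDirectory

$staleHours = 24   # assumption: any link with no success in this long is reported
$forestName = (Get-ADForest).Name

# 1. Partner metadata: one row per (DC, partner, partition)
$meta = Get-ADReplicationPartnerMetadata -Scope Forest -Target $forestName

$problems = $meta | Where-Object {
    $_.ConsecutiveReplicationFailures -gt 0 -or
    $_.LastReplicationResult -ne 0 -or
    $_.LastReplicationSuccess -lt (Get-Date).AddHours(-$staleHours)
}

# 2. Failure records each DC keeps about its partners (error code and first failure time)
$failures = Get-ADReplicationFailure -Scope Forest -Target $forestName

if (-not $problems -and -not $failures) {
    Write-Host "Replication healthy: $(@($meta).Count) partner links checked, none stale or failing."
}
else {
    Write-Host "Links that are failing or stale:"
    $problems | Select-Object Server, Partner, Partition, LastReplicationSuccess,
        LastReplicationResult, ConsecutiveReplicationFailures | Format-Table -AutoSize

    Write-Host "Failure records:"
    $failures | Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError |
        Format-Table -AutoSize
}
```

Run it from a DC or an RSAT workstation; the same information is available from the command line with repadmin /replsummary and repadmin /showrepl, which is what to fall back on when the PowerShell cmdlets cannot reach a DC.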

AD: Windows Time configuration

Domain controllers

Only the domain controller holding the PDC emulator role should sync with an external NTP source (in a multi-domain forest, the PDC emulator of the forest root domain; child-domain PDC emulators follow the forest root). All other domain controllers should sync from the domain hierarchy, which leads back to the PDC emulator. To find the server holding the PDC emulator role, run
netdom query fsmo

On the domain controller holding the PDC emulator role you should configure NTP with this command (the pool names are an example; use the NTP servers your organisation trusts)
w32tm /config /manualpeerlist:"1.no.pool.ntp.org 2.no.pool.ntp.org" /syncfromflags:manual /reliable:yes /update

On the other domain controllers configure NTP with this command
w32tm /config /syncfromflags:domhier /reliable:no /update


On the servers in the domain you should configure NTP with this command
w32tm /config /syncfromflags:domhier /update

Servers outside the domain should use this (the /reliable flag is only meaningful on domain controllers, so it is left out here):
w32tm /config /manualpeerlist:"IP" /syncfromflags:manual /update

Some info

All of the above configurations must be followed by a restart of the Windows Time service for the change to take effect:
net stop w32time
net start w32time

If you want to compare the time of a list of computers against their NTP sources, run this (it prints each computer's offset and the source it is using):
w32tm /monitor /computers:p2dc02.corp.local,ntp.as2116.net

If the Windows Time service does not exist (it has been unregistered), register it again:
%windir%\system32\w32tm /register
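The commands above are four variants of the same decision: which role does this machine have. The following is an added example written for this page, not code from the original post; it works out the role of the machine it runs on, applies the matching w32tm configuration and verifies the result. It assumes the ActiveDirectory module on domain controllers, and the pool names are the ones used above and are only a placeholder.

```powershell
# Added example: choose the w32tm configuration from the machine's role and verify it.
# Run elevated. Assumes the ActiveDirectory module on DCs; peers are a placeholder.
Import-Module ActiveDirectory -ErrorAction SilentlyContinue

$externalPeers = '1.no.pool.ntp.org 2.no.pool.ntp.org'   # assumption: replace with your own
$cs = Get-CimInstance -ClassName Win32_ComputerSystem

if (-not $cs.PartOfDomain) {
    # Standalone server: manual peers. /reliable is only meaningful on domain controllers.
    w32tm /config "/manualpeerlist:$externalPeers" /syncfromflags:manual /update
}
elseif ($cs.DomainRole -ge 4) {
    # Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC
    $domain     = Get-ADDomain
    $isRootPdc  = ($domain.PDCEmulator.Split('.')[0] -eq $env:COMPUTERNAME) -and
                  ($domain.DNSRoot -eq (Get-ADForest).RootDomain)
    if ($isRootPdc) {
        # Forest root PDC emulator: the only DC that syncs from outside the forest
        w32tm /config "/manualpeerlist:$externalPeers" /syncfromflags:manual /reliable:yes /update
    }
    else {
        # Every other DC, including child-domain PDC emulators, follows the hierarchy
        w32tm /config /syncfromflags:domhier /reliable:no /update
    }
}
else {
    # Domain member server or workstation
    w32tm /config /syncfromflags:domhier /update
}

Restart-Service -Name w32time
w32tm /resync /rediscover

# Verification: the root PDC should report the external peer as its source,
# everything else a domain controller name.
w32tm /query /source
w32tm /query /status
```

If /query /source shows "Local CMOS Clock" on a domain controller after this, the hierarchy is not being found; check that the DC can resolve and reach the PDC emulator, and that no Group Policy time settings override the configuration.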

Thnx to Henning Ims for this fantastic solution. 🙂

Find disabled users with their group membership and remove them from their groups

To quickly see the disabled users and their group membership in your Active Directory you can use this Powershell command:

Get-ADUser -SearchBase "OU=OU1,DC=domain,DC=local" -Filter 'Enabled -eq $false' -Properties MemberOf |
    Format-Table SamAccountName, MemberOf -AutoSize

This script prompts you for a search base (like "OU=OU1,DC=lab2,DC=local") and removes all disabled users under it from their groups. MemberOf only holds direct memberships and never the primary group (normally Domain Users), so that one is left alone. Run Remove-ADGroupMember with -WhatIf first if you want to see what would be removed:

$inputFromUser = Read-Host 'Enter AD SearchBase'
if ([string]::IsNullOrWhiteSpace($inputFromUser)) {
    Write-Host 'Input error'
    return
}

$disabledUsers = Get-ADUser -SearchBase $inputFromUser -Filter 'Enabled -eq $false' -Properties MemberOf
foreach ($user in $disabledUsers) {
    # MemberOf contains the distinguished names of the groups the user is a direct member of
    foreach ($group in $user.MemberOf) {
        Write-Host "Removing $($user.SamAccountName) from $group"
        Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
    }
}

Honorable mention for assisting on this script goes to Bjørn Wang

edit: Added script for membership removal
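Removing memberships is destructive and the disabled account's group list is often the only record of what it had access to. The following is an added example written for this page, not code from the original post; it saves every membership to a CSV before removing it, supports a dry run, and can restore from the same CSV. It assumes the ActiveDirectory module; the search base and CSV path are placeholders.

```powershell
# Added example: snapshot memberships before removal, with dry run and restore.
# Assumes the ActiveDirectory module. Search base and path are placeholders.
Import-Module ActiveDirectory

function Remove-DisabledUserGroups {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [string] $BackupPath = 'C:\Temp\disabled-user-groups.csv',   # assumption
        [switch] $WhatIf
    )
    $disabled = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $false' -Properties MemberOf

    # One row per (user, group) so the same file can drive a restore later
    $snapshot = foreach ($u in $disabled) {
        foreach ($g in $u.MemberOf) {
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                UserDN         = $u.DistinguishedName
                GroupDN        = $g
            }
        }
    }
    if (-not $snapshot) {
        Write-Host "No disabled users with group memberships under $SearchBase"
        return
    }
    $snapshot | Export-Csv -Path $BackupPath -NoTypeInformation -Encoding UTF8
    Write-Host "Saved $(@($snapshot).Count) memberships to $BackupPath"

    foreach ($row in $snapshot) {
        # -WhatIf:$WhatIf passes the dry-run switch straight through to the AD cmdlet
        Remove-ADGroupMember -Identity $row.GroupDN -Members $row.UserDN -Confirm:$false -WhatIf:$WhatIf
    }
}

function Restore-DisabledUserGroups {
    param([string] $BackupPath = 'C:\Temp\disabled-user-groups.csv')   # assumption
    foreach ($row in Import-Csv -Path $BackupPath) {
        Add-ADGroupMember -Identity $row.GroupDN -Members $row.UserDN
    }
}

# Dry run first, then the real thing:
Remove-DisabledUserGroups -SearchBase 'OU=OU1,DC=domain,DC=local' -WhatIf
# Remove-DisabledUserGroups -SearchBase 'OU=OU1,DC=domain,DC=local'
```

Keep the CSV with the offboarding ticket; if the account has to be re-enabled, Restore-DisabledUserGroups puts the memberships back exactly as they were.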

Transfer or seize FSMO roles with powershell

To transfer all FSMO roles from one DC to another you can use the following line in powershell: 

Move-ADDirectoryServerOperationMasterRole -Identity "Target-DC" -OperationMasterRole SchemaMaster, RIDMaster, InfrastructureMaster, DomainNamingMaster, PDCEmulator

Replace "Target-DC" with the name of the target domain controller (the name is not case sensitive). Schema Master and Domain Naming Master are forest-wide roles; the other three are per domain, so in a multi-domain forest run the command in the domain whose roles you are moving.

To seize the roles instead, add -Force at the end of the command. Seize only when the current holder is permanently gone; a transfer asks the old holder to give the role up, while a seize just overwrites the role ownership in the directory. A DC whose roles were seized must never be brought back online without being demoted first, or you end up with two machines claiming the same role.
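A transfer is safe to script, a seize is not, so the two should not be the same line with a flag flipped. The following is an added example written for this page, not code from the original post; it shows the current holders before and after, transfers when the current holder answers, and only seizes after an explicit warning. It assumes the ActiveDirectory module, that all five roles sit on one DC (the common small-domain case), and "Target-DC" is the placeholder from the post.

```powershell
# Added example: show FSMO holders, transfer when possible, seize only as a last resort.
# Assumes the ActiveDirectory module and that all roles are currently on one DC.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    $f = Get-ADForest
    $d = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

$roles  = 'SchemaMaster', 'RIDMaster', 'InfrastructureMaster', 'DomainNamingMaster', 'PDCEmulator'
$target = 'Target-DC'   # placeholder from the post

Write-Host "Before:"
$before = Get-FsmoHolders
$before | Format-List

# Assumption: all roles are on the same DC, so checking the PDC emulator is enough
$current = $before.PDCEmulator

if (Test-Connection -ComputerName $current -Count 1 -Quiet) {
    # Graceful transfer: the old holder is told it no longer owns the roles
    Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $roles -Confirm:$false
}
else {
    Write-Warning "$current is unreachable. Seizing roles onto $target."
    Write-Warning "Do not bring $current back online without demoting it first."
    Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $roles -Force -Confirm:$false
}

Write-Host "After:"
Get-FsmoHolders | Format-List
```

After a seize, also clean the old DC out of the directory (metadata cleanup) so nothing else in the domain keeps trying to talk to it.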

DFS Replication error on Domain Controllers

If you have DFS Replication errors on one or more domain controllers, first find out which domain controller has the error.
Log on to each of your domain controllers and check the event log under Applications and Services Logs -> DFS Replication, and look for warnings.

In this example the domain controller had a dirty shutdown caused by a power failure.

If you find this one (Event ID 2213, "The DFS Replication service stopped replication on volume ..."), the resolution is described in the event itself. By default DFSR does not resume automatically after an unexpected shutdown; it waits for an administrator to call the ResumeReplication WMI method on the affected volume.

1. First of all, take a backup of your SYSVOL directory on all domain controllers (usually found under C:\Windows\SYSVOL).
2. Run the wmic command quoted in the event in an elevated command prompt. It calls ResumeReplication on the DfsrVolumeConfig instance for the volume, identified by the volume GUID printed in the event, so copy the command from your own event rather than from somewhere else.
3. The method should execute successfully and the return value should be 0.

When this is done, you should see an information event in the event viewer (Event ID 2214, reporting that the service recovered from the unexpected shutdown and resumed replication on the volume).
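The wmic command in the event is the only machine-specific part of the procedure. The following is an added example written for this page, not code from the original post; it pulls the volume GUID out of the 2213 events and makes the same ResumeReplication call through CIM, then checks for the 2214 event. It assumes it runs elevated on the affected DC, that SYSVOL has already been backed up as described above, and that the event message contains the volume GUID after the text "GUID:".

```powershell
# Added example: resume DFSR on volumes stopped after a dirty shutdown.
# Run elevated on the affected DC, after backing up SYSVOL.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; Id = 2213 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host 'No 2213 (replication stopped after unexpected shutdown) events found.'
    return
}

# The event text carries the volume GUID that the wmic command in the event expects
$guids = $events | ForEach-Object {
    if ($_.Message -match 'GUID:\s*([0-9A-Fa-f-]{36})') { $Matches[1] }
} | Sort-Object -Unique

foreach ($guid in $guids) {
    $vol = Get-CimInstance -Namespace 'root\microsoftdfs' -ClassName DfsrVolumeConfig |
        Where-Object { $_.VolumeGuid -eq $guid }
    if (-not $vol) {
        Write-Warning "No DfsrVolumeConfig instance for volume $guid"
        continue
    }
    # Same call as: wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig where volumeGuid="..." call ResumeReplication
    $result = Invoke-CimMethod -InputObject $vol -MethodName ResumeReplication
    Write-Host "ResumeReplication on $($vol.VolumePath) ($guid): ReturnValue=$($result.ReturnValue)"   # 0 = success
}

# The service logs 2214 once it has recovered the volume; give it a moment and check
Start-Sleep -Seconds 10
Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; Id = 2214 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

If 2213 keeps coming back on the same DC after every unclean restart, fix the cause of the unclean shutdowns first; resuming replication blindly after each one is how SYSVOL ends up with conflicting copies.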

How to find locked out users by using PowerShell

To retrieve a list of locked-out users in Active Directory, use these PowerShell commands:

1. Start PowerShell on one of your domain controllers (or on any machine with the RSAT tools installed).
2. Import the AD module: "Import-Module ActiveDirectory" (PowerShell 3.0 and later load it automatically on first use).
3. Search for locked-out users: "Search-ADAccount -LockedOut | Select-Object Name"
4. Unlock the users: "Search-ADAccount -LockedOut | Unlock-ADAccount -Confirm"

If step 4 fails, unlock the users manually from Active Directory Users and Computers (ADUC). Before unlocking, it is worth finding out what is locking the account, otherwise it will lock again within minutes: every lockout is recorded as Event ID 4740 in the Security log of the PDC emulator, and that event names the computer the bad password attempts came from.
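Putting the two together, the following is an added example written for this page, not code from the original post: it lists the locked-out accounts and, for each, how many 4740 lockout events the PDC emulator logged in the last 24 hours and which computer caused the most recent one. It assumes the ActiveDirectory module, rights to read the PDC emulator's Security log remotely, and a 24-hour look-back that is a placeholder.

```powershell
# Added example: locked-out accounts together with the source of the lockout.
# Assumes the ActiveDirectory module and read access to the PDC emulator's Security log.
Import-Module ActiveDirectory

$pdc   = (Get-ADDomain).PDCEmulator
$since = (Get-Date).AddHours(-24)   # assumption: look back one day

$lockedOut = Search-ADAccount -LockedOut | Select-Object Name, SamAccountName, LastLogonDate

# 4740 "A user account was locked out" is always written on the PDC emulator,
# whichever DC actually processed the bad passwords.
$events = Get-WinEvent -ComputerName $pdc `
    -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } `
    -ErrorAction SilentlyContinue

$sources = foreach ($e in $events) {
    # Properties[0] is TargetUserName; the caller is read from the message text
    $caller = if ($e.Message -match 'Caller Computer Name:\s*(\S+)') { $Matches[1] } else { '' }
    [pscustomobject]@{
        Time           = $e.TimeCreated
        SamAccountName = $e.Properties[0].Value
        CallerComputer = $caller
    }
}

$report = foreach ($acct in $lockedOut) {
    $hits = $sources |
        Where-Object { $_.SamAccountName -eq $acct.SamAccountName } |
        Sort-Object Time -Descending
    [pscustomobject]@{
        SamAccountName = $acct.SamAccountName
        LastLogonDate  = $acct.LastLogonDate
        LockoutEvents  = @($hits).Count
        LastCaller     = ($hits | Select-Object -First 1).CallerComputer
    }
}
$report | Format-Table -AutoSize

# Unlock only once the source is known, otherwise the account locks again:
# Search-ADAccount -LockedOut | Unlock-ADAccount -Confirm
```

A LastCaller that is a workstation usually means a stale saved credential or a mapped drive; a caller that is a server or an empty name with many events in a short time is worth treating as a possible password-spraying attempt rather than a helpdesk ticket.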