A place for info I've learnt in IT & stuff. (I get a little kick back from affiliate ads & links, just so you are aware)

Browsing Posts tagged AD

  • Run CMD as an Administrator on the DC and enter the following command.
  • Djoin /provision /domain MYDOMAIN /machine PD1000 /policynames "DirectAccess Client Settings" /rootcacerts /savefile c:\temp\PD1000provision.txt /reuse

The new computer account is created at the top level of the domain, in the default Computers container. Move it in AD to whatever OU you wish.

The file that is created needs to be transferred onto the C: drive of the new machine.

  • Put the provision file on the C: drive of the new machine in a folder such as c:\temp.
  • Open an elevated command prompt on the new machine, CD to c:\windows\system32 and run:

Djoin /requestodj /loadfile C:\temp\PD1000provision.txt /windowspath %windir% /localos

Then reboot.
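The two djoin steps above, wrapped in one PowerShell script as an added example (this is not code from the original post). It takes the domain, machine name, GPO name and blob path from the post; any other names are assumptions. The one thing worth adding to the post's procedure is that the provisioning file carries the new computer account's password, so the script restricts its ACL when it is written on the DC and deletes it once the new machine has consumed it.

```powershell
# Added example: offline domain join in two modes.
#   -Mode Provision  runs on the DC and writes the blob (djoin /provision)
#   -Mode Join       runs elevated on the new machine and consumes it (djoin /requestodj)
# Domain MYDOMAIN, machine PD1000 and the GPO name come from the post; everything else is an assumption.
param(
    [Parameter(Mandatory)] [string] $Domain,                         # e.g. MYDOMAIN
    [Parameter(Mandatory)] [string] $MachineName,                    # e.g. PD1000
    [string] $PolicyName = 'DirectAccess Client Settings',
    [string] $BlobPath   = "C:\temp\${MachineName}provision.txt",
    [ValidateSet('Provision', 'Join')] [string] $Mode = 'Provision'
)

function Invoke-Djoin {
    # Runs djoin.exe with the given arguments and stops on a non-zero exit code
    # so a failed provision is never mistaken for a usable blob.
    param([string[]] $Arguments)
    & djoin.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "djoin $($Arguments[0]) failed with exit code $LASTEXITCODE"
    }
}

if ($Mode -eq 'Provision') {
    # Step 1 (on the DC): create the computer account and write the provisioning blob.
    $dir = Split-Path -Path $BlobPath -Parent
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }

    Invoke-Djoin @('/provision', '/domain', $Domain, '/machine', $MachineName,
                   '/policynames', $PolicyName, '/rootcacerts',
                   '/savefile', $BlobPath, '/reuse')

    # The blob contains the machine account password: strip inherited ACEs and
    # grant only the account that produced it.
    icacls $BlobPath /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):F" | Out-Null
    Write-Host "Blob written to $BlobPath. Copy it to the new machine and run this script there with -Mode Join."
}
else {
    # Step 2 (on the new machine, elevated): stage the join against the local OS image.
    if (-not (Test-Path $BlobPath)) { throw "Provisioning file not found at $BlobPath" }
    Invoke-Djoin @('/requestodj', '/loadfile', $BlobPath, '/windowspath', $env:windir, '/localos')

    # The account secret now lives in the local machine's state; the blob is no longer needed.
    Remove-Item -Path $BlobPath -Force
    Write-Host 'Offline join staged. Reboot to complete it.'
}
```

Run it once on the DC (`-Mode Provision`), move the blob across, then once on the new PC (`-Mode Join`) before the reboot the post describes.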



Users receive the following error when logging onto a domain-joined Windows Vista or Windows 7 computer using cached credentials:

There are currently no logon servers available to service the logon request.

  1. LsaSrv Event 45058, logged in the System event log of a domain-joined workstation, indicates that the operating system has deleted the cached credential for the user specified in the event:

Log Name: System
Source: LsaSrv
Date: <date> <time>
Event ID: 45058
Task Category: Logon Cache
Level: Information
Keywords: Classic
User: N/A
A logon cache entry for user USERNAME@CONTOSO.COM was the oldest entry and was removed. The timestamp of this entry was MM/DD/YYYY HH:MM:SS.


The user logon error occurs when a user’s cached credentials have been purged from the local computer by more recent domain user logons.

Windows Vista and Windows 7 operating systems cache credentials for a finite number of user accounts (assuming cached credentials have not been disabled).

Once the cached logon quota has been reached, the operating system will purge the oldest cached credential from the local computer so that the credentials for the next unique domain user successfully authenticated by a domain controller may be cached. The logging of the LsaSrv 45058 event indicates that the cached logon quota has been reached, triggering the deletion of the oldest user credential cached on the local machine.

  1. Verify that cached credentials are allowed on the local computer. If the CachedLogonsCount registry value is 0, the system will not cache domain user credentials. See the More Information section below to determine the configurable range.
  2. If the user's credentials have been deleted OR cached credentials are disabled, establish network connectivity and name resolution with one or more domain controllers that can authenticate the user account's domain logon (VPN, etc.), then successfully authenticate the user's logon. If cached logons are enabled, a successful logon will cache that user's credentials while purging the oldest cached credentials. If establishing domain connectivity over a software VPN, you will likely have to establish the VPN from another local or cached domain user, persist that connection while logging off, then log on or switch to the domain user account whose credentials you want to cache.
  3. Evaluate increasing the cached logon quota with a domain administrator.
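A triage script for the problem described above, added here as an example (it is not part of the original article). It reads CachedLogonsCount from the Winlogon key and lists recent LsaSrv 45058 events so you can see whose cached entry was purged and when. The registry path and the event source are the documented ones; the 30-day lookback is an assumption.

```powershell
# Added example: check the cached logon quota and list cached-credential evictions.
param([int] $Days = 30)   # lookback window; assumption

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# CachedLogonsCount is a REG_SZ; when absent the OS uses the default of 10 (documented range 0-50).
$raw   = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
$quota = if ($null -eq $raw) { 10 } else { [int]$raw }

if ($quota -eq 0) {
    Write-Warning 'CachedLogonsCount is 0: domain credentials are never cached on this machine.'
} else {
    Write-Host "Cached logon quota on this machine: $quota (default 10, configurable 0-50)"
}

# Each 45058 event names the user whose entry was the oldest and got removed.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'LsaSrv'
    Id           = 45058
    StartTime    = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No LsaSrv 45058 events in the last $Days days; the quota has not been reached recently."
} else {
    Write-Host "$(@($events).Count) cached-credential evictions in the last $Days days:"
    $events | ForEach-Object {
        # Message text: "A logon cache entry for user USER@DOMAIN was the oldest entry and was removed. ..."
        $user = if ($_.Message -match 'for user (\S+) was the oldest') { $Matches[1] } else { '<unparsed>' }
        [pscustomobject]@{ Time = $_.TimeCreated; PurgedUser = $user }
    } | Format-Table -AutoSize

    Write-Host 'A user in this list who logs on without a DC reachable will get "no logon servers available";'
    Write-Host 'log them on once with domain connectivity to re-cache, or raise the quota.'
}
```

Run it elevated on the affected workstation; reading the System log and the Winlogon key both work without elevation on most builds, but elevation avoids access-denied noise.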

And the GUI version

I've used the GUI version and installed it on my XP box that had the AD tools installed. Then, once in, I got it to run as a domain admin account, otherwise you'll probably get no results back. Seemed to work fine in restoring a deleted user (although we have several DCs and I only restored to one. Think it needs to be replicated to the others to be totally working properly, as odd things with password history on that account appear to be playing up now. Only been a few mins so waiting for replication to see if the issue continues.)

On the Summary page of the Active Directory Domain Services Installation Wizard, you can click Export settings to save the settings that you specified in the wizard to an answer file. You can then use the answer file to automate subsequent installations of Active Directory Domain Services (AD DS).

The answer file is a plain text file with a [DCInstall] header. The answer file provides answers to the questions that are asked by the Active Directory Domain Services Installation Wizard. Using the answer file eliminates the need for an administrator to interact with the wizard. The Active Directory Domain Services Installation Wizard adds text to the answer file that explains how to use it, such as how to invoke it with the dcpromo command and which settings must be updated to use it.

During an unattended operation, a return code indicates whether or not the operation was successful. For information about return codes, see Unattended Installation Return Codes.

To use an answer file to install AD DS, type the following command at a command prompt, and then press ENTER:

dcpromo /answer[:filename]

Where filename is the name of your answer file.
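An added example of the unattended install described above, not code from the original text or from Microsoft: it builds a [DCInstall] answer file for adding a replica DC and runs dcpromo /answer against it. The section name and parameter names are the documented dcpromo unattend parameters; the domain name, site name and paths are assumptions. Because the file must contain the Directory Services Restore Mode password in clear text, the script prompts for it, restricts the file's ACL, and removes the file when dcpromo returns, and it uses Password=* so the domain credential is prompted for rather than stored.

```powershell
# Added example: drive dcpromo with a generated [DCInstall] answer file.
$DomainDnsName = 'corp.example.com'            # assumption
$SiteName      = 'Default-First-Site-Name'     # assumption
$AnswerFile    = Join-Path $env:TEMP 'dcinstall.txt'

# The DSRM password has to be written into the file; take it from the console instead of hard-coding it.
$dsrm      = Read-Host -AsSecureString 'SafeModeAdminPassword (DSRM)'
$dsrmPlain = (New-Object System.Management.Automation.PSCredential('dsrm', $dsrm)).GetNetworkCredential().Password

# Password=* makes dcpromo prompt for the domain admin credential rather than reading it from disk.
# RebootOnCompletion=No so the cleanup below runs before the server restarts.
$content = @"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=$DomainDnsName
SiteName=$SiteName
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=$DomainDnsName
UserName=Administrator
Password=*
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrmPlain
RebootOnCompletion=No
"@

try {
    Set-Content -Path $AnswerFile -Value $content -Encoding ASCII
    # Only the invoking account should be able to read the file while it exists.
    icacls $AnswerFile /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):F" | Out-Null

    & dcpromo.exe "/answer:$AnswerFile"
    Write-Host "dcpromo returned $LASTEXITCODE; look it up in the unattended installation return codes, then reboot."
}
finally {
    # Whether or not the promotion succeeded, do not leave the DSRM password on disk.
    if (Test-Path $AnswerFile) { Remove-Item -Path $AnswerFile -Force }
}
```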

AD Timeout

Try to get your hands on one of the clients that is experiencing the problem and run klist.exe or kerbtray.exe on it (both are part of the W2K/W2K3 Resource Kit) to verify that the client is not having problems renewing its Kerberos tickets (both the TGT and session tickets).


Domain Local Groups (These used to be plain Local groups).

Think of domain local groups as great hosts, literally anyone can be a member, users, Global groups, Universal groups, even computers can join a domain local group. Local groups are bad travellers and only operate in their own domain.

Best practice is to use domain local groups to assign permissions to resources like databases and printers.

Global Groups

These are great travellers, they can wander the entire Forest. The key point is that global groups are poor hosts and can only contain members from their own domain.

Best practice is to make global groups your default group type and, for starters, make a group to represent each of your departments.

Universal Groups

Another question for you: why is the radio button for creating a Universal group sometimes greyed out? The answer is that when the domain is in mixed mode you cannot create universal groups (NT 4.0 BDCs would not understand them). You need to raise the domain functional level to Windows 2000 native before you can benefit from universal groups. Think of universal groups as the ultimate container for nesting groups. They are good hosts and great travellers.

Best practice is to make it a rule to only include global groups inside Universal groups, never individual users.

Global Catalog Implications

As you would expect, domain local and global groups are listed in the global catalog, however the individual members are not listed. So changes in global group membership have zero impact on global catalog replication traffic.

Universal groups on the other hand, not only are listed in the global catalog but also the individual users or nested groups are also listed. Now you can see that adding users to a universal group will generate replication traffic. That is why Guy says only put global groups inside universal groups, the individual members inside the global groups are not replicated.

In Windows 2000 the situation is that one change of membership to a universal group causes the whole list to be replicated, thankfully that changed in Server 2003, now only incremental changes are replicated not the whole list.
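An audit of the nesting rule from the Universal Groups and Global Catalog sections above, added here as an example (it is not code from the original article). For every universal group it lists direct members that are not global groups, because those are exactly the members whose churn replicates to every global catalog. It assumes a single domain and the ActiveDirectory PowerShell module (RSAT); the SearchBase default is the domain root.

```powershell
# Added example: find members of universal groups that break the "only global groups" rule.
Import-Module ActiveDirectory

function Get-UniversalGroupViolations {
    param([string] $SearchBase = (Get-ADDomain).DistinguishedName)   # assumption: single domain

    Get-ADGroup -Filter 'GroupScope -eq "Universal"' -SearchBase $SearchBase | ForEach-Object {
        $universal = $_
        Get-ADGroupMember -Identity $universal -ErrorAction SilentlyContinue | ForEach-Object {
            $member = $_
            # Only groups can be global; users and computers always count as violations.
            $scope = if ($member.objectClass -eq 'group') {
                (Get-ADGroup -Identity $member.distinguishedName).GroupScope
            } else { 'n/a' }

            if ($scope -ne 'Global') {
                [pscustomobject]@{
                    UniversalGroup = $universal.Name
                    Member         = $member.Name
                    MemberClass    = $member.objectClass
                    MemberScope    = $scope
                }
            }
        }
    }
}

# Every row is a user, computer or non-global group whose membership changes hit GC replication directly.
Get-UniversalGroupViolations | Sort-Object UniversalGroup, Member | Format-Table -AutoSize
```

An empty result means every universal group contains only global groups, so adding or removing individual users inside those global groups costs no global catalog replication.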