Active Directory Domain Services, Install – FKA: “ADUC” or “Active Directory Users and Computers”
Server Manager → Manage → Installation Type: Role-based or feature-based installation → Add Roles and Features → Server Selection: leave default (local server) → Server Roles: Check “Active Directory Domain Services”
Active Directory Sites and Services – Open Active Directory Sites and Services (Administrative tools, Active Directory Sites and Services from control panel).
If you can’t find it listed, run dssite.msc. This normally only works on Windows Server unless you install a plug-in
Active Directory, back up info to a file – this is part of the regular Microsoft system and file backup. One way of doing this is to run “ntbackup” from a command line. At some point choose between backing up all the files or just the System State data.
Active Directory, manage from Windows 8 or other non-server OS – Windows Server Administration Tools Pack - see RSAT (Remote Server Administration Tools)
Advanced Group Policy Management (AGPM) - you must have a license from MS and set up a dedicated server
back up Active Directory and domain information to a file so you can restore – see Active Directory, back up info to a file
back up domain to a mirrored server – see domain, back up
compare group policies to each other - see policy analyzer tool
“Could not find any available Global Catalog in forest <yourdomain.net>” – see also Group Policy problem network connectivity
determine which DC in your domain computers are looking to as the PDC (Primary Domain Controller)
nltest /dcname:yourdomain
Check to see whether your PDC – as determined from the step above – is set as a Global Catalog (see domain controller, determine whether it’s set as a global catalog)
verify that the server servername has a valid trust relationship with your PDC
nltest /server:servername /sc_query:yourdomain
should return something like:
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\ dcs2.mydomain.local
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
dcdiag, failed test frsevent – see frsevent
DHCP servers, get rid of obsolete - see remove old DHCP servers
- Start Adsiedit.msc
- Open the configuration Container
- Expand Services
- Expand Net Services
- On the right hand side you will find a record named CN=DHCPRoot
- Right Click the CN=DhcpRoot entry and then click Properties
- Highlight DhcpServers Attribute and click Edit
directory service on xxx has not finished initializing (during dcdiag)
repadmin /showreps
DNS info
dig utility (from BIND)
nslookup
DNS name servers
From command line, nslookup. That will show your name server. Then type in a FQ domain name and it will return an IP address.
Control panel, Network and Internet Connections, Network Connections bottom right, right click Local Area Connection and select "Properties", Highlight "Internet Protocol (TCP/IP)", click Properties
or, see IP Address, find
DNSMGMT.MSC
Location: C:\WINDOWS\system32\config\netlogon.dns
DNS out of date when pinging
Let’s say you’ve recently updated a DNS entry for “bob” on your domain server from 192.168.0.51 to 192.168.0.52
Now, on your client PC, when you
nslookup bob
you get 192.168.0.52 – as expected. But when you
ping bob
you still get 192.168.0.51. What to do? Try
Ipconfig /flushdns
And then ping again. That should fix.
DNS problems
look in C:\WINDOWS\system32\config\netlogon.dns for anomalies. Note: doesn’t matter how you edit netlogon.dns or netlogon.dnb. You can actually delete them and then restarting the netlogon service recreates them with whatever was in there before.
Netdiag below doesn’t work anymore in Windows 7 or Windows Server 2008/2012. But back in the day, it worked OK.
netdiag /fix
(or all by itself without the /fix)
For domains:
dcdiag /fix
(or all by itself without the /fix) and
dcdiag /test:registerindns /dnsdomain:domain
or
dcdiag /e /test:DNS
or
nltest /dsregdns
if this is a domain controller
You could try nslookup. For instance,
nslookup yourlocalserver.yourdomain.net
or
nslookup someoutsidedomain.com
if success,
Server: yourdomainserver.yourdomain.net
Address: 192.168.0.1
Name: yourlocalserver.yourdomain.net
Address: 192.168.0.2
If success on a server with IPv6
Server: yourdomainserver.yourdomain.net
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
primary name
server = 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
responsible mail addr = (root)
serial = 0
refresh = 28800 (8 hours)
expire = 604800 (7 days)
default TTL = 86400 (1 day)
Server: Unknown
Address: ::1
Name: yourlocalserver.yourdomain.net
Address: 192.168.0.2
if problems,
Server: yourdomainserver.yourdomain.net
Address: 192.168.0.1
*** yourdomainserver.yourdomain.net can’t find
yourlocalserver.yourdomain.net: Non-existent domain
DNS OK but can’t ping – you can sometimes look up outside servers but you can’t ping them. For instance,
nslookup yourdomainserver
or
nslookup someoutsidedomain.com
work OK but pinging won’t.
The following might work
1. Go to device manager. Disable the NIC, enable again. If this works for a little bit but then problem again, consider replacing your NIC.
The following actions do NOT solve this problem:
1. IPConfig /FlushDNS
2. netsh interface tcp show global
to show and then
netsh int tcp set global autotuninglevel=disabled
to change and
netsh int tcp set global autotuninglevel=normal
to change back
3. net stop dnscache
followed by net start dnscache
4. netsh winsock reset catalog
(which requires a restart afterwards)
DNS, set up from command line
netsh interface ip add dns name="NIC1" 192.168.0.123
netsh interface ip add dns name="NIC1" 192.168.0.124 index=2
DNS, split – see split DNS here
Documents and Settings directory, change to a different drive – Go to Start>Run>Regedit and browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList. On this entry you will see an entry on the right for %systemdrive%\Documents and Settings. You should be able to substitute %systemdrive% for whichever drive letter you want.
Make sure you create a Documents and Settings folder in the location you specify and that correct permissions are applied. You can also change that entire path to "Y:\TerminalS\Stuff\Documents and Settings" or whatever you want. If you browse the registry entries under ProfileList you will notice that is where information on each entry is kept. You may need to delete each entry for the users so their profile is created again at the new location.
Also, if you decided to move a profile from one place to the other to keep all settings, manually copy the folder then update the path in the ProfileImagePath entry for the profile, listed under the ProfileList.
Alternatively, on Vista, make a junction:
mklink /J "C:\Users\Bob User" "E:\Profiles\Bob User"
or you can make a junction under Windows XP/Windows 2000. The Junction utility is not part of these OSes and must be downloaded.
Junction "C:\Documents and Settings\<original folder name>" "G:\Profiles\<original folder name>"
documents, remove record of most recently used - In Windows XP Professional, the Start menu contains a My Recent Documents folder that contains 15 of your recently used documents.
To remove the record of recently accessed documents:
Right-click Start, click Properties, and then click Customize.
Click the Advanced tab, and then click Clear List. If you're using the Classic Start menu, click Clear.
Clicking Clear List empties the My Recent Documents folder. It doesn’t delete the documents from your computer.
If you don’t want to include anything in the My Recent Documents folder:
On the Advanced tab, click Customize, and then clear the List my most recently opened documents check box.
In Windows XP Home Edition, My Recent Documents is not automatically listed on the Start menu. You can turn on this feature by right-clicking Start, clicking Properties, clicking Customize, and then selecting the List my most recently opened documents check box.
Also MRU-Blaster utility
domain, back up information to a file so you can restore – see Active Directory, back up info to a file
domain, back up to a mirrored server - create an additional domain controller by running dcpromo (an optional /adv switch is only necessary when you want to create a domain controller from restored backup files. It is not required when creating an additional domain controller over the network)
On the Domain Controller Type page, click Additional domain controller for an existing domain
On the Copying Domain Information page, click Over the network
If you get ‘The operation failed because: The attempt to join this computer to domain mydomain.com failed. “The specified user already exists”’, it’s probably because the server you’re trying to make into an additional domain controller was already listed as a domain controller on the domain controller you’re trying to replicate from. Assuming this new server was broken somehow and you’ve recreated it from the ground up, solve this by deleting this new domain controller (which at one time in the past was a valid alternate domain controller) from the list of domain controllers on the source domain controller.
domain controller, change – see FSMO roles, view and transfer from 2003 or Transferring FSMO Roles
domain controller, determine whether it’s set as a global catalog - see also global catalog servers, list
First way to check: make sure that the Domain Controller is set as a Global Catalog in Active Directory Sites and Services.
From the left side pane, expand Sites > Default-First-Site-Name > Servers
Expand the server you want to check, right-click its NTDS Settings, then click Properties. If it is a Global Catalog, the “Global Catalog” box is checked.
Another way to check: open group policy management console. This might be a bit more involved since the group policy management console is not installed by default for 2003 servers but must be downloaded and installed.
domain controllers, list of (including which one is primary domain controller)
this will list all the domain controllers and indicate which one is your primary domain controller
nltest /dclist:yourdomain
or this will just list your primary domain controller all by itself
nltest /dcname:yourdomain
Short command to find out all this stuff:
netdom query fsmo
should return something like:
Schema master yourmainserver.yourdomain.net
Domain naming master yourmainserver.yourdomain.net
PDC yourmainserver.yourdomain.net
RID pool manager yourmainserver.yourdomain.net
Infrastructure master yourmainserver.yourdomain.net
The command completed successfully.
To change these, follow instructions here.
This will list DCs along with whether they have the global catalog role:
dsquery server -domain genetic-id.com | dsget server -isgc -dnsname
should return something like:
dnsname isgc
ad2.yourdomain.com yes
AD1.yourdomain.com yes
ad3.yourdomain.com yes
ad0.yourdomain.com yes
dsget succeeded
domain, demote
When I ran
dcdiag /test:connectivity /s:myPDCserver.mydomain.net
I got:
Domain Controller Diagnosis
Performing initial setup:
[myPDCserver.mydomain.net] LDAP bind failed with error 8341
A directory service error has occurred
So I decide to demote:
dcpromo /forceremoval
When I re-run
dcdiag /test:connectivity /s:myPDCserver.mydomain.net
OK
domain demotion unsuccessful, remove data in Active Directory after – see here
domain diagnostics –
netdiag /fix (or all by itself without the /fix) for any member of a domain
dcdiag /fix (or all by itself without the /fix) and dcdiag /test:registerindns /dnsdomain:domain if this is a domain controller
gpotool
nltest /dclist:yourdomain
or, which domain does this machine belong to
nltest /dsgetsite
Domain Functional Level using PowerShell
Get-ADDomain | fl Name, DomainMode
domain, join -
First I tried the following from here:
netdom /domain:<domain name> /user:adminuser /password:apassword MEMBER MYCOMPUTER /JOINDOMAIN
returned
parameter domain was unexpected
this one
netdom add <computername> /domain:<domain name> /UserD:<domain admin> /PasswordD:<password>
succeeds in doing something, but it didn't really seem to add the machine to the domain because
nltest /dsgetsite
failed with
Getting DC name failed: status = 1919 0x77f ERROR_NO_SITENAME
This works
netdom join <computername> /domain:<domain name> /UserD:<domain admin> /PasswordD:<password>
If you get
The specified domain either does not exist or could not be contacted
then maybe look at your DNS.
Other things you might try in PowerShell (from here):
Add-Computer
or, also in PowerShell, try
net localgroup administrators /add <DomainName>\<UserName>
domain, rename – see Windows Server 2003 Active Directory Domain Rename Tools (a detailed, 81-page word document)
Before you do this, rename the computer name of the server itself which hosts the domain to its new domain name. Although they touch on this on page 14, they never actually mention renaming the computer name itself. Seems obvious in retrospect...
After you do this, download and install the Group Policy Management Console add in – especially if you get “Windows cannot bind to olddomain.com domain. (Local Error). Group Policy processing aborted.” (event ID 1006) errors every 5 minutes in the event viewer. Again, this is something I didn’t see addressed in pages 57-67.
domain, which domain does this machine belong to
nltest /dsgetsite
short version (NetBIOS)
nbtstat -n
Forest Functional Level using PowerShell
Get-ADForest | fl Name, ForestMode
FrsEvent, failed test – you might see this when running dcdiag
This puts some info to a file. What to do with it? Not sure.
ntfrsutl ds > somefile.txt
try testing DNS:
Dcdiag /test:DNS
FSMO roles, view and transfer from 2003 (from here)
Short command to find out all this stuff:
netdom query fsmo
should return something like:
Schema master yourmainserver.yourdomain.net
Domain naming master yourmainserver.yourdomain.net
PDC yourmainserver.yourdomain.net
RID pool manager yourmainserver.yourdomain.net
Infrastructure master yourmainserver.yourdomain.net
The command completed successfully.
Transfer the Schema Master Role
Use the Active Directory Schema Master snap-in to transfer the schema master role. Before you can use this snap-in, you must register the Schmmgmt.dll file.
Register Schmmgmt.dll
Click Start, and then click Run.
Type regsvr32 schmmgmt.dll in the Open box, and then click OK.
Click OK when you receive the message that the operation succeeded.
Transfer the Schema Master Role
Click Start, click Run, type mmc in the Open box, and then click OK.
On the File menu, click Add/Remove Snap-in.
Click Add.
Click Active Directory Schema, click Add, click Close, and then click OK.
In the console tree, right-click Active Directory Schema, and then click Change Domain Controller.
Click Specify Name, type the name of the domain controller that will be the new role holder, and then click OK.
In the console tree, right-click Active Directory Schema, and then click Operations Master.
Click Change.
Click OK to confirm that you want to transfer the role, and then click Close.
Transfer the Domain Naming Master Role
Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.
Right-click Active Directory Domains and Trusts, and then click Connect to Domain Controller.
NOTE: You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer.
Do one of the following:
In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.
-or-
In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.
In the console tree, right-click Active Directory Domains and Trusts, and then click Operations Master.
Click Change.
Click OK to confirm that you want to transfer the role, and then click Close.
Transfer the RID Master, PDC Emulator, and Infrastructure Master Roles
Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
Right-click Active Directory Users and Computers, and then click Connect to Domain Controller.
NOTE: You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer.
Do one of the following:
In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.
-or-
In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.
In the console tree, right-click Active Directory Users and Computers, point to All Tasks, and then click Operations Master.
Click the appropriate tab for the role that you want to transfer (RID, PDC, or Infrastructure), and then click Change.
Click OK to confirm that you want to transfer the role, and then click Close.
fully qualified domain name, can’t resolve – try
netsh int ip reset reset.log
You’ll need to reboot and then reset your network settings. This may or may not help.
global catalog servers, list -
from PowerShell prompt:
Get-ADForest yourdomain.com | FL GlobalCatalogs
should return something like:
GlobalCatalogs : {ad2.yourdomain.com, od1.subdomain.colo, od2.subdomain.colo, AD1.yourdomain...}
or, from command prompt:
nslookup gc._msdcs.%USERDNSDOMAIN%
should return something like:
Addresses: 192.168.0.11
192.168.0.10
192.168.0.13
192.168.0.15
which, unfortunately, does not include the server names
or, from the command prompt
nslookup
Set the query type to SRV (service location) records.
>set type=srv
Find the Global Catalog Server(s).
>_gc._tcp.<DnsForestName>
Example:
>_gc._tcp.yourdomain.com
This will list a bunch of stuff:
Server: ad1.yourdomain.com
Address: 192.168.0.11
_gc._tcp.yourdomain.com SRV service location:
priority = 0
weight = 100
port = 3268
svr hostname = bk3.subdomain.colo
_gc._tcp.yourdomain.com SRV service location:
priority = 0
weight = 100
port = 3268
svr hostname = ad3.yourdomain.com
bk3.subdomain.colo internet address = 192.168.100.172
ad3.yourdomain.com internet address = 192.168.0.18
to me, this last listing is better than the 1st two
or, from command prompt:
dsquery server -domain yourdomain.com | dsget server -isgc -dnsname
this lists all your domain controllers along with the isgc
dnsname isgc
ad2.yourdomain.com yes
AD1.yourdomain.com yes
ad3.yourdomain.com yes
ad0.yourdomain.com yes
dsget succeeded
group policies, compare to each other - see policy analyzer tool
group policy editor (local) (not to be confused with the more global Active Directory group policy management console) - immediately below - see also Advanced Group Policy Management (AGPM)
gpedit.msc
which brings up the GUI
To instead see the results displayed in the command console
gpresult /R
group policies with at least one link
Group Policy Management → Forest → Domains → your domain → right-click → Search… → this action will bring up the Search for Group Policy Objects dialog box.
Click on the Search Item dropdown and select the GPO-links. This search item will search for GPOs that are linked to an OU. Change the Condition dropdown to be Exist In and the domain to be your domain.
When you’re complete, click on Add to add the criteria. It will show up under the All search criteria section.
group policy management console (for all of active directory) (not to be confused with the complementary local group policy management editor) immediately above
to run:
gpmc.msc
On older systems, it's not automatically installed. And even on newer systems, I usually have to install RSAT first before it's available.
group policy problem
Windows cannot bind to yourcompany.com domain. (Local Error). Group Policy processing aborted. – try (from here):
PDCe points to himself and himself only for DNS
replica DCs point to PDC for preferred, themselves as alternates (for simple standardization)
clients in site with PDCe point to PDCe for preferred DNS, and replicas as alternates
clients in remote sites point to their local DC for DNS, and other DCs as alter
Search through registry for yourcompany.com entries.
Once you think you’ve fixed everything, then run: gpupdate /force and look in the event viewer to see if you really fixed anything. gpresult might also yield clues.
What finally cleared it for me was by downloading and installing the Group Policy Management Console add in. Once I did that, a bad Group Policy object stood out under my domain. I deleted it and created a new one and finally the problem went away.
Other hints at EventID.net
Group Policy Object Editor from Active Directory Users and Computers
- Open Active Directory Users and Computers
- In the console tree, right-click the domain or organizational unit for which you want to set Group Policy
- Click Properties, and then click the Group Policy tab
- Do one of the following:
- To edit an existing Group Policy object, click the Group Policy object in the list, and then click Edit.
- To create a new Group Policy object, click New, type a name for the new Group Policy object, and then click Edit.
Group Policy problem network connectivity – “ The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.” – event ID 1129 – even though you can ping the domain server
First, verify problem by running the following command at the command line
gpupdate
You might get the same problem. But you might also get a generic:
Refreshing policy...
User Policy Refresh has completed
Computer Policy Refresh has completed.
To check for errors in policy processing, review the event log.
Run
netdiag
or
dcdiag
Pay particular attention to the DNS test. Once, I ran netdiag on the problem machine and saw:
DNS test . . . . . . . . . . . . : Failed
[WARNING] The DNS entries for the DC are not registered correctly on DNS server ‘192.168.0.1’ and other DCs also have some of the names registered.
[WARNING] The DNS entries for the DC are not registered correctly on DNS server ‘192.168.0.1’ and other DCs also have some of the names registered.
[FATAL] No DNS servers have the DNS records for this DC registered
on the problem server. But on another server (which was not having problems) I found no problems whatsoever
DNS test . . . . . . . . . . . . : Passed
PASS – All the DNS entries for the DC are registered on DNS server ‘192.168.0.1’. Please wait 30 minutes for DNS server replication.
PASS – All the DNS entries for the DC are registered on DNS server ‘192.168.0.2’ and other DCs also have some of the names registered.
So that was curious. Running
netdiag /fix
did not fix this problem.
Follow it up with
dcdiag /test:connectivity /s:myPDCserver.mydomain.net
I got:
Domain Controller Diagnosis
Performing initial setup:
[myPDCserver.mydomain.net] LDAP bind failed with error 8341
A directory service error has occurred
Determine which DC in your domain computers are looking to as the PDC (Primary Domain Controller)
nltest /dcname:yourdomain
Check to see whether your PDC – as determined from the step above – is set as a Global Catalog (see domain controller, determine whether it’s set as a global catalog) - see also global catalog servers, list
Then try:
nltest /sc_query:yourdomain
or, more specifically
nltest /server:servername /sc_query:yourdomain
If no problems, you should get something like:
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\yourPDC.yourdomain.net
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
If problems:
Flags: 0
Trusted DC Name
Trusted DC Connection Status Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully
Then try (from an elevated administrator command prompt):
nltest /sc_verify:yourdomain
If no problems, you should get something like:
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\yourPDC.yourdomain.net
Trusted DC Connection Status Status = 0 0x0 NERR_Success
Trust Verification Status = 0 0x0 NERR_Success
The command completed successfully
If problems:
Flags: 80
Trusted DC Name
Trusted DC Connection Status Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
Trust Verification Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully
If that returns success, run
nltest /sc_reset:yourdomain
should return something like
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\yourPDC.yourdomain.net
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
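The nltest checks above, turned into something you can script. This is an added example, not code from the original page: it parses nltest /sc_query and /sc_verify output into an object and maps the status codes that appear on this page (0, 5, 1311, 1355) to the next step the page suggests. The function names ConvertFrom-NltestOutput and Get-SecureChannelState are hypothetical, and the sample outputs are constructed from the ones shown on this page.

```powershell
# Added example, not the page author's code. Function names are hypothetical.
# The parser is plain text handling; only Get-SecureChannelState needs nltest.exe.

function ConvertFrom-NltestOutput {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Text)

    # Collapse whitespace first: pasted output often wraps the status name.
    $flat = $Text -replace '\s+', ' '
    $state = [ordered]@{
        Flags = $null; TrustedDC = $null
        ConnectionCode = $null; ConnectionName = $null
        VerifyCode = $null; VerifyName = $null
        Verdict = 'Unparsed'
        NextStep = 'Output not recognised; rerun nltest by hand.'
    }
    if ($flat -match 'Flags: ([0-9a-f]+)') { $state.Flags = $Matches[1] }
    if ($flat -match 'Trusted DC Name (\\\\ ?\S+)') {
        $state.TrustedDC = $Matches[1] -replace ' ', ''
    }
    # A failed call and a completed query both print "Status = <dec> <hex> <NAME>".
    $statusRx = '(?:I_NetLogonControl failed: |Trusted DC Connection Status )' +
                'Status = (\d+) 0x[0-9a-f]+ (\w+)'
    if ($flat -match $statusRx) {
        $state.ConnectionCode = [int]$Matches[1]
        $state.ConnectionName = $Matches[2]
    }
    # Only /sc_verify prints this second status line.
    if ($flat -match 'Trust Verification Status = (\d+) 0x[0-9a-f]+ (\w+)') {
        $state.VerifyCode = [int]$Matches[1]
        $state.VerifyName = $Matches[2]
    }
    if ($null -eq $state.ConnectionCode) { return [pscustomobject]$state }

    # The first non-zero status decides the verdict.
    $code = $state.ConnectionCode
    if ($code -eq 0 -and $null -ne $state.VerifyCode) { $code = $state.VerifyCode }

    # Next steps are the ones this page tries for each status.
    $hints = @{
        0    = 'Secure channel is up; nothing to do.'
        5    = 'Machine account is rejected: reset its password or rejoin the domain.'
        1311 = 'No DC answered: check nltest /dcname, the global catalog and DNS.'
        1355 = 'Domain not found or not contacted: look at DNS.'
    }
    if ($code -eq 0) { $state.Verdict = 'Healthy' } else { $state.Verdict = 'Broken' }
    if ($hints.ContainsKey($code)) { $state.NextStep = $hints[$code] }
    else { $state.NextStep = "Unlisted status $code; run: net helpmsg $code" }
    [pscustomobject]$state
}

# Live use on a domain member: runs nltest and parses what it prints.
function Get-SecureChannelState {
    param([Parameter(Mandatory)][string]$Domain, [string]$Server)
    $nlArgs = @("/sc_query:$Domain")
    if ($Server) { $nlArgs = @("/server:$Server") + $nlArgs }
    ConvertFrom-NltestOutput -Text ((& nltest.exe @nlArgs 2>&1 | Out-String))
}

# Constructed samples, modelled on the outputs shown on this page.
$samples = [ordered]@{
    healthy = @'
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\yourPDC.yourdomain.net
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
'@
    noLogonServers = @'
Flags: 80
Trusted DC Name
Trusted DC Connection Status Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
Trust Verification Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
'@
    accessDenied = @'
Flags: 0
Trusted DC Name
Trusted DC Connection Status Status = 5 0x5
ERROR_ACCESS_DENIED
'@
    callFailed = 'I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN'
}

foreach ($name in $samples.Keys) {
    ConvertFrom-NltestOutput -Text $samples[$name] |
        Select-Object @{ n = 'Sample'; e = { $name } }, Verdict, ConnectionName, NextStep
}
```

Run across a list of machines, Get-SecureChannelState gives a quick inventory of which members have a broken secure channel before users start reporting logon or Group Policy failures.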
To determine the cause of trust relationship problems
1. Log on with a local account.
2. Set Net Logon flags by using the Nltest tool as follows:
nltest /dbflag:0x2000ffff
3. Run nltest as follows:
nltest /sc_reset:yourdomain
The %windir%\debug\netlogon.log explains why the secure channel setup is not possible. One possible reason is that SYSVOL isn't ready on the computer. By examining the Netlogon.log file, you can find the following error:
08/30 10:15:19 [MAILSLOT] Returning paused to 'Reskit1' since: SysVol not ready
In order for the directory service to consider itself synchronized, it must attempt an initial synchronization with at least one replica of this server's writeable domain. (in DCDIAG results)
repadmin /showreps
for XP, Win 2000, Windows 7 - “ipconfig /all” from DOS window
for Win9x - type “winipcfg” from the “start/run” command line - only works in Win9x, not XP or Win2000
winipcfg for XP - see utilities, Doug Knox or Microsoft's site
netsh interface ip show config
IP address, configure from command line
netsh interface ip show config
The following command configures the interface named Local Area Connection with the static IP address 192.168.0.100, the subnet mask of 255.255.255.0, and a default gateway of 192.168.0.1:
netsh interface ip set address name="Local Area Connection" static 192.168.0.100 255.255.255.0 192.168.0.1 1
more here
to set up DNS
netsh interface ip add dns name="NIC1" 192.168.0.123
netsh interface ip add dns name="NIC1" 192.168.0.124 index=2
KDC (Key Distribution Center) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate (event ID 29)
You could start by running
certutil -dcinfo verify
from a command line which should return a list of certificate details for all your domain controllers.
Or for a GUI format, run pkiview.msc
Microsoft suggested barging ahead and removing certificates willy-nilly before verifying using the “certutil -dcinfo verify” at the end of their article. But I tried that command at the beginning and nothing seemed amiss. So why would I delete them if nothing’s wrong?
One thing I did notice was when I went into Server Manager/Active Directory Certificate Services/Certificate Templates that it said they were all bad and gave me a choice to fix. So I did.
“Kerberos client received a KRB_AP_ERR_MODIFIED error from the server MYPC$. The target name used was cifs/MYPC.yourdomain.net. This indicates that the target server failed to decrypt the ticket provided by the client.” – event ID 4 coupled with “The session setup from the computer MYPC failed to authenticate. The name(s) of the account(s) referenced in the security database is MYPC$. The following error occurred: Access is denied.” – event ID 5722
This only appears for one client in the domain. I tried lots of things
nltest /sc_query:yourdomain
from the client results in
Flags: 0
Trusted DC Name
Trusted DC Connection Status Status = 5 0x5 ERROR_ACCESS_DENIED
The command completed successfully
So obviously something’s wrong. And only with this client; other clients return
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\2ndof2servers.yourdomain.net
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
With no problem. So what’s wrong? I try a specific domain server:
nltest /sc_query:yourdomain /server:1stof2servers
from the client results in
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\2ndof2servers.yourdomain.net
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
Huh? If I specify a server, it’s happy? But if I specify another domain server (which is actually the PDC)
nltest /sc_query:yourdomain /server:2ndof2servers
from the client I get
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
So it’s OK with one server but not the other. Strange and inexplicable, but I get the same result from any other, normal client on the network. So this was not much help.
Creating a new SID on the client machine using NewSID.exe failed with “NewSID was unable to change the computer’s SID”
Reset the machine account in ADUC GUI on the domain server did nothing. Only later did I find out that “You cannot change the machine account password by using the Active Directory Users and Computers snap-in, but you can reset the password by using the Netdom.exe tool.”
Use the Netdom.exe tool to reset the account password
The Netdom.exe tool resets the account password on the computer locally (known as a "local secret") and writes this change to the computer's computer account object on a Windows domain controller that resides in the same domain. Simultaneously writing the new password to both places ensures that at least the two computers involved in the operation are synchronized, and starts Active Directory replication so that other domain controllers receive the change.
You must run the tool locally, from the Windows-based computer whose password you want to change. Additionally, you must have administrative permissions locally and on the computer account's object in Active Directory to run Netdom.exe.
Remove the Kerberos ticket cache on the domain controller (or local PC?) where you receive the errors.
klist
To show the cache. I notice I see other PCs trying to connect to my little client. Can’t figure out why. It’s not as if I’m running this on a domain controller. Anyway, I proceed to purge.
Klist purge
To purge. Then
netdom resetpwd /s:myserver /ud:mydomain\administrator /pd:*
where “server2” in this case is the domain server and “administrator” is the user who has rights. ’Course, this didn’t work ’cause netdom is deprecated in Windows 7!
C:\>netdom resetpwd /s:myserver /ud:mydomain\administrator /pd:*
'netdom' is not recognized as an internal or external command,
operable program or batch file.
So let’s try one of its replacements:
Test-ComputerSecureChannel -repair
Which I have to run in PowerShell instead of a DOS window. Well that didn’t go so well
PS C:\Users\carol> Test-ComputerSecureChannel -repair
Test-ComputerSecureChannel : This command cannot be executed on target computer('MYPC') due to following error: Access is denied.
At line:1 char:27
+ Test-ComputerSecureChannel <<<< -repair
+ CategoryInfo : InvalidOperation: (MYPC:String) [Test-ComputerSecureChannel], InvalidOperationException
+ FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands.TestComputerSecureChannelCommand
Even though I was running as administrator. This seems to work inconsistently on different machines. On one machine where I don’t have any problems, I started PowerShell as administrator. Or at least I thought I did. But there was no hesitation and blacked out screen asking if I really wanted to run this. And it failed. Next time I tried on that same machine, it did hesitate and ask me if I really wanted to run and the command worked:
PS C:\Windows\system32> Test-ComputerSecureChannel -repair
True
But on the problem PC, PowerShell always came up right away without that hesitation and asking if I really wanted to run no matter how many times I tried to run as administrator. And it always came up with the same error message. Even if I log on as an administrator, same result. However for both machines when I try
PS C:\Windows\system32> Test-ComputerSecureChannel -confirm
I get
Confirm
Are you sure you want to perform this action?
Performing operation
"Test-ComputerSecureChannel" on Target "MYPC".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y
True
The last thing I tried is probably the first thing I should have tried: simply remove the PC from the domain and then add it back again. ’Course, for this to work, you need to activate the invisible local administrator ID and know its password.
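The repair sequence above as one script: an added example, not part of the original notes. It checks for an elevated token first, since the runs above that skipped the UAC prompt were the ones that failed. It assumes Windows PowerShell 3.0 or later (where Test-ComputerSecureChannel accepts -Credential); the function names and the DomainController parameter are made up for illustration.

```powershell
# Added example, not from the original notes. Assumes Windows PowerShell 3.0
# or later, where Test-ComputerSecureChannel accepts -Credential.

function Test-IsElevated {
    # True only when this session holds a full administrator token (UAC accepted).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Repair-DomainSecureChannel {
    param(
        [string] $DomainController   # hypothetical parameter: DC to use, e.g. 'myserver'
    )

    if (-not (Test-IsElevated)) {
        throw 'Session is not elevated. Start PowerShell with "Run as administrator" and accept the UAC prompt.'
    }

    # Only pass -Server when a DC was named; otherwise let Windows pick one.
    $target = @{}
    if ($DomainController) { $target.Server = $DomainController }

    # Read-only check first: returns True when the channel is already healthy.
    if (Test-ComputerSecureChannel @target) {
        return 'Secure channel is healthy; nothing to repair.'
    }

    # The repair needs an account with rights on the computer object in AD.
    $cred = Get-Credential -Message 'Domain account allowed to reset this computer account'
    if (Test-ComputerSecureChannel -Repair -Credential $cred @target) {
        return 'Secure channel repaired.'
    }

    # Fallback: reset the machine account password, then test again.
    Reset-ComputerMachinePassword -Credential $cred @target
    if (Test-ComputerSecureChannel @target) {
        return 'Machine password reset; secure channel is healthy now.'
    }

    throw 'Secure channel is still broken. Remove the PC from the domain and join it again.'
}

# Usage, from an elevated prompt on the affected PC:
# Repair-DomainSecureChannel -DomainController 'myserver'
```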
Key Distribution Center (KDC) cannot find a suitable certificate – see KDC (Key Distribution Center) cannot find a suitable certificate
local group policy – see group policy editor (local)
gpedit.msc
secpol.msc
lusrmgr.msc
multiple accounts with name [email protected] of type DS_USER_PRINCIPAL_NAME – try
ldifde -f check_UPN.txt -d "dc=yourdomain,dc=net"
or
ldifde -f check_UPN.txt -t 3268 -d "" -l userPrincipalName -r "[email protected]" -p subtree
"Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again." – especially when trying to join a PC to a domain
best: disconnect the Ethernet cable, reboot, stick the cable in and try again
not so good: from a command prompt, type:
net use * /del
this isn’t enough. But it does seem to find and kill some connections. This command removes any mappings/connections that were statically made on the workstation to the server. Use login scripts to map drives, including /persistent:no at the end of the net use command, so they won't be cached.
name of the computer you're on - see also rename computer
hostname
name of the domain you're on -
systeminfo | findstr /B /C:Domain
or, of course, just
systeminfo
and look for the domain name
name servers (DNS) – see IP Address, find
Displays the names registered locally by NetBIOS applications such as the server and redirector. The output of this is a little strange. Once, I was looking for duplicate IPs. I ran the above command per the error message’s suggestion
nbtstat -n
and got:
Local Area Connection 2:
Node IpAddress: [192.168.254.206] Scope Id: []
NetBIOS Local Name Table
Name Type Status
------------------------------------
MAIL3 <00> UNIQUE Registered
MYDOMAIN <00> GROUP Registered
MYDOMAIN <1C> GROUP Registered
MAIL3 <20> UNIQUE Registered
Local Area Connection:
Node IpAddress: [192.168.254.6] Scope Id: []
NetBIOS Local Name Table
Name Type Status
------------------------------------
MAIL3 <00> UNIQUE Registered
MYDOMAIN <00> GROUP Registered
MYDOMAIN <1C> GROUP Registered
MAIL3 <20> UNIQUE Registered
Other variants on this command are
nbtstat -r
Which gives similar output
NetBIOS Names Resolution and Registration Statistics
----------------------------------------------------
Resolved By Broadcast = 1860
Resolved By Name Server = 0
Registered By Broadcast = 8
Registered By Name Server = 0
NetBIOS Names Resolved By Broadcast
---------------------------------------
TIMBXP <00>
THEZDRIVE
THEZDRIVE
BRAD-PC <00>
TIMBXP <00>
TANNER-WIN7 <00>
THEZDRIVE
THEZDRIVE
As you can see, there are at least a couple apparent duplicates. So I focus on 000000C55FBE. I pinged, and it resolved to
Pinging TIMBXP [192.168.0.90] with 32 bytes of data:
Reply from 192.168.0.90: bytes=32 time=1ms TTL=64
I recognize it as a PC and unplug its Ethernet, and run “nbtstat -n” again and get the same thing! So it appears to simply hold a stash of recently resolved requests. Whether or not the devices are still present seems irrelevant. Also, just ’cause you see an entry there twice doesn’t mean there really are two such or any duplicate. It probably means the same device made 2 inquiries recently.
Then there’s
nbtstat -c
This option shows the contents of the NetBIOS name cache, which contains NetBIOS name-to-IP address mappings. It gives something like this:
Local Area Connection 2:
Node IpAddress: [192.168.0.206] Scope Id: []
NetBIOS Remote Cache Name Table
Name Type Host Address Life [sec]
-----------------------------------------------------
BRAD-PC <00> UNIQUE 192.168.0.41 370
TANNER-WIN7 <00> UNIQUE 192.168.0.52 232
TIMBXP <00> UNIQUE 192.168.0.74 325
Local Area Connection:
Node IpAddress: [192.168.0.6] Scope Id: []
No names in cache
Then
nbtstat -s
and
nbtstat -S
are supposed to give different results. “s” is supposed to list the NetBIOS sessions table converting destination IP addresses to computer NetBIOS names whereas “S” is supposed to list the current NetBIOS sessions and their status, with the IP address. But they both yield
Local Area Connection 2:
Node IpAddress: [192.168.0.206] Scope Id: []
No Connections
Local Area Connection:
Node IpAddress: [192.168.0.6] Scope Id: []
No Connections
so not sure about the supposed difference
netdiag – command-line diagnostic tool that helps isolate networking and connectivity problems by performing a series of tests to determine the state of your network; a client support tool that is part of Windows Server 2003. On disk 1, go to \support\tools\ and double-click suptools.msi
can also run netdiag /fix
netdiag hangs – use the “-v” option for verbose to find out where it dies
network - see IP Address, Find
start, run, command,
netsh
At the netsh prompt, type
netsh> diag
and press enter (must be something else; “command not found”). Type gui and press enter.
See IP address, find
ntdsutil.exe to transfer or seize FSMO roles to a domain controller.
Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being transferred. Recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer Schema master or Domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being transferred.
Well, I wanted to transfer some roles from a 2003 server to a 2008. But since this dang command below doesn’t even work on 2008, I was forced to try it on 2003.
Click Start, click Run, type ntdsutil in the Open box, and then click OK. This worked OK. Brought up a nice “C:\WINDOWS\system32\ntdsutil.exe:” prompt.
Type roles, and then press ENTER. So far, so good. Brings up “fsmo maintenance:” prompt.
Note To see a list of available commands at any one of the prompts in the Ntdsutil utility, type ?, and then press ENTER.
Type connections, and then press ENTER. Still OK. Brings up “server connections:” prompt.
Type
connect to server servername
and then press ENTER, where servername is the name of the domain controller you want to assign the FSMO role to. Well this is where it came to a screeching halt. I got
Binding to servername2 ...
Ldap_bind_sW failed with 0x51(81 (Server Down).
Even though the server wasn’t really down. But when I tried another server:
server connections: connect to server servername3
I got:
Disconnecting from server1...
Binding to server3
Connected to server3 using credentials of locally logged on user.
server connections:
At the server connections prompt, type q, and then press ENTER.
Type transfer role, where role is the role that you want to transfer. For a list of roles that you can transfer, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to transfer the RID master role, type transfer rid master. The one exception is for the PDC emulator role, whose syntax is transfer pdc, not transfer pdc emulator.
At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.
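The same transfer done with the ActiveDirectory PowerShell module instead of ntdsutil: an added example, not part of the original notes, and a swapped-in technique rather than the procedure above. It checks LDAP reachability first, because the “Server Down” (0x51) message above is an LDAP bind failure, and it compares the role holders before and after. It assumes the ActiveDirectory module (RSAT) is installed and that Test-NetConnection is available (Windows 8.1 / Server 2012 R2 or later); the function names are made up for illustration.

```powershell
# Added example, not from the original notes. Uses the ActiveDirectory module
# in place of ntdsutil; Get-FsmoHolders and Move-FsmoRole are illustrative names.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Forest-wide roles come from Get-ADForest, per-domain roles from Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)][string] $TargetDc,   # DC that should receive the role(s)
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster', 'DomainNamingMaster', 'PDCEmulator',
                     'RIDMaster', 'InfrastructureMaster')]
        [string[]] $Role
    )

    # A failed LDAP bind is what ntdsutil reports as "Server Down", so test TCP 389 first.
    if (-not (Test-NetConnection -ComputerName $TargetDc -Port 389 -InformationLevel Quiet)) {
        throw "Cannot reach LDAP (TCP 389) on $TargetDc. Check name resolution and firewalls before transferring."
    }

    $before = Get-FsmoHolders

    # Graceful transfer only; -Confirm makes the cmdlet ask before each role moves.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Role -Confirm

    # Report what actually changed instead of trusting the absence of an error.
    $after = Get-FsmoHolders
    foreach ($r in $Role) {
        [pscustomobject]@{
            Role     = $r
            Before   = $before[$r]
            After    = $after[$r]
            OnTarget = ($after[$r] -like "$TargetDc*")
        }
    }
}

# Usage, as a member of Domain Admins (Enterprise Admins for the two forest roles):
# Move-FsmoRole -TargetDc 'servername3' -Role RIDMaster, PDCEmulator
```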
password complexity, enable/disable password must meet complexity requirements
Group Policy Management (gpmc.msc) → find your domain there → right click Default Domain Policy → edit (brings up a new window) → Computer Configuration → Windows Settings → Security Settings → Account Policies → Password Policy
policy analyzer tool - see also Advanced Group Policy Management (AGPM)
Compare two (or more) group policies. Export group policies by backing them up from Group Policy Manager (GPM). Each policy you back up gets a whole directory named by some sort of a GUID. But that GUID has no relationship to the policy's GUID. Rather, I think these GUIDs come somehow from how each is stored in GPM
author Arnaud Loos' Introduction to Microsoft Policy Analyzer
download - this Microsoft Security Compliance Toolkit 1.0 offers 6 different components to download. All we care about is PolicyAnalyzer.zip and ignore the other 5.
recycle bin - Tools → Active Directory Administrative Center or
dsac.exe
Navigate to "yourDomain(local)" → Deleted Objects
netdom renamecomputer WIN-IAKDINN28SU /newname:HV0
RSAT (Remote Server Administration Tools)
For Windows 10 version 1903 and later, need to go to Deploy RSAT (Remote Server Administration Tools) for Windows 10 v1903 using SCCM (System Center Configuration Manager) and Powershell and run Install-RSATv1809v1903.ps1 (download)
secure channel, change - see trust, change secure channel
time, where is a server in the domain getting its from?
From a command line
nltest /dsgetdc:yourdomain /timeserv
should return something like
DC: \\MYPRIMARYDC
Address: \\192.168.0.1
Dom Guid: 6fac954e-21ad-4404-bd04-91ee5f82f02a
Dom Name: yourdomain
Forest Name: yourdomain.net
Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_FOREST CLOSE_SITE FULL_SECRET WS
The command completed successfully
The result indicates that my client is getting its time from MYPRIMARYDC. Or at least should be. This command doesn’t guarantee that MYPRIMARYDC is up or reachable. For that I can use a different NLTEST command
nltest /server:MYPRIMARYDC /query
should return something like
Flags: 0
Connection Status = 0 0x0 NERR_Success
The command completed successfully
To make sure it’s working, from a command line
w32tm /monitor
should return something like
MYPRIMARYDC.yourdomain.com[192.168.0.1:123]:
ICMP: 0ms delay
NTP: +0.0005605s offset from yourserver.yourdomain.com
RefID: ntp1.usno.navy.mil [192.5.41.41]
Stratum: 2
And it might list more than just the one server if you have multiple domain servers. The PDC should look outside (ntp1.usno.navy.mil in the case above), the other DCs should look to the PDC.
To find out the method – whether it looks to your domain controller or outside on its own – look in:
HKLM\System\CurrentControlSet\Services\W32Time\Parameters\Type
If Type is set to Nt5DS then the member machine should be checking with the domain controller for its time. If Type is set to NTP it will be checking on its own. You can also find this setting from command line:
w32tm /dumpreg /subkey:parameters
to get something like
Value Name Value Type Value Data
------------------------------------------------------------
ServiceDll REG_EXPAND_SZ %systemroot%\system32\w32time.dll
ServiceMain REG_SZ SvchostEntry_W32Time
ServiceDllUnloadOnStop REG_DWORD 1
Type REG_SZ NT5DS
NtpServer REG_SZ time.windows.com,0x9
Or perhaps:
reg query hklm\System\CurrentControlSet\services\W32Time\Parameters
to get something like
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\W32Time\Parameters
ServiceDll REG_EXPAND_SZ %systemroot%\system32\w32time.dll
ServiceMain REG_SZ SvchostEntry_W32Time
ServiceDllUnloadOnStop REG_DWORD 0x1
Type REG_SZ NT5DS
NtpServer REG_SZ time.windows.com,0x9
Or just:
reg query hklm\System\CurrentControlSet\services\W32Time\Parameters /v ntpserver
to get something like
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\W32Time\Parameters
NtpServer REG_SZ time.windows.com,0x9
To just get which server the domain controller is using. Notice in the example above, it’s looking outside to time.windows.com. If this is your PDC and it’s not looking outside, then you want to make sure it’s looking outside somewhere to get the right time:
w32tm /config /manualpeerlist:time.windows.com /syncfromflags:manual /reliable:yes /update
As an aside, you can open up group policy editor (gpedit.msc) and go to Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers where you’ll see how to configure Windows NTP settings. But recall that, if you’re in a domain, you probably want to use NT5DS rather than NTP. So, if everything’s “not configured”, probably want to leave it that way.
time, manually set domain client computers’ – NET TIME /DOMAIN: /SET
time server, set primary domain controller to look outside – from here
in Registry editor:
HKLM\System\CurrentControlSet\Services\W32Time\Parameters\Type
Set this Value to NTP; all other “lesser” domain controllers should be set to Nt5DS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags
In the right pane, right-click AnnounceFlags, and then click Modify.
In Edit DWORD Value, type 5 in the Value data box, and then click OK
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
In the right pane, right-click NtpServer, and then click Modify.
In Edit Value, type Peers in the Value data box, and then click OK.
Note Peers is a placeholder for a space-delimited list of peers from which your computer obtains time stamps. Each DNS name that is listed must be unique. You must append ,0x1 to the end of each DNS name. If you do not append ,0x1 to the end of each DNS name, the changes will not take effect.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval
In the right pane, right-click SpecialPollInterval, and then click Modify.
In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.
Note TimeInSeconds is a placeholder for the number of seconds that you want between each poll. A recommended value is 900 Decimal. This value configures the Time Server to poll every 15 minutes.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxPosPhaseCorrection
In the right pane, right-click MaxPosPhaseCorrection, and then click Modify.
In Edit DWORD Value, click to select Decimal in the Base box.
In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.
Note TimeInSeconds is a placeholder for a reasonable value, such as 1 hour (3600) or 30 minutes (1800). The value that you select will depend upon the poll interval, network condition, and external time source.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPhaseCorrection
In the right pane, right-click MaxNegPhaseCorrection, and then click Modify.
In Edit DWORD Value, click to select Decimal in the Base box.
In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.
Note TimeInSeconds is a placeholder for a reasonable value, such as 1 hour (3600) or 30 minutes (1800). The value that you select will depend upon the poll interval, network condition, and external time source.
at the command prompt
net stop w32time && net start w32time
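A check of the settings covered in the two time entries above (where a machine gets its time, and pointing the PDC outside): an added example, not part of the original notes. Test-W32TimeConfig takes the registry values as parameters, so it can be run on constructed input as well as on the live registry. Function and parameter names are made up for illustration; the peer ntp.example.net in the sample is constructed.

```powershell
# Added example, not from the original notes. Function and parameter names are
# illustrative; the registry values checked are the ones described above.
function Test-W32TimeConfig {
    param(
        [Parameter(Mandatory)][bool]   $IsPdc,
        [Parameter(Mandatory)][string] $Type,              # Parameters\Type
        [string] $NtpServer           = '',                # Parameters\NtpServer
        [int]    $AnnounceFlags       = 0,                 # Config\AnnounceFlags
        [int]    $SpecialPollInterval = 0                  # TimeProviders\NtpClient\SpecialPollInterval
    )
    $findings = @()

    if (-not $IsPdc) {
        # Everything except the PDC should follow the domain hierarchy.
        if ($Type -ne 'NT5DS') {
            $findings += "Type is '$Type'; machines other than the PDC should use NT5DS"
        }
        return $findings
    }

    if ($Type -ne 'NTP')            { $findings += "PDC Type is '$Type'; expected NTP so it looks outside" }
    if ($AnnounceFlags -ne 5)       { $findings += "AnnounceFlags is $AnnounceFlags; the procedure sets it to 5" }
    if ($SpecialPollInterval -le 0) { $findings += 'SpecialPollInterval is not set (900 is the recommended value)' }

    # NtpServer is a space-delimited list of name,0xFLAGS entries.
    $peers = @($NtpServer -split '\s+' | Where-Object { $_ })
    if ($peers.Count -eq 0) { $findings += 'NtpServer lists no peers' }

    $seen = @{}
    foreach ($peer in $peers) {
        $name, $flagText = $peer -split ',', 2
        if ($seen.ContainsKey($name)) { $findings += "Peer '$name' is listed more than once" }
        $seen[$name] = $true

        $flags = 0
        try {
            if ($flagText) { $flags = [Convert]::ToInt32($flagText, 16) }
        } catch {
            $findings += "Peer '$name' has an unreadable flag '$flagText'"
            continue
        }
        # 0x9 (as in time.windows.com,0x9) contains the 0x1 bit, so it passes.
        if (($flags -band 0x1) -eq 0) {
            $findings += "Peer '$name' lacks the 0x1 flag the procedure requires"
        }
    }
    return $findings
}

function Get-W32TimeFindings {
    # Live check: read the values from this machine's registry.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
    $p = Get-ItemProperty "$base\Parameters"
    $c = Get-ItemProperty "$base\Config"
    $n = Get-ItemProperty "$base\TimeProviders\NtpClient"
    # Win32_ComputerSystem.DomainRole 5 means primary domain controller.
    $isPdc = (Get-CimInstance Win32_ComputerSystem).DomainRole -eq 5
    Test-W32TimeConfig -IsPdc $isPdc -Type $p.Type -NtpServer $p.NtpServer `
        -AnnounceFlags $c.AnnounceFlags -SpecialPollInterval $n.SpecialPollInterval
}

# Constructed sample: a PDC left on NT5DS, with one peer missing its flag.
Test-W32TimeConfig -IsPdc $true -Type 'NT5DS' -AnnounceFlags 10 -SpecialPollInterval 900 `
    -NtpServer 'time.windows.com,0x9 ntp.example.net'
```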
time server, how far out of sync are various domain servers from the primary domain controller
C:\>w32tm /monitor
“Time service has not synchronized the system time” error (event ID 36)
What happens if you get event ID 36? It might say something like, “The time service has not synchronized the system time for 86400 seconds because none of the time service providers provided a usable time stamp. The time service will not update the local system time until it is able to synchronize with a time source. If the local system is configured to act as a time server for clients, it will stop advertising as a time source to clients. The time service will continue to retry and sync time with its time sources. Check system event log for other W32time events for more details”. You might try:
w32tm /resync
to force an instant time synchronization. If you get
Sending resync command to local computer
The computer did not resync because no time data was available.
Then problems.
w32tm /config /manualpeerlist:time.windows.com /syncfromflags:manual /reliable:yes /update
If this is not your PDC but instead a client, then you can try
PS C:\Users\administrator.YOURDOMAIN> w32tm /config /syncfromflags:domhier /reliable:yes /update
The command completed successfully.
to configure a client computer for automatic domain time synchronization
trust, change secure channel –
nltest /sc_reset:<DomainName>[\<DcName>]
- Reset secure channel for <Domain> on <ServerName> to <DcName> - no space between the DomainName and the “\DcName”
“Windows cannot obtain the domain controller name for your computer network userenv error (An unexpected network error occurred. ). Group Policy processing aborted.”
Error:
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1054
Date: 30/03/2009
Time: 14:14:20
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred. ). Group Policy processing aborted.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp
Solution:
Create a registry file with the following code (userenvfix.reg):
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GpNetworkStartTimeoutPolicyValue"=dword:0000003c
"GroupPolicyMinTransferRate"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GroupPolicyMinTransferRate"=dword:00000000
Run userenvfix.reg to import the changes in the registry and restart the server.
Explanation
A network connectivity or configuration problem exists. Group Policy settings cannot be applied until the problem is fixed.
User Action
To troubleshoot the network connectivity or configuration problem, try one or all of the following:
- In Event Viewer, click System, and check for any networking-related messages, such as Netlogon messages, that indicate a network connectivity issue.
- At the command prompt, type netdiag, and note any errors. Those errors usually have to be resolved before Group Policy processing can continue.
- At the command prompt, type gpupdate, and then check Event Viewer to see if the Userenv 1054 event is logged again.
- To verify that the domain controller can be contacted through Domain Name System (DNS), try to access \\mydomain.com\sysvol\mydomain.com, where mydomain.com is the fully qualified DNS name of your domain.
- Verify that you can access the domain controller by using tools such as the Active Directory Users and Computers snap-in.
- Check to see whether other computers on your network are having the same problem.
- If this computer is a part of a cross-forest domain, verify that the forest for the user account is currently available and can be contacted by the computer on which the Group Policy processing failed.
Windows cannot change the password – see password, Windows cannot change, User Accounts, more settings and then click Reset Password...
“Windows cannot bind to yourcompany.com domain. (Local Error). Group Policy processing aborted” – UserEnv event ID # 1006 see Group Policy problem
“Windows cannot connect to the domain either because the domain controller is down or otherwise unavailable, or because your computer account was not found. Please try again later. If this message continues to appear contact your System Administrator for assistance.”
This error is received even though the computer account for the workstation and user account for the user both exist.
This error may appear when a PC is replaced with another computer with the same computer name without first deleting the duplicate computer name from the Active Directory domain before joining the new workstation to the domain with the same duplicate name.
The funny part is that the symptom may either appear immediately at the first try, or even after a few successful logons.
The cause of the error is usually related to security identifier (SID) issues. Another possible cause for the error is that the computer account for the workstation was accidentally deleted from the Active Directory domain.
Another common cause for the error is using Norton Ghost or any other similar disk cloning software. This happens when the administrator has cloned one XP machine and reproduced it to many other new computers without first using and running Microsoft's SYSPREP utility (read more on that in a different article).
The resolution to the above error is:
- Login to the Windows Server 2003 Domain Controller, open DSA.MSC (Active Directory Users and Computers) and delete the computer account object from the domain.
- Login to the Windows XP workstation as a local administrator. If you cannot logon as local administrator, try to disconnect the network cable and login to the computer by using a domain administrator user that was used to logon on the PC before. This will be made possible because of the cached logon credentials feature that remembers the last 10 successful logons.
- Go to Control Panel, then click on System icon, then go to Computer Name tab. You can also do this by right-clicking My Computer, and then Properties or by pressing the Windows logo key and Break.
- Remove the computer from the domain by clicking on “Change”. You should see that Domain button is now selected. Remember your domain name in the text box. Select the “Workgroup” radio button to remove the computer from the domain, and put any workgroup name in the text box (e.g. workgroup).
- Click OK to exit and reboot the computer.
- After the computer restarts, go back to Control Panel > System > Computer Name tab, and click Change.
- Rejoin the domain by checking the Domain button. Enter the domain name noted in step 4.
- You might be prompted to enter the credentials of one of the Domain Admin users. This can be bypassed if one of the Domain Admins manually creates a computer account in Active Directory Users and Computers for the workstation you're about to join.
- Click OK to exit.
- Reboot the PC.
29 Event ID – see KDC (Key Distribution Center) cannot find a suitable certificate
36 Event ID – “Time service has not synchronized the system time for 86400 seconds because none of the time service providers provided a usable time stamp” – see Time service has not synchronized the system time
4319 Event ID – “A duplicate name has been detected on the TCP network. The IP address of the computer that sent the message is in the data. Use nbtstat -n in a command window to see which name is in the Conflict state.” – see duplicate name has been detected on the TCP network, nbtstat. So far, I’ve found that command to be completely worthless to solve this problem. According to here, There could be several reasons