Error: DCDIAG report “Invalid service startup type: NtFrs”

On a new Windows 2012 R2 Domain Controller on a 2008 forest level with SYSVOL already migrated to DFS, I had this error running DCDIAG:

Starting test: Services
Invalid service startup type: NtFrs on DCO01, current value
DISABLED, expected value AUTO_START
NtFrs Service is stopped on [DCO01]

Starting test: VerifyReferences
Some objects relating to the DC DCO01 have problems:
[1] Problem: Missing Expected Value
Base Object:
CN=DCO01,OU=Domain Controllers,DC=mydomain,DC=local
Base Object Description: “DC Account Object”
Value Object Attribute Name: frsComputerReferenceBL
Value Object Description: “SYSVOL FRS Member Object”
Recommended Action: See Knowledge Base Article: Q312862
……………………. DCO01 failed test VerifyReferences

Every thing is working fine (at least on my DC), it’s only an incorrect error detection from DCDIAG:

On the DC with this issue I had DCDIAG.EXE version 6.3.9600.16384
Updating it with KB2919355 the DCDIAG version jumped to 6.3.9600.17031


ERROR: dcdiag warning on userAccountControl

On a new build-up DC, running dcdiag I found this problem:

Starting test: MachineAccount
Warning:  Attribute userAccountControl of myDC is:
Typical setting for a DC is
This may be affecting replication?

Using ADUC with “Advanced Features” enabled, on “Attributes Editor” you can change userAccountControl for your DC’s Computer Object

UserAccountControl values:
Typical user : 0x200 (512)
Domain controller : 0x82000 (532480)
Workstation/server: 0x1000 (4096)


How to Find which DC is pruning your printer queues

When you publishing printer queues on Active Directory, by default the printer spooler save the shared printers info as object inside the printserver computer object.

On DC (generally the site DC of the printserver) by default is running a printers pruning; this job check if the printserver is reachable and if the printer is still shared and if not, delete the printQueue object from AD.

  • Printserver publish by default the printers only at startup (if you what to force the printer publishing just restart the printspooler service)
    This Setting is managed by “Computer Configuration / Administrative Templates / Printers / Check Published State”
  • Dc try to contact the prinserver/printer for 3 time every 8 hours. If for 3 time the prinserver/printer is not reachable then will be unpublished.
    This Setting is managed by “Computer Configuration / Administrative Templates / Printers / Allow Pruning of Published Printers”, “Directory Pruning Interval”, “Directory Pruning Retry”
“The Print Pruner is a thread that runs under the spooler context on all DCs. It
uses ADSI calls ( ADsGetObject, IID_IDirectorySearch->ExecuteSearch) to get the
list of all the printQueue servers in the AD.
To check whether the server is in same site it uses Winsock call (gethostbyname)
and other net APIs (DsAddressToSiteNames,DsGetDcSiteCoverage).
To check if the print queue\print server availability it uses OS APIs
(NetServerGetInfo, OpenPrinter,GetPrinter).
So all the work by pruner is done using ADSI, WinSock and OS functions.”


Can happen that for some firewall/network misconfiguration, a DC start to pruning some/every published print queues on regular basis. To find which DC is making too much cleaning, we first try to find the deleted printQueue object:

Find deleted Object

  1. Run ldp.exe as Domain Admin.
  2. On “Connection” menu click “Connect”. You can leave the server name black to connect to the DC on your site.
  3. On “Connection” menu click “Bind”
  4. On “Browse” menu click “Search”. Select the “Base DN” of the domain where you want to retrive tombstones. In “Filter” box use filter “(objectclass=printQueue)”. Under “Scope” select “Subtree”. Click “Options” and under “Search Call Type” select “Extended”. Then add “1.2.840.113556.1.4.417” on “Active Controls” using “Check in”.
  5. Close “Search Options” and on “Search” dialog box, click “Run”
  6. On results, find your deleted printer and copy the CN of the deleted printQueue:



Find origin of change

Then using repadmin you can find from where this object was updated:

repadmin /showobjmeta [myDC] [CN of object]




How to solve Know Issue on MS16-072

Microsoft release MS16-072: Security update for Group Policy: June 14, 2016

MS16-072 changes the security context with which user group policies are retrieved. This by-design behavior change protects customers’ computers from a security vulnerability. Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the computer’s security context.

The issue was that all user Group Policy, including those that have been security filtered on user accounts or security groups, or both, may fail to apply on domain joined computers if the Group Policy Object is missing the Read permissions for the Authenticated Users group or if you are using security filtering and are missing Read permissions for the domain computers group.

To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of the following steps:

  • Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
  • If you are using security filtering, add the Domain Computers group with read permission.


Doing that manually it’s a nightmare… but powershell can help. With this script you can deploy ‘Read’ permission for “Authenticated Users” on all GPOs or only where needed because “Domain Computers” group with ‘read’ permission and/or it’s a “Per-User Setting” GPO. If you what to be restrictive, enable -checkDomainComputer and -checkPerUserSetting.


How to send email to users with approacing password expiration

I created and scheduled a script for send email when the user password expiration is approaching.

We are on a international company, so this script have an option to specify a file where the mail body is written in the appropriate language and with the appropriate info.

Here the parameters of Send-PasswordNotify.ps1:

  • notificationGroup: it’s the Active Directory group the have the users that should receive the password expiry notification.
  • emailBodyFile: the text file that contain the body of email (the default option is mailbox.txt).
  • logFile: This is a Boolean option. If $True a log file (Send-PasswordNotify.log) is created. By default is $False. You can change the path of logfile at line 51
  • eventLog: This is a Boolean option. If $True an entry on eventlog (Scripts) is written. By default is $True.
    NOTE: You should enable/create the eventlog running this command once:

    New-EventLog -LogName "Scripts" -Source Send-PasswordNotify

    You can change the eventlog where send the info atn line 49. If you change the eventlog, remember also to enable it for this script with the command above. Example: New-EventLog -LogName “Application” -Source Send-PasswordNotify

On Send-PasswordNotify.ps1 at lines 43-51 you can fine the parameters that you can adjust, like days before the expiration, smtp server, etc.

Copy Send-PasswordNotify.ps1 and mailbox.txt on the same folder.


Error:The DFS Replication service detected a conflict between two or more nTDSConnection objects while polling for configuration information

I had this warning on a bad wan connected DC:

Log Name: DFS Replication
Source: DFSR
Date: 30/03/2016 02:27:44
Event ID: 6004
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: [ServerName]
The DFS Replication service detected a conflict between two or more nTDSConnection objects while polling for configuration information. The DFS Replication service resolved the conflict between CN=1a46e70a-b0f5-410f-afdd-7049b1685292,CN=NTDS Settings,CN=MyDC,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=Domain,DC=Local, CN=b1f0fddb-18cc-459a-9891-15458f6c9a06,CN=NTDS Settings,CN=MyDC,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=Domain,DC=Local, CN=b377e129-e214-4c52-bbe8-867686db3cb7,CN=NTDS Settings,CN=MyDC,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=Domain,DC=Local, CN=c037d3d8-16cb-4ede-bf82-c2c72c025ea5,CN=NTDS Settings,CN=MyDC,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=Domain,DC=Local, CN=82dff205-bc51-4f00-bf18-c47e96215608,CN=NTDS Settings,CN=MyDC,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=Domain,DC=Local by using CN=ee5b0d6a-d843-48e5-8d8c-b3164dfa4b1a,CN=NTDS Settings,CN=MyDC,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=Domain,DC=Local.

This error means that there are some connection objects conflicting. To solve it run ADSI Edit and connect to “Configuration” naming context


and delete the connection objects listed in the event where the conflict was detected, making sure to leave the object after “by using” in place because it’s the working connection.

Right click on connection object:

CN=1a46e70a-b0f5-410f-afdd-7049b1685292,CN=NTDS Settings,CN=MyDC,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=Domain,DC=Local

and delete it.

Repeat the process for any additional connection object on eventlog.