Find domain controller in use

Hi,
is it possible to get info from a SharePoint 2010 server on what domain controller it uses to authenticate users?
The SharePoint server doesn't get updates on AD user group members, so new users do not get access to sites when they are added to AD groups that should give them access...
jik

Make sure Active Directory Sites and Service is configured with the subnet that SharePoint resides on mapped to the nearest Site, which should contain one or more domain controllers.
Other than that, you would need to take network traces or enable login auditing on the Domain Controllers. SharePoint will pick one at random (unless there is only one DC in the Site).
Trevor Seward
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

Similar Messages

  • Unable to find domain controller for the specified domain. Please explicitly specify the domain controller.

    I'm getting the error "Unable to find domain controller for the specified domain. Please explicitly specify the domain controller." when I try to create an AD connection for my User Profile Service. The entire SharePoint environment is installed
    on one server. That server has everything on it, AD, SQL, SharePoint, and it's the domain controller. I can't figure out why this will not identify?
    Trevor Fielder

    Hi,
    Did you get this error when clicking on the Populate Containers button?
    If yes, please make sure that you have provided the domain credentials in the account name and password
    boxes below when entering the domain information. The account must be granted the Replicating Directory Changes permission on the domain.
    You can refer to this blog:
    http://www.harbar.net/articles/sp2010ups.aspx
    Xue-Mei Chang

  • Domain controller VMs using dynamic VHDx corrupt after power failure

    Over the past couple of months I have experienced 4 dead 2008 R2 SP1 domain controllers after power failure on Hyper-V 2012 hosts. The domain controller VMs will start after power failure and have varying degrees of file system corruption. In each instance
    the corruption has rendered the domain controller unusable. The problem has not occurred with every power failure, but in testing the failure rate has been over 10%.
    The Hyper-v 2012 hosts are as follows:
    Dell PowerEdge r720 with flash backed write cache on Raid controller
    Dell PowerEdge T710 with battery backed write cache on Raid controller
    Dell PowerEdge T310 with a single SATA hard drive and write cache disabled
    Generic system with a single SATA hard drive and write cache disabled
    The VM configuration experiencing corruption is as follows:
    Each VM was created from a base 2008 R2 SP1 syspreped VHDx image template file (40 Gigs)
    The image template was originally created as a VHD and was then converted to a VHDx
    The VHDx file has 512k sectors instead of the native 512e of VHDx files (a result of VHD - VHDx conversion)
    Each VM was assigned 1024 Meg RAM and 1 virtual processor
    The domain controllers were created by promoting the base 2008 r2 install to a DC after base image deployment
    Only one corrupt VM was not running the 2012 integration components. The rest were running current 2012 integration components
    I have done extensive testing on this issue and the problem for me seems to revolve around the VHDx file format. I have managed numerous Hyper-v installations since the original 2008 server version was released and I have never seen corruption like this
    until 2012 and VHDx.
    For the past few days I have been testing fixed sized VHD VMs on a 2012 host and I have not been able to reproduce the data corruption issue. I seem to only be able to reproduce the problem when using dynamic VHDx files. I have not done any testing on 2012
    hosts with fixed size VHDx files or dynamic VHD files.
    It would be great to hear from anybody else experiencing similar issues so that we can compare notes and hopefully get to the bottom of this problem.

    To be honest I was excited to see this fix released, but there are two problems.
    1. The hotfix causes BSOD if you have VLANs with a teamed NIC configuration. I found this out the hard way on a production system. How in the world did this thing get through testing and into automatic updates?
    2. The hotfix does not seem to resolve the issue in my test environment.
    I opened up a case with support and they informed me that they would not provide support for this issue and that I had to open a case with premier support. Premier support informed me that I cannot open a case with them unless I sign a $50,000 per year service
    contract. Is there anywhere to get support on this issue?

  • Certificate Authority cannot find domain controller

    I recently started working for a company that has an offline CAROOT server and an online CASUB server. Prior to my arrival, the old 2008 DCs were replaced with new 2012 DCs, in a proper upgrade. After the new DCs worked, the old ones were demoted, shut down
    and eventually deleted.
    Unfortunately, it looks like one of the things that was missed was the re-jigging of the certificate authority to the new domain controller(s), such that after a few months, the CDP Locations have expired (they point at the correct location, the CASUB server).
    When I check the Manage AD Containers entry, I can see that the RootCA is now showing as "Untrusted Root" and all the entries in the CDP Container show as Expired.
    Is there an easy way to repair this (the old DCs can not be spun up again, they are gone), or will I need to set up an all new certificate infrastructure?
    We use certificates to determine what workstations are allowed on the network infrastructure (the Cisco switch ports exa, while workstations currently have unexpired certificates, they can still access the network, but when they start to expire, we will
    have workstations unable to connect to the network.
    I am fairly new to managing certificates and authorities.

    Hi Michael,
    the CDP Locations have expired (they point at the correct location, the CASUB server).
    You can publish a new CRL by right click on Revoked Certificates container.
    More information for you:
    How to Publish New Certificate Revocation List (CRL) from Offline Root CA to Active Directory and Inetpub
    http://social.technet.microsoft.com/wiki/contents/articles/19160.how-to-publish-new-certificate-revocation-list-crl-from-offline-root-ca-to-active-directory-and-inetpub.aspx
    Specify CRL Distribution Points
    https://technet.microsoft.com/en-us/library/cc753296.aspx
    Best Regards,
    Amy
    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • What is the most appropriate way to generate a static IPv6 for a domain controller?

    DNS Role Best Practices is giving errors. Looks like I need to assign ONE static IPv6 to each domain controller and use IT in DNS and DHCP. There are two routers on the network, each assigning a 2002: IP, plus a link local FE80: IP is also assigned.
    Is there a way to generate a static IPv6 for domain controllers that will not change even if the network cards or routers are changed?
    What is the best practice so that domain integrated DNS and DHCP with Exchange 2010 in the domain, will continue to function?
    There is ambiguous information as to whether DC's should have static or dynamic IPv6 IPs. I have tried variations such as IPv4 compatible. IPv4 mapped, ISATAP, etc. but over time have gotten different errors from different sources.
    It is one thing for Microsoft to give error messages about IPv6 but I cannot find any definitive recommendations on this.
    Thanks if anyone finds a universal answer.
    Bob.

    Excellent and valid points, Bob. Your outlook explains in an easy way how the challenges setting up Windows Server are in a sense, self-generated, and in every sense fully avoidable.
    No changes have been made to the warnings or errors in 2013 R2 despite improvements in other areas. This release mainly brought improvements to the setup in areas that were truly broken like automatic account generation for ADFS. Since that's a decade old
    feature it's probably best not to wait for Microsoft to clarify, and I appreciate your recommendations.
    I'm bumping this thread since it's the first result for 192.168.1.1 on ipv6 on Google right now, and since there's no way to see how often it's being referenced I wanted to add some additional information.
    Multiple NIC's can be specified by using the scope ID parameter supported since Vista, that appears as a percent-sign at the end of IPv6 addresses. It uniquely identifies the network adapter even when that adapter shares the same host portion of the IPv6
    address space (i.e. essentially, has the same IP, which in IPv4 is invalid.) I'll give some examples at the end of the post.
    Following the recommendation to deprecate the fec0 prefix while maintaining a link-local addressing scheme is possible through the prefix length at the beginning of the IPv6 address. As
    this reference at IBM explains, fe80:: maps to a link-local prefix length of 64 equivalent to the IPv4 version of 24, and anything else before the double-colon refers to the network portion of the IPv6 address.
    The host portion of the IP address then _could_ be ::20, ::21, etc., as you said, but to follow
    this MSDN recommendation, it would be more appropriate to use the same host portion and add a suffix for the scope ID documented on that page. The suffix may be specific to Windows
    and may not work in an equivalent way in heterogeneous platform deployments. But since the effect is limited to the local machine it should help anything past XP differentiate NICs when assigned the same host portion.
    The approach taken in the random IPv6 generator linked elsewhere on this page leaves open the possibility, however unlikely, that the generated IP can route to some other host on an open network that happens to have generated the same network portion of
    the address (the other host would be sharing the same network.) If any part should be random, it's the host portion after the double-colon, not the network portion at the beginning, so that the possibility does not exist.
    Additionally, the host portion doesn't have to be random, it's just done that way because it's usually automatically generated; a random number is safer for a computer than relying on a sequence that may not fully cover all the numbers used so far. If you're
    doing a manual deployment you can combine the above information with the inline 0-suppression in IPv6 to assign numbers in the following way:
    fe80::1:1%1 (first computer is 1:1, first interface is %1)
    fe80::1:1%2 (second interface)
    fe80::1:2%1 (second computer, first interface)
    Effectively here we're swapping "192.168.1" for "fe80::1" which is roughly the same length (taking into account variations like 10.0.0). The only gotcha is that _either_ the string after the double-colon can't be 1 by itself since that's
    reserved for local machine loopback, _or_ that the second-to-last number after the double-colons can't be 0, since that's equivalent due to inline suppression.
    Other combinations are fine, like fe80::2%1 and fe80::2%2 for the first computer, then ::3 for the second, etc. I thought having a 2-index for the first machine is too uncommon to look familiar so I chose the alternative, but even something like fe80::fe%80
    is perfectly fine.
    If you don't need to identify individual NICs then omitting the part after the percent sign makes fe80::10, fe80::11 a valid sequence for 2 computers. For over 255 computers just add another number before the last, so that it looks like fe80::1:10, fe80::1:11,
    etc. That should be easier to remember than the randomly generated numbers.
    There is also another way if the preference is to use IPv4-lookalike addresses. The mapped address spec is defined in RFC 4291 and it goes along the lines of "::ffff:192.168.1.1" for a valid IPv6 address to the gateway, for example. That is a newer
    recommendation than the RFC which the random-number generated linked elsewhere on this page relies on.

  • Local user account is trying to authenticate against domain controller

    Hi all. I am seeing a weird user logon issue on one of my laptops and on another user's PC. Both the laptop and the PC are members of our domain. However, on this particular laptop and PC, we are not logging in with a domain user account;
    rather, we've created a local user account, granted it local admin access, and log in with this local user account. Now, on my domain controller, I am seeing a bunch of account login failure messages, which happen a few times per minute and are filling up
    the domain controller security log. For the laptop, this is a clean build, with a fresh Windows 7 installation, along with MS Office 2010 and a few third-party applications (e.g. Adobe Reader, 7-ZIP, etc). I've checked all group policies to ensure there
    are no services or connections requiring domain credential access that have been applied to this laptop (or the PC). I am not sure why this local user is trying to authenticate to our domain controller. This user account doesn't exist in our domain.
    The only thing I can think of is that Microsoft Outlook 2010 might be doing background authentication against the domain controller using the currently logged-in user account; I just can't confirm this. Has anyone encountered this issue in their environment?
    Thank you.
    Below is a copy of the event.
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          13/06/2014 8:56:27 AM
    Event ID:      4625
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      domaincontroller.mydomain.local
    Description:
    An account failed to log on.
    Subject:
        Security ID:        NULL SID
        Account Name:        -
        Account Domain:        -
        Logon ID:        0x0
    Logon Type:            3
    Account For Which Logon Failed:
        Security ID:        NULL SID
        Account Name:        dummy
        Account Domain:        l-sparet400sc
    Failure Information:
        Failure Reason:        Unknown user name or bad password.
        Status:            0xc000006d
        Sub Status:        0xc0000064
    Process Information:
        Caller Process ID:    0x0
        Caller Process Name:    -
    Network Information:
        Workstation Name:    L-SPARET400SC
        Source Network Address:    192.168.2.181
        Source Port:        60720
    Detailed Authentication Information:
        Logon Process:        NtLmSsp
        Authentication Package:    NTLM
        Transited Services:    -
        Package Name (NTLM only):    -
        Key Length:        0
    This event is generated when a logon request fails. It is generated on the computer where access was attempted.
    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
    The Process Information fields indicate which account and process on the system requested the logon.
    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
    The authentication information fields provide detailed information about this specific logon request.
        - Transited services indicate which intermediate services have participated in this logon request.
        - Package name indicates which sub-protocol was used among the NTLM protocols.
        - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4625</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12544</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2014-06-13T12:56:27.263546000Z" />
        <EventRecordID>299829083</EventRecordID>
        <Correlation />
        <Execution ProcessID="488" ThreadID="640" />
        <Channel>Security</Channel>
        <Computer>domaincontroller.mydomain.local</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-0-0</Data>
        <Data Name="SubjectUserName">-</Data>
        <Data Name="SubjectDomainName">-</Data>
        <Data Name="SubjectLogonId">0x0</Data>
        <Data Name="TargetUserSid">S-1-0-0</Data>
        <Data Name="TargetUserName">dummy</Data>
        <Data Name="TargetDomainName">l-sparet400sc</Data>
        <Data Name="Status">0xc000006d</Data>
        <Data Name="FailureReason">%%2313</Data>
        <Data Name="SubStatus">0xc0000064</Data>
        <Data Name="LogonType">3</Data>
        <Data Name="LogonProcessName">NtLmSsp </Data>
        <Data Name="AuthenticationPackageName">NTLM</Data>
        <Data Name="WorkstationName">L-SPARET400SC</Data>
        <Data Name="TransmittedServices">-</Data>
        <Data Name="LmPackageName">-</Data>
        <Data Name="KeyLength">0</Data>
        <Data Name="ProcessId">0x0</Data>
        <Data Name="ProcessName">-</Data>
        <Data Name="IpAddress">192.168.2.181</Data>
        <Data Name="IpPort">60720</Data>
      </EventData>
    </Event>

    It's the service which is using the account info and authenticating against the DC to obtain a service ticket, and it fails.
    The interesting log section is the NULL SID, which doesn't correspond to any account name.
    Security ID:        NULL SID
        Account Name:        -
        Account Domain:        -
        Logon ID:        0x0
    and the below section explains that the request is made over the network, which is most of the time by the service
    Detailed Authentication Information:
        Logon Process:        NtLmSsp
        Authentication Package:    NTLM
        Transited Services:    -
        Package Name (NTLM only):    -
        Key Length:        0
    The below is assumed to be performed on a client which does not run mission critical production applications which has zero impact when you perform the below actions,
    can you disable
    a) Server service
    b) Workstation service
    c) Disable RPC dependent service and services which depend on RPC and test
    Question:
    What is the level of DC hardening you have in your environment?
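
The triage done by eye on the posted 4625 event can be scripted over a DC's exported Security events. This is an added example, not code from the thread: it decodes Status/SubStatus and flags failures where the account's domain is the workstation's own name, i.e. a machine-local account presented to the DC over NTLM. The first two sample records reuse field values from the posted event; the other two are constructed, and all function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# NTSTATUS codes that commonly appear in the Status/SubStatus fields of 4625.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 10: "RemoteInteractive"}


def make_event(user, domain, sub_status, workstation, ip, event_id=4625):
    """Build a trimmed Security event record (helper for the sample data)."""
    return f"""<Event xmlns="{NS['e']}">
  <System><EventID>{event_id}</EventID></System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="TargetDomainName">{domain}</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">{sub_status}</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp </Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">{workstation}</Data>
    <Data Name="IpAddress">{ip}</Data>
  </EventData>
</Event>"""


SAMPLE_EVENTS = [
    # Field values taken from the event posted in the thread (seen twice).
    make_event("dummy", "l-sparet400sc", "0xc0000064", "L-SPARET400SC", "192.168.2.181"),
    make_event("dummy", "l-sparet400sc", "0xc0000064", "L-SPARET400SC", "192.168.2.181"),
    # Constructed: a domain account with a wrong password.
    make_event("jdoe", "MYDOMAIN", "0xc000006a", "WS-EXAMPLE01", "192.0.2.10"),
    # Constructed: a successful logon (4624) that the parser must skip.
    make_event("jdoe", "MYDOMAIN", "0x0", "WS-EXAMPLE01", "192.0.2.10", event_id=4624),
]


def status_name(value):
    """Translate a hex NTSTATUS string; unknown or empty values pass through."""
    try:
        return NTSTATUS.get(int(value, 16), value)
    except ValueError:
        return value


def parse_4625(xml_text):
    """Return the triage-relevant fields of one 4625 event, or None for other IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4625":
        return None
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    user = data.get("TargetUserName", "")
    domain = data.get("TargetDomainName", "")
    workstation = data.get("WorkstationName", "")
    raw_type = data.get("LogonType", "")
    logon_type = LOGON_TYPES.get(int(raw_type), raw_type) if raw_type.isdigit() else raw_type
    return {
        "account": f"{domain}\\{user}",
        "workstation": workstation,
        "ip": data.get("IpAddress", ""),
        "logon_type": logon_type,
        "auth_package": data.get("AuthenticationPackageName", ""),
        "status": status_name(data.get("Status", "")),
        "sub_status": status_name(data.get("SubStatus", "")),
        # Domain part equal to the client's own name: the credential belongs to
        # the workstation's local account database, not to the AD domain.
        "local_account": bool(domain) and domain.casefold() == workstation.casefold(),
    }


def summarize(xml_events):
    """Count failures per (workstation, ip, account, sub_status, local_account)."""
    counts = Counter()
    for xml_text in xml_events:
        rec = parse_4625(xml_text)
        if rec is not None:
            counts[(rec["workstation"], rec["ip"], rec["account"],
                    rec["sub_status"], rec["local_account"])] += 1
    return counts.most_common()


if __name__ == "__main__":
    for key, count in summarize(SAMPLE_EVENTS):
        print(count, key)
```

Sorting the summary by count shows which workstation and account produce the repeated failures, which is the starting point for finding the service or application on that client that sends the credentials.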

  • How to find which devices are still using affected domain controller

    Hi Everyone,
    We have 5 domain controllers in a site, and we are going to decommission one of our affected DCs in the site.
    Can you please let me know how to find  the log files to see which devices are still using this domain controller.
    Regards,
    Neel kamal

    Neel,
    From strictly an Active Directory perspective, there is nothing special you need to do to decommission a domain controller in a site.  There are many processes that automatically balance out and recreate connections as needed without any user intervention. 
    The DC Locator process will automatically direct clients to active domain controllers, there is nothing you need to do here. 
    What you need to be concerned with are things like the following:
    DNS - Are you running AD integrated DNS and is the DC you are decommissioning hosting that role - if so, is it the ONLY DC in the
    site that is running DNS?  You'll need at least one in the site.
    DHCP server - Is the DC you are demoting a DHCP server?  You'll need to account for that.
    Global Catalog - Is the DC you are demoting a Global Catalog server?  You'll need at least one in the site.
    File Shares - Is the DC hosting any file shares?  You'll need to move those and make sure you redirect your clients.
    Was this DC set as a Preferred Bridgehead Server?  You'll need to undo that first.
    Those are the big ones that come to mind.  Decommissioning a DC is easy if you have prepared properly.  The others that have replied have offered some great advice which you should follow.  Do your homework and you should be fine.
    Hope that helps
    Gary
    Gary G. Gray
     MCP, MCTS, MCITP, MCT Alumni
    Please remember to mark the replies as answers if they are helpful.
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

  • ACL migration Error : 1210 could not find a domain controller for domain "Test Domain" (Old Domain)

    Hi
    We are migrating from old domain to new domain. Before live migration, we are trying to check the ACE/ACL migration through SubInACL. We are running the SubInACL on a cluster, which is a member of the Old Domain (Test Domain). We are able to resolve and
    ping both Old Domain and the New domain from this cluster machine. We have created a network share on this cluster, which is accessible to all Domain Users of the Old Domain. Both Domains have two way forest level trust. we are trying to migrate
    the ACL of this share (\\ClusterMachine\testshare$) to the new domain using SubInACL. We are trying to run the below command to get it done.  
    subinacl /outputlog=C:\Users\Administrator\Desktop\Migrationlog.txt /subdirectories
    \\ClusterMachine\testshare$\*.* /migratetodomain=OldDomain=NewDomain=mappingfile.txt
    Mapping file contains : Domain Users=NewDomain_Users
    But we are getting the Error that "1210 could not find a domain controller for domain "Test Domain". Error finding domain name : 1210 the format of the specified computer name is invalid. Current Object "\\ClusterMachine\testshare$"
    will not be processed."

    Hello,
    how in detail is DNS set up in each domain?
    Any problems when using nslookup to verify?
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://blogs.msmvps.com/MWeber
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  • Error finding a domain controller

    Hi,
    I have an error in finding a windows domain controller when a PC bootup and does a network access via a Cisco wireless PCMCIA card (AIR PCM-352) managed by Cisco ACU.
    This is the situation:
    - the operating system of the PC is Windows XP sp2
    - the wireless card is an AIR PCM352 with firmware V.5.60.21
    - the version of ACU is 6.6.00
    - the Access point is a Cisco 1120 (802.11b) with IOS version 12.3(8)JA
    - wireless communication is completely open (ssid in guest mode, authentication open ,no wep)
    - the ip address of the PC is obtained via DHCP (DHCP server is a Microsoft Server)
    I notice a difference between a Cisco PCMCIA card 352 managed by Cisco ACU and by Windows XP.
    In fact this error doesn't happen when the WLAN card is controlled by Windows wireless utility.
    Is it possible that the startup timing of the Cisco ACU is later than the Window's one?
    Has anyone resolved this error?
    Thanks in advance
    Antonio

    Hi Antonio,
    Obviously you get the error of the domain not found because your wireless card is not even associated (the wireless card utility hasn’t started)
    Can you clarify the line "Is it possible that the startup timing of the Cisco ACU is later than the Window's one? " . You mean start the Cisco ACU before the windows one right?
    The best way to get around issues like that is to use for example the Odyssey client from Funk and turn on GINA and it should work fine.
    Rgds,
    Pablo

  • Forest trust unable to find Active Directory Domain Controller

    I have two domains with a two-way forest trust. We'll call them ForestA and ForestB. They're on separate subnets. ForestA's DCs are in one physical location. ForestB's DCs are in two locations, one of which is shared with A.
    I'm unable to route traffic directly from the remote DC in ForestB to the subnet ForestA is on, so I created a new DC in ForestA that sits on the subnet ForestB uses (basically, I can't route between subnets via the wireless bridge between locations, but
    can within the same location).
    I found this: http://www.neomagick.net/zen/2008/11/30/using-dns-to-force-a-domain-trust-through-a-specific-domain-controller-dc/
    I followed the instructions to set the new DC in forest A to be the only one the remote DC in forest B was aware of.
    Nslookup ForestA.com resolves correctly to this DC, but I'm unable to validate the trust relationship, getting the error:
    "Windows cannot find an Active Directory Domain Controller for the ForestA.com domain. Verify that an AD DC is available and then try again."
    I'd appreciate any help.

    In the event viewer, have you found any event IDs that correspond with this error? Have you ensured all ports required are open? Windows firewall is correctly set up? NIC is properly configured?
    Statement below taken from: http://technet.microsoft.com/en-us/library/cc961803.aspx
    If you receive the following error, ERROR_NO_LOGON_SERVERS while using the Nltest tool to query the secure channel, this is usually indicative of the inability to find a domain controller for that domain. Run nltest /dsgetdc:<DomainName> to verify
    whether you can locate a domain controller. If you are unable to find a domain controller examine DNS registrations and network connectivity.
    ADDS Ports:
    http://msdn.microsoft.com/en-us/library/dd772723(v=ws.10).aspx

  • Shutdown 2003 domain controller, Used new different name; same IP address on new 2012 DC - can I delete the old name object?

    Greetings,
    I promoted a 2012 domain controller, with new name and IP,   shutdown the old DC and re-ip'ed new DC with old IP address.
    After reboot everything is working fine.  I would like to delete the old DC object name from the AD.  Can I do so without interruption?
    Thank you

    Demotion using DCPROMO would have been the preferred way to go. 
    You should however be able to get away with deleting the computer object for the old DC using AD Users and Computers.  The metadata cleanup is now included in the modern UI, so you shouldn't need to use NTDSUtil to do the cleanup of references to the
    old DC.
    I would also manually remove the NS record for the old DC from your DNS zone(s) as this is not handled by the object deletion. 
    Also, have a good look through the DNS records anyway and see if there are any references to the old name (A, SRV records) and delete them manually if you find some.
    Alexei

  • How to use DNS server for name resolution for items which don't exist in active directory domain controller DNS

    Dear Experts,
    In our office we have a domain controller, call it 'Office.com'. All computers and corporate servers, e.g. Exchange, antivirus etc., are members of this 'office.com'; it also has a DNS. All users in the office have their preferred DNS set to the corporate
    DNS
    We are working for ministry and offering services to them from our data center so have many servers which are for ministry but they are in our data center. For all these servers we created another DNS server which contains all entries for these servers in
    forward and reverse lookup zones. In this DNS we also created a forward lookup zone for our corporate servers and zone name is 'office.com'
    What we are trying to have is name resolution of all servers which are listed in other DNS build in our office on Win 2008 R2 for ministry servers
    If the user changes his preferred DNS to the ministry DNS he can resolve the ministry servers, but then we cannot control anything through group policy since they are using the other DNS and not the corporate DNS.
    How can this be done? Any group policy applied on the corporate domain controller must take effect on users, and in addition the user must also be able to resolve server names in the ministry project DNS.
    Please assist ASAP.
    regards,

    Hello,
    ok so the GPO setting doesn't apply in any case.
    Client machines use the first DNS server in the list of configured ones on the NIC. If that one is available, the search for additional DNS servers will stop.
    What I cannot really understand is your description of the second DNS server. This should normally be either another DC with AD-integrated DNS, so everything is replicated within AD replication, or you use a secondary DNS on a domain member server that pulls
    the information from the master.
    It sounds to me that you have configured a machine with the DNS server role, manually created the zone with the same name as the domain, and manually created the required A records there?
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  • Use old domain controller AD user profile with new domain (profile changed)

    Dear All,
    I have built Win Server 2012 for domain migration from Windows Server 2003 to Windows Server 2012. I have tested everything on VMware, including user creation, and tested domain join using PowerShell for Win 7 and a .vbs batch file for Win XP computers; everything
    is working fine.
    Let me first introduce my current environment. I have an existing Win Server 2003 domain controller (abc.com) with 130 client computers and 200 users. I am planning to migrate my current environment to a Win Server 2012 domain (xyz.com). Keep in mind that the domain
    name is changed but the domain controller (server) names are the same, i.e. MY-PDC. I have tested domain join on multiple computers using existing clones of client computers and created all existing users using a .csv file and PowerShell with the required
    credentials and OU. I am facing a user profile issue: when I join the domain and log in with an existing user who was previously a user of the same computer, the required profile does not log in and the computer creates a new user profile in the Documents and Settings section
    of Win XP.
    I need your expert opinions, because copying old profile data and creating a new Outlook profile for each user is a big headache for anyone. I hope you can understand and help me with this issue.
    Please provide the best answer and result on priority; I will be thankful to all of you.
    Regards,
    Arsalan

    Hi Arsalan,
    Please check if USMT can help you to achieve this target.
    User State Migration Tool 4.0 User's Guide
    Meanwhile, please also refer to the following articles and check if they can help you.
    How to Migrate Windows User Profile to New Account
    Keeping user old domain profile
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    If anything I misunderstand or any update, please don’t hesitate to let us know.
    Hope this helps.
    Best regards,
    Justin Gu

  • 802.1x using authentication from NT Domain Controller instead of Radius

    I would like to know if it's possible to configure 802.1x using authentication from NT Domain Controller, instead of using Radius or Tacacs.

    It is possible to use MS AD, generic LDAP, Novell NDS for authentication, it's fairly common.
    The issue is "How do you get the device to talk to the authentication source ... (AD, DC, NDS, LDAP)?"
    The answer is RADIUS.
    You can configure RADIUS to pull authentication from a variety of sources (depending on the RADIUS - many/most can use any of the LDAP-based systems).
    So, yes, certainly you can use the Microsoft AD, but you need RADIUS to connect the two systems (the 802.1x device and the AD server).
    If cost is the issue, try freeRADIUS (www.freeradius.org) - it's fully featured (can use LDAP, AD, NDS, Certificates, etc), it's free, and configuration is much easier than it looks ....
    Good Luck
    Scott

  • Setting up FTP on Domain Controller using User Isolation

    Hi all,
    Our FTP site is set up on a domain controller (not best practice, I know, but I wasn't involved in the implementation of it). It currently works with the "FTP Root Directory" option selected; however, this is not very secure as everyone has access
    to everything. I need to set it up so it uses "Username Directory", as this is a domain controller and I want them to authenticate via AD User/Group. However, when I select that option, I can't connect to the FTP site - connection attempt failed with
    "EAI_NONAME - Neither nodename nor servname provided, or not known". When I change it back to "FTP Root Directory" it connects fine.
    Basic Authentication is Enabled and Anonymous Authentication is disabled.
    Virtual Directory option is selected under directory listing options.
    Our FTP folder structure is E:\FTPRoot it got moved to this drive as it's a bigger drive.
    I've set up a Virtual Directory for the FTP site and for the individual folders. 
    I'm stuck on what else to try, any advice and guidance would be appreciated.

    Hi,
    FTP setup is related to IIS so you could post the question to IIS forum instead.
    http://forums.iis.net/
