Starting test: MachineAccount
Warning: Attribute userAccountControl of SL1CDC4 is:
0x82020 = ( PASSWD_NOTREQD | SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION )
Typical setting for a DC is
0x82000 = ( SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION )
This maybe affecting replication
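This is a bug: when a computer account is pre-created in ADUC and then promoted to a DC, userAccountControl is set to 532512 (0x82020) instead of the default 532480 (0x82000). The difference is the PASSWD_NOTREQD bit (0x20). You need to manually set the value to 532480 in ADSIEDIT.MSC or with the following PowerShell (the command ends in -whatif, so it only previews the change until that switch is removed):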
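# Preview only: remove -WhatIf to apply. RODC accounts (0x5001000) are skipped so they are not overwritten.
Get-ADObject -Filter "objectCategory -eq 'computer'" -SearchBase "ou=domain controllers,dc=contoso,dc=loc" -SearchScope Subtree -Properties distinguishedName,userAccountControl |
  Select-Object distinguishedName,name,userAccountControl |
  Where-Object { $_.userAccountControl -ne 532480 -and $_.userAccountControl -ne 0x5001000 } |
  ForEach-Object { Set-ADObject -Identity $_.distinguishedName -Replace @{userAccountControl=532480} -WhatIf }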
The primary group ID can also be involved. If you have RODCs, the values should be as follows. Here is the full summary:
RW DC
userAccountControl = 0x82000
PrimaryGroupID = 516
RO DC
userAccountControl = 0x5001000
PrimaryGroupID = 521
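A read-only way to check accounts against the summary above before changing anything, as an added example that is not part of the original post. The function names ConvertTo-UacFlagNames and Test-DcAccountFlags are hypothetical and the sample rows are constructed; it decodes each value into flag names and reports which bits are extra or missing for the account's primary group.

```powershell
# Added example (not from the original post); userAccountControl bit values as documented.
$UacFlags = [ordered]@{
    PASSWD_NOTREQD                 = 0x20
    WORKSTATION_TRUST_ACCOUNT      = 0x1000
    SERVER_TRUST_ACCOUNT           = 0x2000
    TRUSTED_FOR_DELEGATION         = 0x80000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
    PARTIAL_SECRETS_ACCOUNT        = 0x4000000
}
# Expected userAccountControl per primaryGroupID, taken from the summary above.
$Expected = @{ 516 = 0x82000; 521 = 0x5001000 }

function ConvertTo-UacFlagNames([int]$Value) {
    $names = @(foreach ($f in $UacFlags.GetEnumerator()) { if ($Value -band $f.Value) { $f.Key } })
    $known = 0; foreach ($v in $UacFlags.Values) { $known = $known -bor $v }
    $rest = $Value -band (-bnot $known)          # bits not in the table above
    if ($rest) { $names += ('0x{0:X}' -f $rest) }
    $names -join ' | '
}

function Test-DcAccountFlags {
    param([Parameter(ValueFromPipeline)]$Account)
    process {
        $uac  = [int]$Account.userAccountControl
        $pgid = [int]$Account.primaryGroupID
        $extra = 0; $missing = 0
        if (-not $Expected.ContainsKey($pgid)) {
            $status = "unexpected primaryGroupID $pgid"
        } else {
            $want    = $Expected[$pgid]
            $extra   = $uac -band (-bnot $want)   # set but not expected
            $missing = $want -band (-bnot $uac)   # expected but not set
            $status  = if ($uac -eq $want) { 'OK' } else { 'MISMATCH' }
        }
        [pscustomobject]@{
            Name = $Account.Name; Status = $status; Flags = ConvertTo-UacFlagNames $uac
            Extra = ConvertTo-UacFlagNames $extra; Missing = ConvertTo-UacFlagNames $missing
        }
    }
}

# Constructed sample rows (the primaryGroupID for SL1CDC4 is assumed). In a domain, pipe in
# Get-ADComputer -SearchBase <Domain Controllers OU> -Filter * -Properties userAccountControl,primaryGroupID
$sample = @(
    [pscustomobject]@{ Name = 'SL1CDC4';       userAccountControl = 0x82020;   primaryGroupID = 516 }
    [pscustomobject]@{ Name = 'DC-RW-EXAMPLE'; userAccountControl = 0x82000;   primaryGroupID = 516 }
    [pscustomobject]@{ Name = 'DC-RO-EXAMPLE'; userAccountControl = 0x5001000; primaryGroupID = 521 }
)
$sample | Test-DcAccountFlags | Format-Table -AutoSize
```

With the sample rows, only SL1CDC4 is reported as MISMATCH, with PASSWD_NOTREQD listed under Extra.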