DCDIAG Question

All three domain controllers are Server2003, SP1. DNS works fine, no
replication errors. Each is located in a different physical site. When I
run dcdiag I get only one response that implies an issue.

The warning is that Attribute userAccountControl for one of the servers is
0x82020 instead of 0x82000. UF_PASSWD_NOTREQD appears to be the culprit. I
cannot find anything on the 'net or MS to understand this. I did run
adsiedit and there is a difference in the properties for the server with
this warning. It has a userAccountControl at 532512 whereas the other two
servers without the warning indicate 532480.

I don't know where this got set or how it got set. Should I modify the
setting for the server with the warning using adsiedit??

Do I even have a problem or is this cosmetic?

dave Admin

I read somewhere it is a bug in ADUC when pre creating computer accounts.
Did you pre-create the account of that DC?

These are the default UserAccountControl values for the certain objects:
Typical user : 0x200 (512)
Domain controller : 0x82000 (532480)
Workstation/server: 0x1000 (4096)

If you want to restore the default DC value You can use either LDP or
ADSIEDIT.MSC

When using adsiedit:
* Connect to the domain NC
* Navigate to the Domain Controllers OU
* Right click on the properties of the DC for which you want to change the
UserAccountControl value.
* Goto the UserAccountControl attribute
* You should see a value (from what you have described): 532512
* Change that value to: 532480

After this is you go to LDP to the same location you see:
userAccountControl: 0x82000 = ( UF_SERVER_TRUST_ACCOUNT |
UF_TRUSTED_FOR_DELEGATION )


--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------


-----------------------------------------------------------------------------
"dave Admin" <dmackler@mds.acsol.net> wrote in message
news:O2wMLd0KGHA.740@TK2MSFTNGP12.phx.gbl...
>
> All three domain controllers are Server2003, SP1. DNS works fine, no
> replication errors. Each is located in a different physical site. When I
> run dcdiag I get only one response that implies an issue.
>
> The warning is that Attribute userAccountControl for one of the servers is
> 0x82020 instead of 0x82000. UF_PASSWD_NOTREQD appears to be the culprit.
> I cannot find anything on the 'net or MS to understand this. I did run
> adsiedit and there is a difference in the properties for the server with
> this warning. It has a userAccountControl at 532512 whereas the other two
> servers without the warning indicate 532480.
>
> I don't know where this got set or how it got set. Should I modify the
> setting for the server with the warning using adsiedit??
>
> Do I even have a problem or is this cosmetic?
>
> dave Admin
>
>

Jorge de Almeida Pinto [MVP] wrote:
> I read somewhere it is a bug in ADUC when pre creating computer accounts.
> Did you pre-create the account of that DC?


A little OT - I just want to search a little to find some sources before
posting a reply and what I found - Jorge's answer indexed by the google
before it came to my news reader - maybe it is time to switch to on-line
reader


--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)

Thanks Jorge,
Sounds like a plan

dave

"Jorge de Almeida Pinto [MVP]"
<SubstituteThisWithMyFullNameSeparatedByDots@gmail.com> wrote in message
news:eHXmZp1KGHA.216@TK2MSFTNGP15.phx.gbl...
>
> I read somewhere it is a bug in ADUC when pre creating computer accounts.
> Did you pre-create the account of that DC?
>
> These are the default UserAccountControl values for the certain objects:
> Typical user : 0x200 (512)
> Domain controller : 0x82000 (532480)
> Workstation/server: 0x1000 (4096)
>
> If you want to restore the default DC value You can use either LDP or
> ADSIEDIT.MSC
>
> When using adsiedit:
> * Connect to the domain NC
> * Navigate to the Domain Controllers OU
> * Right click on the properties of the DC for which you want to change the
> UserAccountControl value.
> * Goto the UserAccountControl attribute
> * You should see a value (from what you have described): 532512
> * Change that value to: 532480
>
> After this is you go to LDP to the same location you see:
> userAccountControl: 0x82000 = ( UF_SERVER_TRUST_ACCOUNT |
> UF_TRUSTED_FOR_DELEGATION )
>
>
> --
>
> Cheers,
> (HOPEFULLY THIS INFORMATION HELPS YOU!)
>
> # Jorge de Almeida Pinto # MVP Windows Server - Directory Services
>
> BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
> -----------------------------------------------------------------------------
> * This posting is provided "AS IS" with no warranties and confers no
> rights!
> * Always test before implementing!
> -----------------------------------------------------------------------------
>
>
> -----------------------------------------------------------------------------
> "dave Admin" <dmackler@mds.acsol.net> wrote in message
> news:O2wMLd0KGHA.740@TK2MSFTNGP12.phx.gbl...
>>
>> All three domain controllers are Server2003, SP1. DNS works fine, no
>> replication errors. Each is located in a different physical site. When
>> I run dcdiag I get only one response that implies an issue.
>>
>> The warning is that Attribute userAccountControl for one of the servers
>> is 0x82020 instead of 0x82000. UF_PASSWD_NOTREQD appears to be the
>> culprit. I cannot find anything on the 'net or MS to understand this. I
>> did run adsiedit and there is a difference in the properties for the
>> server with this warning. It has a userAccountControl at 532512 whereas
>> the other two servers without the warning indicate 532480.
>>
>> I don't know where this got set or how it got set. Should I modify the
>> setting for the server with the warning using adsiedit??
>>
>> Do I even have a problem or is this cosmetic?
>>
>> dave Admin
>>
>>
>
>
>

;-)

just tried it myself...

pre-create a computer account in the computers container
promote a server to a DC using the name of the pre-created account...

yep, the password not required flag remains

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------


-----------------------------------------------------------------------------
"Tomasz Onyszko" <T.Onyszko_nospam_@w2k.pl> wrote in message
news:OezV0s1KGHA.3728@tk2msftngp13.phx.gbl...
> Jorge de Almeida Pinto [MVP] wrote:
>> I read somewhere it is a bug in ADUC when pre creating computer accounts.
>> Did you pre-create the account of that DC?
>
>
> A little OT - I just want to search a little to find some sources before
> posting a reply and what I found - Jorge's answer indexed by the google
> before it came to my news reader - maybe it is time to switch to on-line
> reader
>
>
> --
> Tomasz Onyszko
> http://www.w2k.pl/blog/ - (PL)
> http://blogs.dirteam.com/blogs/tomek/ - (EN)

Jorge de Almeida Pinto [MVP] wrote:
> ;-)
>
> just tried it myself...
>
> pre-create a computer account in the computers container
> promote a server to a DC using the name of the pre-created account...
>
> yep, the password not required flag remains
>
Yup, that what I want to be my answer - I came across it some time ago
when we deployed a lot of accounts.


--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)