DCDIAG Question

dave Admin

All three domain controllers are Server 2003, SP1. DNS works fine, no
replication errors. Each is located in a different physical site. When I
run dcdiag I get only one response that implies an issue.

The warning is that Attribute userAccountControl for one of the servers is
0x82020 instead of 0x82000. UF_PASSWD_NOTREQD appears to be the culprit. I
cannot find anything on the 'net or MS to understand this. I did run
adsiedit and there is a difference in the properties for the server with
this warning. It has a userAccountControl at 532512 whereas the other two
servers without the warning indicate 532480.

I don't know where this got set or how it got set. Should I modify the
setting for the server with the warning using adsiedit??

Do I even have a problem or is this cosmetic?

dave Admin
 
Jorge de Almeida Pinto [MVP]

I read somewhere it is a bug in ADUC when pre-creating computer accounts.
Did you pre-create the account of that DC?

These are the default UserAccountControl values for certain objects:
Typical user : 0x200 (512)
Domain controller : 0x82000 (532480)
Workstation/server: 0x1000 (4096)

If you want to restore the default DC value, you can use either LDP or
ADSIEDIT.MSC

When using adsiedit:
* Connect to the domain NC
* Navigate to the Domain Controllers OU
* Right click on the properties of the DC for which you want to change the
UserAccountControl value.
* Go to the UserAccountControl attribute
* You should see a value (from what you have described): 532512
* Change that value to: 532480

After this, if you go to LDP at the same location, you see:
userAccountControl: 0x82000 = ( UF_SERVER_TRUST_ACCOUNT |
UF_TRUSTED_FOR_DELEGATION )


--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
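
Added example, not part of the original posts: a small Python decoder that breaks a userAccountControl value into its UF_* flags, compares it with the defaults listed in the reply above, and builds an LDAP filter for auditing other computer accounts that carry UF_PASSWD_NOTREQD. The flag values are the UF_* constants from the Windows SDK header lmaccess.h; the DC names in the sample are placeholders.

```python
# Added example: decode userAccountControl and diff it against the thread's defaults.
# Flag values are the UF_* constants from the Windows SDK header lmaccess.h.
UF_FLAGS = {
    0x00002: "UF_ACCOUNTDISABLE",
    0x00020: "UF_PASSWD_NOTREQD",
    0x00200: "UF_NORMAL_ACCOUNT",
    0x01000: "UF_WORKSTATION_TRUST_ACCOUNT",
    0x02000: "UF_SERVER_TRUST_ACCOUNT",
    0x10000: "UF_DONT_EXPIRE_PASSWD",
    0x80000: "UF_TRUSTED_FOR_DELEGATION",
}

# Default values as listed in the reply above.
DEFAULTS = {"user": 0x200, "domain controller": 0x82000, "workstation/server": 0x1000}

# Active Directory's bitwise-AND matching rule (LDAP_MATCHING_RULE_BIT_AND).
BIT_AND_OID = "1.2.840.113556.1.4.803"


def decode(uac):
    """Return the names of all set flags, lowest bit first; unknown bits as hex."""
    names = []
    bit = 1
    while bit <= uac:
        if uac & bit:
            names.append(UF_FLAGS.get(bit, hex(bit)))
        bit <<= 1
    return names


def diff_from_default(uac, kind):
    """Return (extra, missing) flag-name lists relative to the default for `kind`."""
    expected = DEFAULTS[kind]
    return decode(uac & ~expected), decode(expected & ~uac)


def audit_filter(flag=0x20):
    """LDAP filter matching computer objects that have `flag` set (default 0x20)."""
    return f"(&(objectCategory=computer)(userAccountControl:{BIT_AND_OID}:={flag}))"


if __name__ == "__main__":
    # Constructed sample: placeholder DC names, the two values quoted in the thread.
    for name, uac in {"DC-A": 532512, "DC-B": 532480}.items():
        extra, missing = diff_from_default(uac, "domain controller")
        print(f"{name}: {uac} = {hex(uac)} -> {' | '.join(decode(uac))}")
        print(f"  extra: {extra or 'none'}  missing: {missing or 'none'}")
    print("Filter for other affected computer accounts:", audit_filter())
```

The filter string can be pasted into any LDAP search tool (LDP, for example) with the domain NC as the search base.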
 
Tomasz Onyszko

Jorge said:
I read somewhere it is a bug in ADUC when pre creating computer accounts.
Did you pre-create the account of that DC?


A little OT - I just wanted to search a little to find some sources before
posting a reply, and what I found was Jorge's answer, indexed by Google
before it came to my news reader - maybe it is time to switch to an on-line
reader :)
 
Jorge de Almeida Pinto [MVP]

;-)

just tried it myself...

pre-create a computer account in the computers container
promote a server to a DC using the name of the pre-created account...

yep, the password not required flag remains

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
 
Tomasz Onyszko

Jorge said:
;-)

just tried it myself...

pre-create a computer account in the computers container
promote a server to a DC using the name of the pre-created account...

yep, the password not required flag remains

Yup, that's what I wanted to be my answer - I came across it some time ago
when we deployed a lot of accounts.
 
