Active Directory Naming information for domain couldn’t be found


Sometimes when you open one of the Active Directory tools you get the error message “Naming information couldn’t be contacted”:

Active Directory Users and Computers

Active Directory Trusts and Domains

Active Directory Sites and Services

Domain Security Policy

Domain Controller Security Policy

Schema Admin

This happens for one of the following reasons:

1. The SRV records for the Active Directory domain are not registered in the DNS domain zone.

2. The DNS server couldn’t be contacted for some reason.

3. The A (host) record for the domain controller is missing from the DNS zone.

4. The Netlogon service on the domain controller has been stopped.

5. The domain controller is pointing to the wrong DNS server.

6. The domain controller is pointing to a DNS server that is far away from it.

7. The DNS server can’t be contacted because of network congestion.

8. The domain controller is under heavy load when the DNS client sends its request to the DNS server to find domain information, for example when an application running under a service account sends DNS queries to the DNS server very frequently.

Your DNS zone should contain SRV records laid out like this:

   Forward Lookup Zones
   |
   |-- _sites
   |     |
   |     `-- Default-First-Site-Name
   |           |
   |           `-- _tcp -------- _ldap     [SRV]: 0:100:389:
   |                             _gc       [SRV]: 0:100:3268:
   |                             _kerberos [SRV]: 0:100:88:
   |
   |-- _tcp ---------------- _ldap     [SRV]: 0:100:389:
   |                         _gc       [SRV]: 0:100:3268:
   |                         _kerberos [SRV]: 0:100:88:
   |                         _kpasswd  [SRV]: 0:100:464:
   |
   `-- _udp ---------------- _kpasswd  [SRV]: 0:100:464:
                             _kerberos [SRV]: 0:100:88:

You must have the above SRV records registered in the DNS zone so that the AD tools can get the list of domain controllers available in the domain by calling the DsGetDcName API.

These are the basic guidelines for DNS and TCP/IP configuration on a server:

1. On a DC or DNS server, make sure the DNS server setting points to the server’s own IP address.

2. Make sure Dynamic or Secure Dynamic update is enabled on the authoritative zone.

3. Make sure the SOA record in the DNS zone points to the correct DNS server IP address.

4. Issue Ipconfig /registerdns from a command prompt to register the server’s A records in the zone.

5. If there are two LAN cards, make sure the internal NIC of the server is listed first in the binding order.

Securing your network using Microsoft Windows DHCP


This article explains how you can secure a network running the DHCP service.

Microsoft has added some security to the DHCP Server by means of the Class ID. You can use the Class ID to secure a network for clients that are part of the network, or for laptop users who receive their IP address from this DHCP server.

On the DHCP server you configure the Class ID. When you configure a Class ID you need to use the same ID on all client machines, so that any DHCP packet sent by a client can be understood by the DHCP server for that class. You set the Class ID on client machines using the *Ipconfig /setclassid* command.

Prevent computers gaining IP Address from DHCP Server if they are not authorized

A computer is authorized to obtain an IP address on the network only when it is configured with the DHCP Class ID that you have defined on the MS DHCP Server. This Class ID mechanism is understood by MS DHCP servers only.

We have secured our DHCP network using *MS Class Options* (this mechanism exists only in the Microsoft DHCP implementation).

Client machines can’t get an IP address from any DHCP server on the network *IF* you have configured a Class ID on the client machines using the *Ipconfig /setclassid* command. A DHCP packet is dropped by the DHCP server if a scope with the *same Class ID* is not found on the MS DHCP server.

This is what happens when you implement Class ID on your network:

1. A computer plugs into your network.

2. The DHCP client service starts and broadcasts on the network to get an IP address (I assume this is a new computer configured with a Class ID).

3. The DHCP server goes through its database of scopes to check whether the request matches a Class ID scope, a simple scope, or a superscope (if the request is coming from a different network ID):

        a. If the DHCP packet from the client machine contains Class ID information, the DHCP
           server goes through the Class ID scopes. If it doesn’t find the same Class ID in
           its database, the DHCP packet is dropped. Exit loop. If the DHCP server does find
           the Class ID scope, it leases an IP address to the client machine. Exit loop.

        b. The DHCP server moves on to the next condition, the *DHCP scope for the same
           subnet*. HERE the DHCP server can lease an IP address from any such scope if you
           haven’t configured the client machine with a Class ID. This is where DHCP security
           fails. If the DHCP server finds no other scope, the DHCP packet is dropped. Exit loop.

        c. The next condition is to check the *DHCP superscope for the same or another
           subnet*, which applies when the client doesn’t belong to the same subnet.
           Condition b applies in this case.

4. After checking the above conditions, when the DHCP server finally decides to drop the packets, the client obtains an IP address using APIPA (169.254.x.x). This leaves the client out of the network; it can’t participate in it.

Restrict IP addresses to known MAC addresses (static or DHCP) when an unauthorized machine has physical access to a NAM on the network.


1. Create a class on your network.

2. Define a scope for these MAC systems only.

3. Create a unique Class ID for this scope.

4. Configure the client machines using *Ipconfig /setclassid*, setting the Class ID you have configured on the DHCP server.

Now when a DHCP server receives a packet from a client machine configured with the same Class ID, it goes through its scopes to check whether the client belongs to any class scope you have configured on the DHCP server.
If the DHCP server finds a class scope with the same Class ID, it leases an IP address *ONLY* from this class, regardless of the subnet the client machine belongs to. Condition a applies in this scenario.


1. This way you can secure your DHCP server.

2. This only applies when the client machines are configured to obtain an IP address automatically from a DHCP server. If a client machine is configured with a static IP address then you can’t stop it this way. You need to disable the DHCP client service on the client machine, unregister a DLL from the system, or set permissions on the registry of the client machine so that the information can’t be saved.

3. You shouldn’t have any other scope configured on your DHCP server without a Class ID. If you do, the DHCP server can lease IP addresses from that scope when a client request arrives without Class ID information, that is when the DHCP packet from the client doesn’t contain a Class ID. You can use either plain scopes or Class ID scopes, but not both, to implement this security. Check conditions a, b and c described earlier in this article.

DHCP Security:

The following articles only address how to secure a network against, or detect, rogue DHCP servers running in it. They are worth reading.

Part 1
Part 2

If your DHCP clients are all Windows 2000 or newer, this will work pretty well for you. If you have clients older than Windows 2000 that need to use DHCP, this won’t work.

Class ID won’t work for:

Windows 9x/NT clients
PXE boot clients and other network boot clients (Altiris BootWorks)
Non-Windows clients (Linux and Mac are the most common)

Driver issue – Server not booting in Normal Mode


If you face an issue with a Windows driver or a third-party driver, you can use the Safe Mode registry data to repair the Normal Mode configuration and get things working again. If you can boot into Safe Mode, there is a good chance of restoring your computer using the Safe Mode registry data, because the predefined list of drivers and services in the registry keys for these modes is not changed when you install an application.

This is how you do it:

  1. Boot into Safe Mode.
  2. Start Registry Editor and navigate to the following registry key:


  3. Save/Export this key to a file named SafeBoot.reg.
  4. Next navigate to the following key:


  5. Save/Export this key to Services.reg.
  6. Now edit SafeBoot.reg in Notepad or WordPad (make sure word wrap is disabled), then:

Find all the entries with:


and replace them all with the following:


  7. After replacing all entries, save the SafeBoot.reg file and double-click it to import it.
  8. Now restart your computer in Normal Mode. It should boot.

Group Policy Troubleshooting

The following points should be taken into consideration while troubleshooting Group Policy. These are the common ones:

Group Policy settings are applied only when the user account or computer account (leaf objects) is in the container where the GPO is applied.

Leaf objects or groups must have the “Read” and “Apply Group Policy” permissions assigned to them.

Make sure you and your users have proper permissions on the SYSVOL folder.

Make sure the SYSVOL folder is shared properly (type net share \\ip_of_dc from a client machine or server).

Group Policy Objects may not be processed if Client-Side Extensions (CSEs) are missing on the client machine or the DLLs used to process GPOs are corrupted. You can find the CSEs at the following registry location:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions

Make sure the NetBIOS Helper service is running on the server (check with the services.msc snap-in).

Make sure you haven’t enabled the *No Override* option on parent GPOs if you’re using one. Check this on the Default Domain GPO.

For permissions, you should have the following set for each object:

Remove the *Authenticated Users* group from the list of objects on the Security tab.

The target group (Sales Dept in this example) should have “Read” and “Apply Group Policy” permissions.

Administrators, Enterprise Administrators and Domain Administrators should be set to “Deny Apply Group Policy”.

Finally, you can troubleshoot Group Policy either using GPMC (RSoP) or by enabling User Environment Debugging on one of your client machines and then finding the culprit.

How to enable User Profile Debugging: Microsoft Knowledge Base article 221833

DNS and Active Directory best practices.


1. DNS is pointing to itself in the TCP/IP properties.

2. You have configured the Forwarders tab in the DNS server properties for Internet access.

3. You have checked the box “Register this connection in DNS” in the TCP/IP properties.

4. The SOA RR entry points to this same DNS server’s address. Expand Forward Lookup Zones, then in the right pane find the SOA and NS records and make sure they are configured to use this DNS server’s IP address.

5. If you have *two NICs*, make sure DNS is *listening* only on the LAN interface.

6. Issue the Ipconfig /registerdns command on the domain controller.

7. If you have configured your internal NIC to use the ISP’s DNS server address, remove it.

8. Also make sure DNS dynamic update is enabled on the DNS zone.

9. Make sure clients are configured to use the DNS suffix.

This DNS server won’t forward requests to the ISP’s DNS server until it is configured to do so. You configure this on the Forwarders tab of the DNS server properties.


For Internet access:

Delete the root zone (“.”) from the forward lookup zones on your DNS server. Then open the properties page of your DNS server and configure forwarders to point to your ISP’s DNS servers.

Using Forwarders in DNS:


Frequently Asked Questions About Windows 2000 DNS and Windows Server 2003 DNS
Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003
HOW TO: Troubleshoot DNS Name Resolution on the Internet in Windows 2000
HOW TO: Configure DNS for Internet Access in Windows 2000

Troubleshooting Common Active Directory Setup Issues in Windows 2000

10 DNS Errors That Will Kill Your Network
Troubleshooting Active Directory DNS Errors in Windows 2000
SRV Resource Records May Not Be Created on Domain Controller
How to Verify the Creation of SRV Records for a Domain Controller
How Domain Controllers Are Located in Windows
How Domain Controllers Are Located in Windows XP
HOW TO: Configure DNS for Internet Access in Windows Server 2003
HOW TO: Troubleshoot DNS Name Resolution on the Internet in Windows Server 2003

Determining the Server GUID of a Domain Controller
GUID Records Are Not Registered If MX Record with Wildcard Character Is Present
Windows 2000 DNS and Active Directory Information and Technical Resources
Setting Up the Domain Name System for Active Directory

Windows logs on and then logs off immediately

You may face this problem when logging on to Windows: when you type your user name and password, you are presented with the user name and password dialog box again. You try hard to get in, but to no avail.

You may not be able to log on to the system in either Normal Mode or Safe Mode. This occurs when Winlogon tries to load the Windows default shell (explorer.exe) and the user shell (userinit.exe) from the registry. It looks for Explorer.exe and Userinit.exe in the following registry path:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Edit these values and type the correct path of the shell:

            Shell = explorer.exe


NOTE: These files may also be deleted by spyware. You may need to extract them from the Windows CD.

Steps for rectifying this problem:

  • Log on to a networked computer.
  • Run Regedit.exe.
  • Point your cursor to HKEY_LOCAL_MACHINE.
  • Select File > Connect Remote Registry.
  • Type the computer name of the infected computer.
  • Navigate to the following location in the registry of the destination (infected) computer:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

  • Edit these two values in the right pane:



  • Change these two values to:


                  Userinit = x:\windows\system32\userinit.exe

  • Exit the Registry Editor.
  • Restart the infected computer.
  • You should now be able to log on to the computer.

How to manually create the Default Domain GPOs

There is a way to recreate the Default Domain GPOs. Two GPOs are created when you promote a member computer or a stand-alone server to a domain controller.

These two GPOs are:

  • Default Domain Group Policy
  • Default Domain Controller Group Policy

These GPOs are stored in the SYSVOL folder. The Netlogon service creates two permanent GUIDs for these two GPOs under the SYSVOL folder:


Domain Default GPO GUID {31B2F340-016D-11D2-945F-00C04FB984F9}

Domain Controller Default GPO GUID {31B2F210-016D-11D2-945F-00C04FB981F1}

Windows identifies the default domain policies by their GUIDs located in the SYSVOL folder. These GUIDs are fixed for the Default Domain Policy and Default Domain Controller Policy created by default.

You can use the following steps to create the Default GPOs manually:

1. Open ADUC.

2. Right-click on > Properties.

3. Switch to the Group Policy tab.

4. Create a policy named “Default Domain Policy” (you can rename it if you want: the AD tools identify the default domain policies by their GUIDs in the SYSVOL folder, not by name).

5. Click this GPO > Properties > note down the GUID of the newly created GPO.

6. Go to the SYSVOL folder and change the GUID to the Default Domain Policy or Default Domain Controller Policy GUID.

7. Next you need a small ADSI script to set this well-known GUID in the GPC (Group Policy Container) of this policy in the AD database. You can also edit it manually.

You can also use ADSI Edit to set the GUID in the GPC container.

Here are some articles that you can use to troubleshoot Group Policy:

Troubleshooting Group Policy issues in Windows
How to reset security settings in GPO
Scripting GPO

Using Dcgpofix.exe:

You can also use Dcgpofix.exe to restore the Default GPOs.

Have a look here for Dcgpofix.exe:

The Dcgpofix tool does not restore security settings in the Default Domain Controller Policy to their original state

LDIFDE – Export / Import data from Active Directory

LDIFDE is a robust utility that enables you to import information into and export it from Active Directory. LDIFDE queries any available domain controller to retrieve or update AD information.


1. You can use LDIFDE to find any object: a printer, a server, a computer, a user, a person. All these objects are identified by *objectClass=object_class_name* (for example printer, user or organizationalUnit).

2. By default an imported account is disabled and its password is set to NULL.

3. To modify an AD attribute you must put “-” on a line by itself, followed by a completely blank line. Please see the format below.

4. When a user is exported to an LDF file, the “changetype” is add by default.

5. LDIFDE doesn’t support changing group membership. You can use CSVDE, ADDUSERS.exe or the DS tools in Windows Server 2003 editions.

6. LDIFDE doesn’t support exporting passwords.

7. By default the “User must change password at next logon” attribute is selected.

8. LDIFDE doesn’t support importing plain-text passwords. To change a user’s password you need to convert it from plain text to Base64. You can use a utility to convert from plain text to Base64.

9. Note that if no credentials are specified, LDIFDE uses the credentials of the currently logged-on user.

10. If you do an LDIFDE or CSVDE export, many of the attributes for user and group objects are owned by the system and cannot be re-imported. Here’s a trick: run the export with the -m switch. This enables SAM logic, which is another way of saying that the export skips the attributes that are owned by the system. This gives you a template to use when building your import files or spreadsheets.

11. You can also export all user accounts from a forest (including data from all domains). This requires that you run the LDIFDE command against a Global Catalog server, using the -t switch to specify the port number.

12. You must place a “-” on its own line, followed immediately by a blank line, for modify and change operations to work properly. Otherwise LDIFDE will fail!

13. Using the setting “userAccountControl: 66048” enables the newly created account. By default, an account is created disabled. Note that a user account can’t be enabled with a blank password if you have a complex password policy defined on the domain, so your first step is to change the password and then enable the account.

                        userAccountControl: 514 disables the account

14. There are more export-specific options than import options. Note that while exporting user accounts, OUs or persons you can use -o together with -l, but you can’t use either switch while importing a file into AD, because both switches are export-specific.

15. The default mode is export mode. You need to specify -i to turn import mode on.

16. If you want to carry a value over to the next line, the first character of the continuation line must be a space.

17. If you do not specify a server when you use LDIFDE to export objects that are in the domain naming context, LDIFDE searches for a global catalog server. When it does so, it may not use the domain of the object name or of the user account that you specify to determine which global catalog server to connect to. LDIFDE may connect to a global catalog server that is in the same site as the client but is a member of a different domain in the forest. This global catalog server may not have all the required Active Directory attributes for the objects that you want to export. To work around this issue, use the -s server_name command-line option to specify a server when you use LDIFDE.

18. LDIFDE sets the password to blank. If you have a complex password policy defined in your domain, you therefore can’t enable accounts with a blank password.

19. Note that the -o switch overrides the -l switch if you use both. Suppose you want to omit the badPwdCount attribute from the export and in the same command you specify -l to include this attribute. In this case the attribute won’t be exported.

20. The contents of an object are on consecutive lines, starting with the DN property. There must be an empty line before you perform an operation on another object.

21. Each property and its value must be on a separate line, such as: givenname: dinesh. There must be a colon and a space between them.

22. The DN property and its value must be on the first line; any other property/value pair can be on any line.

23. Multiple values of a property should each be on a separate line, such as:

            Otherhomephoneno: 512 513

            Otherhomephoneno: 514 859

24. An empty value can be written by including only the property name with a colon, such as:    sn:

25. A line that starts with a pound (#) sign is a comment line.

26. Base64 encoding works as follows:

a. The value to be encoded is divided into three-byte sections.

b. Each 24-bit section is divided into four 6-bit values.

c. Each 6-bit value is mapped to one of the following 64 characters: the uppercase letters A through Z, the lowercase letters a through z, the digits 0 through 9, the plus sign (+) and the slash (/). This results in a string of plain letters, digits, and possibly some plus signs and slashes. If the number of bytes in the original value is not a multiple of three, the encoded value will have one or two equals signs (=) at the end, so the number of characters is always a multiple of four.

27. LDIFDE exports only attributes that have values in AD. It doesn’t export attributes that have no value. For example, if description is not defined for a user, the description attribute won’t be exported.

28. When exporting ONLY ONE USER, make sure you don’t have a dash (-) after the end of the file.

29. When a new user account is created, it is made a member of the Domain Users group by default.

30. LDIFDE doesn’t accept blank values. Do not include blank values in LDF files or you will see errors.

31. LDIFDE doesn’t accept spaces in a value while exporting. For example, if the sAMAccountName is Jacson Sam you should enclose it in quotes.
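A small reader for LDF files that enforces the layout rules above (continuation lines, comments, colon and space, the dn line first, `::` Base64 values, the `-` terminator on modify records). This is an added example, not a tool from the article; the records in SAMPLE_LDF are constructed, and the unicodePwd value is the Base64 of the UTF-16LE string "newPassword" in quotes.

```python
import base64

class LdifFormatError(ValueError): pass   # raised when a record breaks one of the LDF rules

def _unfold(lines):
    """Rule 16: a line that begins with a space continues the previous line."""
    out = []
    for ln in lines:
        if ln.startswith(" ") and out:
            out[-1] += ln[1:]
        else:
            out.append(ln)
    return out

def _records(text):
    """Rules 20 and 25: an empty line ends a record; '#' lines are comments."""
    recs, cur = [], []
    for ln in text.splitlines():
        if ln.startswith("#"):
            continue
        if ln.strip() == "":
            if cur:
                recs.append(cur)
                cur = []
        else:
            cur.append(ln)
    if cur:
        recs.append(cur)
    return recs

def _parse_line(ln):
    """Rules 21 and 24: 'name: value', 'name:: base64' or a bare 'name:' (empty value)."""
    name, sep, rest = ln.partition(":")
    if not sep or not name or " " in name:
        raise LdifFormatError(f"expected 'name: value', got {ln!r}")
    if rest.startswith(":"):                 # Base64 value, e.g. unicodePwd; returned as bytes
        return name, base64.b64decode(rest[1:].strip())
    if rest == "":
        return name, ""
    if not rest.startswith(" "):
        raise LdifFormatError(f"colon must be followed by a space (rule 21): {ln!r}")
    return name, rest[1:]

def parse_ldif(text):
    """Return one dict per record; 'attrs' keeps repeated names in order (rule 23)."""
    result = []
    for raw in _records(text):
        lines = _unfold(raw)
        name, dn = _parse_line(lines[0])
        if name.lower() != "dn":
            raise LdifFormatError(f"record must start with dn (rule 22): {lines[0]!r}")
        rec = {"dn": dn, "changetype": "add", "attrs": []}   # rule 4: add is the default
        for ln in lines[1:]:
            if ln == "-":                    # rules 3 and 12: separator between changes
                continue
            name, value = _parse_line(ln)
            if name.lower() == "changetype":
                rec["changetype"] = value
            else:
                rec["attrs"].append((name, value))
        if rec["changetype"] == "modify" and lines[-1] != "-":
            raise LdifFormatError(f"modify record for {dn} must end with '-' (rule 12)")
        result.append(rec)
    return result

# Constructed sample (not from the article): an add record with a comment, a folded description
# and a multi-valued attribute, then a modify record with a Base64 unicodePwd and the closing '-'.
SAMPLE_LDF = """\
# exported with ldifde -m (SAM logic), system-owned attributes omitted
dn: CN=Jacson Sam,OU=Sales,DC=testdomain,DC=local
changetype: add
objectClass: user
sAMAccountName: jacson.sam
description: Sales engineer, regional
  office
otherHomePhone: 512 513
otherHomePhone: 514 859

dn: CN=Jacson Sam,OU=Sales,DC=testdomain,DC=local
changetype: modify
replace: unicodePwd
unicodePwd:: IgBuAGUAdwBQAGEAcwBzAHcAbwByAGQAIgA=
-
"""
```

Feed an LDF you are about to import to parse_ldif(); a raised LdifFormatError names the rule that the file breaks before ldifde -i ever touches the directory.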


1. Command to export a user with a given sAMAccountName:

ldifde -f exportuser.ldf -s computer_name -r "(samaccountname=SAMLNAME)"

2. Command to export organizational units:

Running this command exports all OUs except domain controllers into a file named ExportOU.ldf.

ldifde -f exportOu.ldf -s Server1 -d "dc=Export,dc=com" -p subtree -r "(objectClass=organizationalUnit)" -l "cn,objectclass,ou"

3. Export the user accounts from the source domain:

ldifde -f Exportuser.ldf -s Server1 -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,samAccountName"

Running this command exports all users in the Export domain into a file named Exportuser.ldf. If you do not have all the required attributes, the import operation does not work. The attributes objectclass and samAccountName are required, but more can be added as needed.

4. Command to import users from an LDF file:

ldifde -i -f Exportuser.ldf -s Server2

5. Exporting user account attributes except those that can’t be imported (using the -o switch):

This is another example filter that exports all user account data except for the attributes that cannot be imported:

ldifde -f Exportuser.ldf -s <Server1> -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -o "badPasswordTime,badPwdCount,lastLogoff,lastLogon,logonCount,memberOf,objectGUID,objectSid,primaryGroupID,pwdLastSet,sAMAccountType"

6. Exporting objects from an entire forest (the attributes listed with the -l switch are exported)

If you need to export everything from a forest you need to run the LDIFDE command against a Global Catalog server.

For example, to perform the export operation outlined above against a GC, the LDIFDE command would be:

ldifde -f Exportuser.ldf -s Server1 -t 3268 -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,sAMAccountName"

7. Simple import into the current domain. It imports only domain data, not forest-specific data.

ldifde -i -f INPUT.LDF

8. Simple export of the current domain. It exports only domain-related data, not forest-specific data.

ldifde -f OUTPUT.LDF

9. Export of a domain with supplied credentials (user_name, domain_name and password are placeholders for the -b switch):

ldifde -f Output.ldf -b user_name domain_name password -d "cn=users,DC=DOMAINNAME,DC=Microsoft,DC=Com" -r "(objectClass=user)"

10. Exporting users, persons or organizational units:

ldifde -v -s w2ks -d "dc=slowe,dc=com" -p subtree -r "(objectClass=class_name)" -f usersonly.txt

You’ll notice a number of additional parameters here:

  • -v turns on verbose mode so that I could see the results.
  • -d specifies the root of the search. While it was not required for this search, I included it to show you the format.
  • -p narrows the search to the subtree in question. The other options for the -p parameter are base and onelevel.
  • -r is used in the example with a parameter of “(objectClass=person)”. This parameter specifies the LDAP filter to use for LDIFDE. In my case, I wanted only people, so I chose an objectClass of “person.”

11. A simple VBScript to change a user’s password. The strUser and strOU values are prompted for; adjust the DC= components to your own domain:

' Prompt for the user's common name and the OU that holds the account
strUser = InputBox("Enter full name of user")
strOU = InputBox("Enter OU where user's account resides")
' Bind to the user object over LDAP and set the new password
Set objUser = GetObject("LDAP://CN=" & strUser & ",OU=" & strOU & ",DC=testdomain,DC=local")
objUser.SetPassword "password"
MsgBox "Done!"

12. To change a user’s password using the LDIFDE tool:

The following sample LDIF file (chPwd.ldif) changes the password to newPassword. The unicodePwd value is the new password wrapped in double quotes, encoded as UTF-16LE and then Base64-encoded, which is why it follows a double colon:

dn: CN=TestUser,DC=testdomain,DC=com
changetype: modify
replace: unicodePwd
unicodePwd:: IgBuAGUAdwBQAGEAcwBzAHcAbwByAGQAIgA=
-

Import it over the LDAP SSL port (636) with explicit credentials:

ldifde -i -f chPwd.ldif -t 636 -s dcname -b username domain password
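The record above can be generated from a plain-text password. This is an added example, not from the article: it implements the Base64 steps described in rule 26 by hand, checks them against Python’s base64 module, and applies Active Directory’s unicodePwd encoding (password wrapped in double quotes, UTF-16LE) before emitting the modify record.

```python
import base64

# Rule 26 c: the 64-character alphabet, in index order
_ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
             "abcdefghijklmnopqrstuvwxyz"
             "0123456789+/")


def base64_by_hand(data: bytes) -> str:
    """Rule 26: 3-byte sections -> four 6-bit values -> alphabet, '=' padded to a multiple of 4."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        # pack the section into a 24-bit integer; a short tail is zero-filled on the right
        bits = int.from_bytes(chunk.ljust(3, b"\x00"), "big")
        chars = [_ALPHABET[(bits >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        keep = len(chunk) + 1          # 1 byte -> 2 chars + '==', 2 bytes -> 3 chars + '='
        out.append("".join(chars[:keep]) + "=" * (4 - keep))
    return "".join(out)


def unicode_pwd_value(password: str) -> str:
    """AD accepts unicodePwd only as the password wrapped in double quotes and encoded as
    UTF-16LE; the LDF file then carries that byte string Base64-encoded after '::'."""
    raw = f'"{password}"'.encode("utf-16-le")
    encoded = base64_by_hand(raw)
    if encoded != base64.b64encode(raw).decode("ascii"):   # self-check against the stdlib
        raise RuntimeError("hand-rolled Base64 disagrees with base64.b64encode")
    return encoded


def password_change_record(dn: str, password: str) -> str:
    """Build the chPwd.ldif record: a modify on unicodePwd, terminated by '-' (rule 12)."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {unicode_pwd_value(password)}",
        "-",
        "",
    ])


def decode_unicode_pwd(encoded: str) -> str:
    """Reverse the encoding (useful when reviewing an LDF before importing it)."""
    text = base64.b64decode(encoded).decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not a quoted UTF-16LE string")
    return text[1:-1]


if __name__ == "__main__":
    print(password_change_record("CN=TestUser,DC=testdomain,DC=com", "newPassword"))
```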

Default Server for Active Directory



This article explains the problem that occurs when opening a Group Policy object in a forest where you have more than one domain controller, running in different sites.


When you open Active Directory Users and Computers > right-click an OU > Properties > Group Policy tab and open the GPMC or Edit Group Policy, then right-click a policy and click Edit, the snap-in opens the policy, but on a very distant server.

You will see something like this:

Policy Name [name of the distant server]


This happens because when you open a GPO the editor contacts a domain controller for editing according to the settings configured in Group Policy. By default it contacts the PDC Emulator to avoid collisions in FRS.


To resolve this you can set a policy setting in GPO:

If multiple administrators manage a common GPO, all administrators should use the same domain controller when editing a particular GPO in order to avoid collisions in the File Replication service (FRS).

Use the Change Domain Controller function to specify the domain controller to be used for a given domain or for all sites in a forest. In each case, you have four options:

The domain controller with the Operations Master token for the PDC emulator (the default option)

Any available domain controller

Any available domain controller running Windows Server 2003 or later.

This domain controller: Select a specific domain controller to be used.

More Information

Group Policy: Change Domain Controller Selection: