Wednesday, April 10, 2013

Warning: Attribute userAccountControl of DC is: 0x82020

When running a DCDiag at a customer site today I had the following error occur.

Warning:  Attribute userAccountControl of DC is: 0x82020 = ( UF_PASSWD_NOTREQD | UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
This may be affecting replication?

It is a bug when we pre-create a computer account in ADUC and then promote it as DC, the UserAccountControl is set to 532512 instead of the default 532480. You need to manually set the vaulue to 532480 in ADSIEDIT.MSC.

UserAccountControl values for the certain objects:
Typical user : 0x200 (512)
Domain controller : 0x82000 (532480)
Workstation/server: 0x1000 (4096)

Change it to represent 0x82000.

 

8 comments:

  1. Thanks a lot. It was exactly the case. The computer object was created manually.
    Alexandre Augagneur

    ReplyDelete
  2. Worked like a charm and Microsoft needs lots of "smoke and mirrors".....thanks!!!

    ReplyDelete
  3. I cannot change any value in adsiedit. How do you make write access to it?

    ReplyDelete
  4. make sure your account has security permissions to modify the object.

    ReplyDelete
  5. get-adobject -filter "objectcategory -eq 'computer'" -searchbase "ou=domain controllers,dc=contoso,dc=loc" -searchscope subtree -properties distinguishedname,useraccountcontrol|select distinguishedname,name,user
    accountcontrol|where {$_.useraccountcontrol -ne 532480}|%{set-adobject -identity $_.distinguishedname -replace @{useraccountcontrol=532480} -whatif}

    ReplyDelete