When a user establishes a Remote Desktop connection to the server, that session remains active until the user selects “Log Off” from the Start Menu. As such, if a user simply closes the Remote Desktop window when they are finished with the server, their session remains logged on in a disconnected state and still counts against the session limit.
The software running on the server to facilitate the Remote Desktop connection allows up to two simultaneous administrative sessions.
If a third attempt is made to log in to the server, the error discussed here is shown to the user, and they are unable to complete the login process.
To get around this error and log in to the server, you can log in to a special session called the Console Session and log off the other connections from there.
To do this, simply type the following in Start -> Run or a Command Prompt:
mstsc /v:00.00.00.00 /admin
or
mstsc /v:00.00.00.00 /console
Replace 00.00.00.00 with your server’s IP Address.
Alternatively, you can modify the Remote Desktop shortcut itself:
For Windows Vista/7:
Click Start, type Remote Desktop. Right-click the shortcut and click Properties.
In the target field paste the following command:
For Windows XP:
Click Start, go to All Programs > Accessories > Communications, right-click Remote Desktop Connection and click Properties.
In the target field paste the following command:
Click OK to save the change.
Now type in the IP address of your server and you should be able to log in via the console session.
query session /server:RZ2ADM002
reset session 2 /server:fk-apps-01 /V
query session lists the sessions on the given server together with their IDs; reset session ends the session with the given ID (here 2) on the given server (here fk-apps-01), and /V reports the actions performed.
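The following PowerShell is an added example, not code from the original page: it parses the text that query session prints, picks out disconnected user sessions (the ones that keep an administrative slot occupied after someone just closed the window), and builds the matching reset session command without running it. The sample output, the server name fk-apps-01 and the user names are constructed placeholders; the column layout follows the query session format shown above.

```powershell
# Added example (not from the original page): parse `query session /server:<name>`
# output and list the disconnected (Disc) user sessions that still hold one of
# the two administrative RDP slots. Server and user names are placeholders.

function ConvertFrom-QuerySession {
    param([Parameter(Mandatory)] [string[]] $Lines)

    $header = $Lines | Where-Object { $_ -match 'SESSIONNAME\s+USERNAME' } | Select-Object -First 1
    if (-not $header) { throw 'query session header line not found' }
    # The layout is positional: column 0 holds the ">" current-session marker,
    # SESSIONNAME follows, and USERNAME starts at a fixed column. Anything left
    # of the USERNAME column is the session name (possibly blank); the rest is
    # "[USERNAME] ID STATE [TYPE] [DEVICE]", where ID is always numeric.
    $userCol = $header.IndexOf('USERNAME')

    foreach ($line in $Lines) {
        if ($line -eq $header -or $line.Length -le $userCol) { continue }
        $session = $line.Substring(1, $userCol - 1).Trim()
        $tokens  = $line.Substring($userCol).Trim() -split '\s+'
        if ($tokens[0] -match '^\d+$') { $user = ''; $idIdx = 0 } else { $user = $tokens[0]; $idIdx = 1 }
        if ($tokens.Count -le $idIdx + 1 -or $tokens[$idIdx] -notmatch '^\d+$') { continue }
        [pscustomobject]@{
            Session = $session
            User    = $user
            Id      = [int]$tokens[$idIdx]
            State   = $tokens[$idIdx + 1]
        }
    }
}

function Get-DisconnectedSession {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [Parameter(Mandatory)] [string] $Server
    )
    # Only user sessions in state Disc matter; the "services" session has no
    # user and must be left alone.
    ConvertFrom-QuerySession -Lines $Lines |
        Where-Object { $_.State -eq 'Disc' -and $_.User } |
        ForEach-Object {
            [pscustomobject]@{
                User    = $_.User
                Id      = $_.Id
                # The reset command from the notes above, built but not executed.
                Command = "reset session $($_.Id) /server:$Server /V"
            }
        }
}

# Constructed sample, laid out the way query session prints it.
# For a live server use:  $lines = query session /server:fk-apps-01
$sampleText = @'
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
 console                                     1  Conn    wdcon
>rdp-tcp#3         adm_smith                 2  Active  rdpwd
                   adm_jones                 3  Disc    rdpwd
 rdp-tcp                                 65536  Listen  rdpwd
'@
$lines = $sampleText -split "`r?`n"

Get-DisconnectedSession -Lines $lines -Server 'fk-apps-01' | Format-Table -AutoSize
# Lists adm_jones (Id 3) with: reset session 3 /server:fk-apps-01 /V
```

Reviewing the list before resetting matters: a disconnected session may still be running an installer or a long job, and reset session ends it without saving anything, so confirm with the session owner first.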
DCDiag /c /v /e /fix /f:c:\DCDIAG.Log
Run a comprehensive test against all DCs in the forest with verbose logging
DCDiag Replication Related tests:
Check Secure Channel
Verifies Secure Channel
Check computer site (also checks secure channel)
Klist -li 0x3e7
List Kerberos tickets for machine account
Shows replication rpc ports
Run against port 135 to see mapped RPC ports.
Repadmin /SyncAll /A /e /P
Force a full forest replication synchronization of all partitions “pushing” changes out from the DC the command is run on.
Repadmin /options *
Check to see if any DC is misconfigured (Options)
Forest wide replication health check
Repadmin /kcc *
Forces KCC to run on all DCs
Repadmin /kcc /site:SITENAME
Forces KCC to run on all DCs in specified site
repadmin /removelingeringobjects ServerName ServerGUID DirectoryPartition /advisory_mode
Check RPC connectivity
NOTE: If LinkValueReplication=NO, then it’s Windows 2000 Forest Functional Mode.
Repadmin /queue <DCNAME>
See replication queue
Or Perf counter: NTDS_DRA Pending Replication Synchronizations
Repadmin /showrepl /v
Information about replication partners – shows NEVER replicated DCs
Information about NC Up-to-dateness Vector
Information about connection objects
Shows InvocationID & Retired InvIDs
Repadmin /siteoptions SERVERNAME /site:SITENAME +Win2k3_Bridges_Required
When Bridge All Site Links (BASL) is disabled, this site option configures Intersite Messaging to build the intersite cost matrix, which DFS uses for site costing.
See AD object history
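The following PowerShell is an added example, not code from the original page: it turns the CSV form of the Repadmin /showrepl output listed above into objects and flags inbound partners that are failing or have not replicated within a window, including partners that have NEVER replicated. The CSV sample is constructed; the DC names, site names, timestamps and status codes are placeholders. The column names are the ones in repadmin's CSV header, and treating "0" or a blank Last Success Time as "never replicated" is an assumption.

```powershell
# Added example (not from the original page): turn `repadmin /showrepl * /csv`
# output into objects and flag inbound replication links that are failing or
# stale. Sample data is constructed; names and timestamps are placeholders.

function Get-ReplicationProblem {
    param(
        [Parameter(Mandatory)] [string] $Csv,   # raw text of: repadmin /showrepl * /csv
        [int] $MaxAgeHours = 24,                 # flag links with no success inside this window
        [datetime] $Now = (Get-Date)             # reference time, overridable for samples
    )
    $Csv -split "`r?`n" | Where-Object { $_.Trim() } | ConvertFrom-Csv | ForEach-Object {
        $failures = [int]$_.'Number of Failures'
        $lastOk   = $_.'Last Success Time'
        # Assumption: repadmin writes "0" (or nothing) when the link never succeeded.
        $never    = [string]::IsNullOrWhiteSpace($lastOk) -or $lastOk -eq '0'
        if ($never) { $age = [double]::PositiveInfinity } else { $age = ($Now - [datetime]$lastOk).TotalHours }

        if ($failures -gt 0 -or $age -gt $MaxAgeHours) {
            $reason = @()
            if ($failures -gt 0) { $reason += "$failures consecutive failures (last status $($_.'Last Failure Status'))" }
            if ($never) { $reason += 'never replicated' }
            elseif ($age -gt $MaxAgeHours) { $reason += "last success $([math]::Round($age, 1)) h ago" }
            [pscustomobject]@{
                Destination = $_.'Destination DSA'
                Source      = $_.'Source DSA'
                Partition   = $_.'Naming Context'
                Reason      = $reason -join '; '
            }
        }
    }
}

# Constructed sample in the layout of repadmin's CSV output.
# For live data use:  $csv = repadmin /showrepl * /csv | Out-String
$sampleCsv = @'
"showrepl_COLUMNS","Destination DSA Site","Destination DSA","Naming Context","Source DSA Site","Source DSA","Transport Type","Number of Failures","Last Failure Time","Last Success Time","Last Failure Status"
"showrepl_INFO","London","LON-DC01","DC=test,DC=net","London","LON-DC02","RPC","0","0","2024-03-10 08:15:02","0"
"showrepl_INFO","London","LON-DC01","DC=test,DC=net","Paris","PAR-DC01","RPC","12","2024-03-10 07:50:11","2024-03-08 22:04:40","1722"
"showrepl_INFO","London","LON-DC01","CN=Configuration,DC=test,DC=net","Berlin","BER-DC01","RPC","0","0","0","0"
'@

Get-ReplicationProblem -Csv $sampleCsv -Now ([datetime]'2024-03-10 09:00:00') | Format-Table -AutoSize
# Flags PAR-DC01 (12 failures, about 35 h since last success) and BER-DC01 (never
# replicated); the LON-DC02 link is healthy and is not listed.
```

A link that has never replicated is the case to chase first: a partner that is permanently unreachable is how lingering objects arise, which is what the /removelingeringobjects command above is for.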
Active Directory Common Ports Used:
| Port | Service |
|---|---|
| 135 | RPC Endpoint Mapper |
| 464 | Kerberos Change Password |
| 3269 | Global Catalog (SSL) |
| 9389 | ADWS (AD PowerShell) |
Windows Server 2008 (and newer) DCs use the IANA dynamic RPC port range: 49152 – 65535
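The following PowerShell is an added example, not code from the original page: it checks from a member server that the ports in the table above answer on a domain controller, using a raw TCP connect with a short timeout rather than Test-NetConnection (which has no timeout parameter and waits a long time on filtered ports). The DC name dc01.test.net is a placeholder. Ports in the dynamic RPC range are assigned at run time, so only the endpoint mapper on 135 can be tested ahead of time; the firewall must still allow the whole 49152-65535 range.

```powershell
# Added example (not from the original page): verify that the common AD ports
# from the table above are reachable on a DC. dc01.test.net is a placeholder.

$adPorts = [ordered]@{
    135  = 'RPC Endpoint Mapper'
    464  = 'Kerberos Change Password'
    3269 = 'Global Catalog (SSL)'
    9389 = 'ADWS (AD PowerShell)'
}

function Test-AdPort {
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [System.Collections.IDictionary] $Ports = $adPorts,
        [int] $TimeoutMs = 2000   # a filtered port would otherwise block for the full TCP timeout
    )
    foreach ($port in $Ports.Keys) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($DomainController, [int]$port, $null, $null)
            # WaitOne returns $false on timeout; Connected is $false when the port refused.
            $open  = $async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected
        } catch {
            $open = $false   # e.g. name resolution failure
        } finally {
            $client.Close()
        }
        [pscustomobject]@{
            DC      = $DomainController
            Port    = [int]$port
            Service = $Ports[$port]
            Open    = [bool]$open
        }
    }
}

Test-AdPort -DomainController 'dc01.test.net' | Format-Table -AutoSize
```

A closed 135 with an open 3269 usually points at a firewall rule rather than a down DC; a closed 9389 only breaks the AD PowerShell module and ADAC, not authentication.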
-DatabasePath "C:\Windows\NTDS" `
-DomainMode "Win2012" `
-DomainName "test.net" `
-DomainNetbiosName "test" `
-ForestMode "Win2012" `
-LogPath "C:\Windows\NTDS" `
-SysvolPath "C:\Windows\SYSVOL" `
the system reboot or user logoff is impossible for production reasons. At the same time, you need the new rights or access, or need to apply new policies, right now. It is possible to update an account's membership in Active Directory groups without restarting the computer or having the user log on again.
You can get the list of groups the current user is a member of in the command prompt using the following command:
The groups the user is a member of are listed in the section “The user is a part of the following security groups”.
Kerberos tickets can be reset without restarting the computer using klist.exe. Klist has been included in Windows since Windows 7; for Windows XP and Windows Server 2003 it is installed as part of the Windows Server 2003 Resource Kit Tools.
To reset the entire Kerberos ticket cache of the computer (the local system account) and update the computer's membership in AD groups, run the following command in a command prompt with administrator privileges:
klist -lh 0 -li 0x3e7 purge
After running the command and updating the policies, all policies assigned to the AD group through Security Filtering will be applied to the computer.
As for the user: suppose the user's domain account has been added to an Active Directory group that grants access to a file share. Obviously, without logging on again the user won't be able to access it.
Reset all Kerberos tickets of the user with this command:
To see the updated list of groups, open a new command prompt window using runas, so that a new process is created with a new security token.
For example, the user has been added to an AD group that grants access to a network share. Try to access it using its FQDN (e. g., \\lon-fs1.woshub.loc\Install) and make sure that the TGT ticket has been updated:
The network share granted through the AD group will open without the user logging on again (note: you must use the FQDN).
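The following PowerShell is an added example, not code from the original page: it parses klist output so you can verify the "TGT has been updated" step above mechanically (a TGT issued after the purge time means the KDC handed out a new ticket with the new group membership), and it lists the groups in the current process token to show why a new runas window is needed before the token changes. The klist sample is constructed; the user jsmith, the KDC lon-dc01.woshub.loc and the timestamps are placeholders, while the line labels follow klist's text format. The purge itself is not executed here.

```powershell
# Added example (not from the original page): parse `klist` output and check that
# the TGT was issued after `klist purge` was run. Sample output is constructed;
# user, KDC and times are placeholders.

function ConvertFrom-Klist {
    param([Parameter(Mandatory)] [string[]] $Lines)
    $tickets = @()
    $t = $null
    foreach ($line in $Lines) {
        # Each ticket starts with "#<n>>  Client: ..."; following indented lines belong to it.
        if ($line -match '^#\d+>\s+Client:\s*(.+)$') {
            $t = [pscustomobject]@{ Client = $Matches[1].Trim(); Server = ''; Start = $null; End = $null }
            $tickets += $t
        }
        elseif ($null -ne $t -and $line -match '^\s*Server:\s*(.+)$')                 { $t.Server = $Matches[1].Trim() }
        elseif ($null -ne $t -and $line -match '^\s*Start Time:\s*(.+?)\s*\(local\)') { $t.Start  = [datetime]$Matches[1] }
        elseif ($null -ne $t -and $line -match '^\s*End Time:\s*(.+?)\s*\(local\)')   { $t.End    = [datetime]$Matches[1] }
    }
    $tickets
}

function Test-TgtRefreshed {
    param(
        [Parameter(Mandatory)] [string[]] $KlistLines,
        [Parameter(Mandatory)] [datetime] $PurgedAt   # when `klist purge` was run
    )
    # The TGT is the ticket whose service is krbtgt/<REALM>.
    $tgt = ConvertFrom-Klist -Lines $KlistLines | Where-Object { $_.Server -like 'krbtgt/*' } | Select-Object -First 1
    if ($null -eq $tgt) {
        return [pscustomobject]@{ Refreshed = $false; Detail = 'no TGT cached yet; access a resource by FQDN to obtain a new one' }
    }
    [pscustomobject]@{
        Refreshed = ($tgt.Start -ge $PurgedAt)
        Detail    = "TGT $($tgt.Server) issued $($tgt.Start), expires $($tgt.End)"
    }
}

function Get-TokenGroup {
    # Groups in the *current* process token. The token is built at logon, so the
    # list only changes in a process started under a new logon session (runas).
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }   # logon SIDs and deleted groups do not resolve
    }
}

# Constructed sample in klist's text layout (two tickets: the TGT and a CIFS ticket).
$sampleKlist = @'
Current LogonId is 0:0x2f4c1

Cached Tickets: (2)

#0>     Client: jsmith @ WOSHUB.LOC
        Server: krbtgt/WOSHUB.LOC @ WOSHUB.LOC
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 3/10/2024 8:05:12 (local)
        End Time:   3/10/2024 18:05:12 (local)
        Renew Time: 3/17/2024 8:05:12 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: lon-dc01.woshub.loc

#1>     Client: jsmith @ WOSHUB.LOC
        Server: cifs/lon-fs1.woshub.loc @ WOSHUB.LOC
        Start Time: 3/10/2024 8:05:20 (local)
        End Time:   3/10/2024 18:05:12 (local)
        Kdc Called: lon-dc01.woshub.loc
'@
$klistLines = $sampleKlist -split "`r?`n"

Test-TgtRefreshed -KlistLines $klistLines -PurgedAt ([datetime]'3/10/2024 8:00:00')
# Refreshed = True: the TGT start time (08:05:12) is after the purge time.
# Live use:  Test-TgtRefreshed -KlistLines (klist) -PurgedAt $purgeTime
```

Run Get-TokenGroup in the original window and again in the runas window: the new group appears only in the second, which is the behaviour the text above describes. Accessing the share by FQDN matters because that is what makes the client request a Kerberos service ticket (cifs/<fqdn>) with the refreshed TGT; the ticket for lon-fs1 in the sample is that request's result.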