Author: rzomerman

  • Deleted DN's in attribute fields

    Let’s say an object in AD has an attribute that is a reference to another object based on DN. The targeted object is deleted, and the attribute field changes to the deleted object's CN, like: CN=nameADEL:ff920d6f-d823-4fff-9448-b645bd40d5e2,CN=Deleted Objects,DC=child,DC=ROOTDOMAIN,DC=LOCAL. Now when we try to clone that object to create a new object (for example, a user copy), the AD U&C…

  • Microsoft Certified Master: Windows 2008 – Directory

    !PASSED! As one of the first (now 27 worldwide), I can now call myself an MCM: Windows 2008 – Directory! Congrats to all others! The Microsoft Certified Master: Windows Server 2008, Active Directory program provides the most in-depth and comprehensive training that is available today for the latest version of Windows Server 2008 with a focus on Active Directory.…

  • Next RID number

    So let’s say you want to know how many objects are created on a domain controller, or you want to see when it’s receiving a new RID pool? Check out the RID Set: Set ObjRid = GetObject("LDAP://CN=RID Set,CN=DC01,OU=Domain Controllers,DC=fabrikam,DC=com"). It lists all the properties that the LOCAL! DC uses to hand out RID numbers. If the rIDPreviousAllocationPool and rIDAllocationPool…

  • Kerberos multiple hops

    You all remember the maximum of 2 hops for Kerberos, right? Well, in Microsoft land it works a little differently, and it is possible to create a multiple-tier Kerberos delegation structure. Basically we want the following to happen: Client->IIS1->IIS2->IIS3->IIS4, where all hops require Kerberos authentication. In this case, IIS1, IIS2 and IIS3…

  • Cross forest authentication

    Anyone installed a forest trust before? Probably, else you would not be reading this post. How does authentication work in a forest trust? Well, there are two authentication mechanisms in Windows, NTLM and Kerberos; both can be used in a forest trust, and both work differently. Setting it up brought me the following authentication schema.

  • Kerberos PAC validation

    http://support.microsoft.com/kb/906736 Basically, all Kerberos tickets in Windows have a PAC (that holds all the groups of the identity). If the resource that is accessed is NOT running under the system account (but as a user/service), the resource will issue a verification of the PAC at the nearest domain controller. That DC will verify the PAC load and…

  • Cross-forest Authenticate in VBS

    So the problem: all mailboxes of the users are migrated to a central Exchange server, coming from various Exchange 5.5/2003/2003 mail servers (contact me if you want to know how 🙂 ), and mailboxes were cloned. Now the client needs to be pointed to the new Exchange server, else Outlook will not work. The challenge,…

  • Improve Wireless security with Windows Home Server

    Wireless networks are always less protected than wired LANs since they do not require physical access to a cable inside the building. Enterprises use 802.1x security to strengthen the security of the wireless network. With Windows Home Server this is also possible. Prior to using the wireless network, users are requested to fill in their…