Category: Active Directory

  • Cross Forest Authentication part 2 – Creating trusts

    In part of the forest authentication blog post, we’ve seen that a particular path is used depending on Kerberos or NTLM authentication. We’ve also seen that domain controllers rely on other domain controllers of the forest to find the right domain (and thus object in the AD). The question now is, which domain controller…

  • FIM RC1 U3 and admin rights

    So I tried to install the FIM RC (u3) in a demo environment, and what a hush hush was that.. My setup was fairly easy, all (except SQL) on a single box.. of course reading is not my best skill, but the install went fine.. and the portal was ready for the administrator account (installed it…

  • Query AD for information

    So.. been busy lately.. but here’s a new topic.. Windows 2008? R2? Kerberos? No.. it’s scripting.. I had a customer who wanted to extract information from AD by a custom application. Of course we could open port 389 and have them extract the info.. but perhaps it would be easier to just query the Global Catalog…

  • New Active Directory 2008 Forest Recovery Documentation

    So you have implemented Active Directory 2008.. I hope you did some investigation in backup/restore and of course you must update your disaster recovery documentation now.. to help you on your way Microsoft has released a new whitepaper on Forest Recovery for Windows 2008… read before and while fixing your AD.. (preferably before) http://www.microsoft.com/downloads/details.aspx?familyid=326C8A7A-DCAD-4333-9050-A6303FF3155C&displaylang=en

  • Administrator Lock-out?

    As many may have seen, the Administrator account has some special privileges. It can log on to a workstation/server when no Global Catalog is available and it can always log on. Well, it seems that “always” is not entirely true. Just like a regular account, the Administrator account gets locked when the password attempts reach the limit as…

  • Windows 2008 SystemStateBackup

    With the release of Windows 2008, the backup mechanism of Windows has also changed. No more NTBackup, but Windows backup, available to your 2008 system as a feature. Also part of that feature is the systemstate backup, you know the one that is utterly important to restore Domain Controllers. Now the GUI will not let…

  • Did you install Exchange?

    Lots of us install Exchange (whatever version) in our infrastructure.. do you know what Exchange does to your Active Directory.. make a statement order the shirt 😉 Link

  • Default Logon Domain

    When you use Windows 7, Windows 2008 R2 or Vista / Windows 2008 you almost always have to type the domain name during logon.. e.g. type your username as ROOTDOMAIN\User… annoying: yes.. go to the following group policy to specify the default domain logon: Computer\Administrative Templates\System\Logon\Assign a default domain for logon and set your default logon…

  • Windows 2008R2 features part IV: Managed Service Accounts & Password Reset's

    So we have deployed the Managed Service Accounts, and now we want a password policy set on them.. usually the service accounts have a different password policy set, so most of you will probably use PSOs (Password Settings Objects). In my demo I’ve set a new policy stating that the max age of a password…

  • Windows 2008R2 features part III: Managed Service Accounts

    Password policies can help administrators secure their environment. Letting users change their passwords on a regular basis makes it harder for hackers to get into a system by guessing a password. There is one group of accounts, though, that usually does not have the password policy applied.. they almost never change their password and…

  • Windows 2008 Features (DFSRMIG)

    The introduction of Windows 2008 brought us the famous Read-Only domain controller, the domain controller without passwords (unless explicitly approved) and one-way replication. That one-way replication also applied to the SYSVOL share. Sysvol is replicated by either FRS or DFSR depending on the initial setup of the domain. If you have upgraded your domain…

  • Windows 2008R2 features part II: Recycle Bin

    Windows 2008 R2 Active Directory introduces the Recycle Bin option. If you deployed Windows 2008 R2 or upgraded your domain to the Windows 2008 R2 schema and you think the recycle bin is active, you are wrong. You have to specifically enable the recycle bin feature. So upgrade your forest level and run the following command…