Tag: ACTIVEDIRECTORY

  • Cross Forest Authentication part 2 – Creating trusts

    In part 1 of the forest authentication blog post, we’ve seen that a particular path is used depending on Kerberos or NTLM authentication. We’ve also seen that domain controllers rely on other domain controllers of the forest to find the right domain (and thus the object in AD). The question now is, which domain controller…

  • Query AD for information

    So.. been busy lately.. but here’s a new topic.. Windows 2008? R2? Kerberos? No.. it’s scripting.. I had a customer who wanted to extract information from AD with a custom application. Of course we could open port 389 and have them extract the info.. but perhaps it would be easier to just query the Global Catalog…

  • Delegate the right to start/stop replication

    Let’s say you want to isolate a domain controller for a certain time; you would issue the command repadmin /options +DISABLE_INBOUND_REPL and/or +DISABLE_OUTBOUND_REPL. Normally this command requires Domain Admin/Enterprise Admin privileges. Why, and how to change that, below.. first the usual warnings: playing with ADSIEDIT could damage your domain, please test everything in a lab…

  • Repadmin /expert

    Repadmin is the tool used to troubleshoot replication in an Active Directory forest.. commands like repadmin /replsum (to view the replication summary) or repadmin /showutdvec (to view the USN per domain controller).. are common commands.. it gets tougher when we want to create or modify links during troubleshooting.. then we use /add to add replication links between…

  • Next RID number

    So let’s say you want to know how many objects are created on a domain controller, or you want to see when it’s receiving a new RID pool? Check out the RID Set: Set ObjRid = GetObject("LDAP://CN=RID Set,CN=DC01,OU=Domain Controllers,DC=fabrikam,DC=com") lists all the properties that the LOCAL! DC uses to hand out RID numbers.. if the rIDPreviousAllocationPool and rIDAllocationPool…

  • Kerberos multiple hops

    You all remember the maximum 2 hops for Kerberos, right.. well, in Microsoft land it works a little differently and it is possible to create a multi-tier Kerberos delegation structure. Basically we want the following to happen: Client->IIS1->IIS2->IIS3->IIS4, where all hops require Kerberos authentication. In this case, IIS1, IIS2 and IIS3…

  • Cross forest authentication

    Anyone installed a forest trust before? Probably, else you would not be reading this post.. how does authentication work in a forest trust? Well, there are two authentication mechanisms in Windows, NTLM and Kerberos; both can be used in a forest trust, and both work differently. Setting it up brought me the following authentication schema..

  • Kerberos PAC validation

    http://support.microsoft.com/kb/906736 – basically, all Kerberos tickets in Windows have a PAC (that holds all the groups of the identity). If the resource that is accessed is NOT running under the system account (but a user/service account), the resource will issue a verification of the PAC at the nearest domain controller. That DC will verify the PAC load and…

  • Cross-forest Authenticate in VBS

    So the problem: all mailboxes of the users are migrated to a central Exchange server, coming from various Exchange 5.5/2003/2003 mail servers (contact me if you want to know how 🙂), and mailboxes were cloned.. now the client needs to be pointed to the new Exchange server, else Outlook will not work. The challenge,…