Category: Active Directory

certificate

Certificate Autoenrollment Failed on Domain Controllers

Introduction Just a short blog post about troubleshooting existing certificate services within the Active Directory domain. In this case the domain controllers were not able to renew their certificates through autoenrollment. In the meantime the existing certs had already expired, so LDAPS was no longer available. A group of servers had no trouble updating their certs,

Sysadmin

From the field: RPC client authentication breaks SID translation

SID translation problems Weird things can happen if something goes wrong with the RPC protocol, whether it’s related to network traffic being blocked by a firewall (yes, I’m talking to you, ephemeral ports) or just because the name resolution contains numerous configuration errors. Recently I was asked to troubleshoot SID translation problems over a forest trust. The

upgrade

Upgrade Your Active Directory and Domain Controllers the Safe Way

Introduction There are several good guides on the internet about upgrading your Active Directory forest, domains and domain controllers to Windows Server 2012 R2. I’d like to give you my strategy on this subject. It’s not wrong to add new domain controllers to your 2003/2008 domain, transfer the FSMO roles and demote the 2003/2008 DCs,

Security Breach

Active Directory checks you should run on a regular basis

The following PowerShell cmdlets will help you identify user accounts in your Active Directory environment that have settings configured that are a joy for hackers. My advice is to schedule the cmdlets or put them in a script to automate the process. Pipe the output to the Export-Csv cmdlet to create a usable list. For example  |

kerberos

Illegal cross-realm Ticket and the Rejected Authentication by Kerberos

Introduction Finally I have found some time to write this blog post in detail. It took place last year, somewhere around October and November, so here we go! The other day I received some complaints about not being able to access a CIFS share on the network. Several users acknowledged this; they got the Windows authentication

powershell

DNS Zone Recovery using Powershell

In case you’ve accidentally deleted a DNS zone, it’s good to know how to recover ASAP and get the deleted zone back in your production environment. I’m using a DNS zone export as a backup of the zone that has been deleted. We admins are lazy, so this is the most convenient way to recover a

testing

Create “Hidden” Active Directory Site for Application Testing Purposes

One of the biggest challenges in Active Directory domain controller upgrades is the application member servers, specifically the ones that make use of Active Directory authentication (LDAP). We all know the legacy applications within the organization: they’re still running after ten or more years, nobody knows anything about them, there isn’t any documentation left, but

users

How To Get a List of Specified Users and Their Group Membership From Active Directory

Once in a while someone at your company asks you if you can deliver a list of users who are members of administration groups within your Active Directory environment. We want to restrict admin access to a minimum, so it’s good to know who the lucky ones are and who slipped through. 😉
