Identify Accounts with Kerberos Pre-Authentication Disabled (In the UI)

If you need a repeatable way to identify accounts with Kerberos pre-authentication disabled, you can do so in the AD Users and Computers UI (or in PowerShell, or LDP, or…). I personally use this UI a bit because you can configure it and leave it as a neat value-add in the customer's ADUC console…


Auditing Group Policy changes

Hi there, it’s Jimmy from the Canberra office on managing and detecting changes to Group Policy. In this post I’m planning on discussing Group Policy, the Advanced Group Policy Management (AGPM) tool, and tracking/auditing changes to Group Policy. This post is written with Windows Server 2008 R2 in mind, but the concepts translate to other releases. Background…


Un-Hosting & Re-Hosting Active Directory Partitions

This technique allows you to "re-host" a partition on an Active Directory domain controller without dumping all the other read-only partitions (as you would by simply un-checking the global catalog option). It saves time and replication traffic, and reduces the impact on your domain controller in cases where you believe you have invalid data hosted…


Granular Active Directory replication for advanced troubleshooting scenarios

This post introduces an advanced feature of repadmin.exe that allows us to initiate replication between domain controllers that do not share a connection object. This is useful when you need to predict where a domain controller will replicate from. Think of any scenario where you know you have a 'good' copy of a naming…


Active Directory Replication: Change Notification & You

**UPDATE: One of our readers has kindly pointed out the correct intra-site replication interval of 15 seconds – Jimmy** 'Normal' Active Directory replication occurs almost immediately between replication partners in the same site (15 seconds after the change is made). 'Normal replication' between different sites (say Canberra and Dallas) occurs per schedule, with the smallest configurable…


Kerberos Troubleshooting

There is an amazing white paper published on this topic, available here: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=21820. If you really want to have a good mess about with Kerberos, it is the important white paper to read. The purpose of this post is to record my notes taken from the white paper and tested in a lab. I find it…


Identify the ISTGs

To locate the ISTG role holders for all sites: click Start, click Run, type Ldp, and then click OK. On the Connection menu, click Connect. In the Connect dialog box, leave the Server box empty. In Port, type 389, and then click OK. On the Connection menu, click Bind. In the Bind dialog box, provide…


Dumping the AD Database

A good way to gain understanding of the way AD works is to take a look inside the database. To achieve this:

1. Start Ldp.exe on the domain controller.
2. Connect to localhost, and then bind as an administrator.
3. Click Browse > Modify from the menu at the top.
4. Edit…


Auditing Improvements

There are big improvements from 2003 to 2008 in the level of granularity and also in the detail. For example, audit logs can now record old and new values. To view the list of audit categories: "auditpol /list /subcategory:*". To view the current configuration: "auditpol /get /category:*". Subcategory descriptions: http://support.microsoft.com/kb/947226. Win 2k8 has Last Interactive Logon tracking, where a…
