Canberra Premier Field Engineering: Team Blog

Technical notes from Canberra's team of Microsoft Field Engineers.

  • Blog Post: Identify Accounts with Kerberos Pre-Authentication Disabled (In the UI)

    If you need a repeatable way to identify accounts with Kerberos pre-authentication disabled, you can do so in the AD Users and Computers UI. (Or PowerShell, or LDP or... ). I personally use this UI a bit because you can configure it and leave it as a neat value add for the customer's ADUC console after...
  • Blog Post: Auditing Group Policy changes

    Hi there, it's Jimmy from the Canberra office on managing and detecting changes to Group Policy. In this post I'm planning on discussing Group Policy, the Advanced Group Policy Management (AGPM) tool, and tracking/auditing changes to Group Policy. This post is written with Windows Server 2008 R2 in mind...
  • Blog Post: Un-Hosting & Re-Hosting Active Directory Partitions

    This technique allows you to "re-host" a partition on an Active Directory domain controller without dumping all the other read only partitions (like you would by simply un-checking the global catalog option). It saves time, replication traffic and reduces the impact on your domain controller in cases...
  • Blog Post: Granular Active Directory replication for advanced troubleshooting scenarios

    This post introduces an advanced functionality of repadmin.exe which allows us to initiate replication between domain controllers that do not share a connection object. This is useful when you need to be able to predict where a domain controller will replicate from. Think of any scenario where you know...
  • Blog Post: Active Directory Replication: Change Notification & You

    'Normal' Active Directory replication occurs almost immediately between replication partners in the same site (5 seconds after the change is made). 'Normal' replication between different sites (say Canberra and Dallas) occurs per schedule with the smallest configurable value being 15 minutes. This post...
  • Blog Post: Kerberos Troubleshooting

    There is an amazing white paper published on this topic which is available here: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=21820 . If you really want to have a good mess about with Kerberos, it is the important white paper to read. The purpose of this post is to record...
  • Blog Post: Create a quick 100 users with PowerShell

    1..100 | ForEach { Net User "TestUser$_" Password1 /ADD /Domain }
  • Blog Post: Identify the ISTG's

    To locate the ISTG role holders for all sites: Click Start, click Run, type Ldp, and then click OK. On the Connection menu, click Connect. In the Connect dialog box, leave the Server box empty. In Port, type 389, and then click OK. On the Connection menu, click Bind. In the...
  • Blog Post: Dumping the AD Database

    A good way to gain an understanding of the way AD works is to take a look inside the database. To achieve this: 1. Start Ldp.exe on the domain controller 2. Connect to local host, and then bind as an administrator. 3. Click Browse > Modify in the menu at the top. 4. Edit Attribute...
  • Blog Post: Auditing Improvements

    Big improvements from 2003 to 2008 in the level of granularity and also the detail. For example, audit logs can tell old and new values now. To view the list of audit categories: "auditpol /list /subcategory:*" To view the current configuration: "auditpol /get /category:*"...
  • Blog Post: Testing the DcLocator Process

    DcLocator calling the DsGetDcName function: NLTEST /DSGETDC:contoso.com http://msdn.microsoft.com/en-us/library/ms675983%28VS.85%29.aspx DcLocator calling the DsGetDcOpen function: NLTEST /DNSGETDC:contoso.com http://msdn.microsoft.com/en-us/library/ms675985%28VS.85%29.aspx...
  • Blog Post: Multiple Domain Controllers in a site with a RODC

    Generally a RODC is designed for sites where physical security is an issue, so placing a RWDC in the same site may not be ideal. But there are situations where it would work. For example, a logical site might span two physical locations that are very well connected (one secure, one not secure) and administrators...
  • Blog Post: Adding attributes to the RODC Filtered Attribute Set

    To add an attribute to the Filtered Attribute Set (the stuff that won't replicate to a RODC) you first need to know what the existing value of searchFlags is. For this example, working with the “drink” attribute of the user class. Goodness knows we can't risk having the drink attribute...
  • Blog Post: Forest Functional Levels - What you get

    Windows 2000 Default AD Features Windows 2003 - Forest Trusts - Domain Rename - Link Valued Replication - RODC (Requires a full 2008 + RWDC in the Forest) - Improved KCC algorithms - Improved ISTG algorithms - Inetorg can be converted to User, and vice versa - AZMAN and...
  • Blog Post: Domain Functional Levels - What you Get

    Windows 2000 Native: - Universal Groups - Group Nesting - Group Conversion between security and distribution - SID History Windows 2003: - Rename domain controllers (NETDOM.exe) - LastLogonTime attribute is replicated - UserPassword attribute can be set as effective password on...
  • Blog Post: Group Policy Notes

    Where to look for policies that have been applied to the user and computer: Computer: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History User: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\History Group Policy Preferences vs Group...
  • Blog Post: Kerberos Delegation Lab

    If you want to mess around with Kerberos delegation but don't want to install any heavy multi-tiered application, this lab setup might be what you are looking for. The basic overview diagram looks like this: On WFE01 (web front end 01) I installed the basic IIS setup. Then on the default website...
  • Blog Post: Kerberos Notes

    Kerberos is not a Microsoft technology, it was developed by MIT and documented as RFC 1510 (1510 is Kerberos Version 5). With that in mind, some quick notes on what changed between Kerberos popping up in Windows 2000 and Windows 2003. 2 Key extensions - Protocol Transition and Constrained Delegation...
  • Blog Post: "Preparing Network Connections" - Domain Controller in a Lab

    If you get yourself into trouble with DNS on a domain controller you might sit on the "Preparing Network Connections..." screen for quite some time. By making a mess I mean: you have a DC pointing to a DNS server that is down (with no alternate), or maybe you modify the domain controller's IP address without...
  • Blog Post: 2003 Branch Office Deployment Guide

    The 2003 version of the Branch Office Deployment Guide (BODG) is brilliant. It takes you through an entire large-scale Active Directory deployment that you can set up in a lab. It has step-by-step instructions along the way which leave you with a fully functional and reasonably complex AD play pen when...