Online memory of an Active Directory PFE
An Active Directory Blog
A Domain Controller is not a Domain Computer
Today I spent half a day troubleshooting an issue with Authentication Silos that I finally tracked...
Date: 12/10/2018
What's new in Active Directory 2019? Nothing.
OK, so there is not precisely "nothing" new in AD 2019, but as a management summary it will do....
Date: 12/02/2018
Quickly find potential Kerberoast victims
Lately I have been talking a lot about the Kerberoast exploit with my customers. Before I dive in...
Date: 04/25/2018
Logging on to Azure for your everyday job
Sometimes life is about the little things, and one little thing that has been bothering me is...
Date: 02/11/2018
Azure Batch for the IT Pro - Part 2
This is the second and final part of a blog series with a walkthrough for Azure Batch. The first...
Date: 01/12/2018
Azure Batch for the IT Pro - Part 1
I spent some time working with Azure Batch for a customer, and what struck me was that it was not so...
Date: 01/12/2018
Download the original Active Directory Branch Office Deployment Guide
During the great Windows Server 2003 content purge on TechNet in the summer of 2016 a lot of...
Date: 01/09/2018
Get-UniqueString: generate unique ID for Azure Deployments
When deploying resources to Azure, you sometimes need to generate a world-wide unique name. Examples...
Date: 12/23/2017
Best practices for a stable AGPM deployment
Over the years I have worked a lot with Advanced Group Policy Management (AGPM), our solution for...
Date: 12/11/2017
Do you have plaintext passwords in your Azure deployments?
If you are developing deployments for Azure you will encounter situations where you need to use...
Date: 12/02/2017
Azure Quickstart Template: create forest with one or two domains
A lot has happened in the Azure world since I last published this short series on deploying an...
Date: 11/29/2017
Check your DNS for WINS lookup -- then get rid of it
It is surprisingly often that I encounter customers who have a WINS dependency in an odd place: in...
Date: 11/02/2017
The Active Directory 2016 PAM Trust: how it works, and why it should come with a safety advisory
We have long been working on increasing security in the design and operations of Active Directory....
Date: 06/19/2017
PKI: which templates are built-in and which are from my company?
A colleague asked me a question on behalf of his customer. They were doing a discovery in a rather...
Date: 05/24/2017
PKI: which templates are published where?
Windows Server has two kinds of Certificate Authorities: Standalone and Enterprise. This strangely...
Date: 05/23/2017
The well-known SID -1000
It is not every day that you discover a new well-known SID, but today I got mine. I know... if I...
Date: 04/27/2017
Get rid of accounts that use Kerberos Unconstrained Delegation
Suppose you are managing an enterprise Active Directory. You will have people at your desk that need...
Date: 04/18/2017
Find missing SPN registrations
Active Directory admins are probably well aware of how Kerberos works. If you need a little...
Date: 03/19/2017
Azure Template to deploy a forest with two domains, Part 3 -- visualizing the template
This is part 3 in a series about writing a complex Azure ARM template. This is the full list: Part...
Date: 03/06/2017
Azure template to deploy a forest with two domains, Part 2 -- understanding the template structure
This is the second blog in a 3-part series. This is all of them: Part 1: using the template Part 2:...
Date: 02/28/2017
Azure template to deploy a forest with two domains, part 1 -- using the template
This is Part 1 in a series. This is the whole series: Part 1: using the template Part 2:...
Date: 02/16/2017
Why you can still have duplicate SPNs in AD 2012 R2 and AD 2016
As an AD admin you are probably familiar with the problem of duplicate Service Principal Name (SPN)...
Date: 02/08/2017
Uniqueness requirements for attributes and objects in Active Directory
If you are involved in writing or using provisioning code for Active Directory you will be aware of...
Date: 02/03/2017
GPMC slow to start? GPO reports failing? You may be missing an index.
See if you recognize this: You have lots of OUs in the domain. At least a couple of thousand. Group...
Date: 11/25/2016
LDAP query prettifier
For some reason I have spent a lot of time looking at LDAP queries in the last few weeks. The simple...
Date: 11/24/2016
How admins can cheat at changing their password
Here is a little known trick that you can do if you have AD permissions to manage your own account:...
Date: 11/04/2016
Hotfix 2 for AGPM 4.0 SP3 allows you to keep custom Read permissions
We released a silent update to AGPM 4.0 SP3 last September. Find it here:...
Date: 10/26/2016
Overview of RID pools for the domain
A short one today. A customer had concerns about the RID Pool administration in his domain. Brief...
Date: 10/21/2016
Clearing the ConflictAndDeleted DFSR folder on DCs
Following this earlier post on troubleshooting DFSR replication conflicts for SYSVOL I got some...
Date: 10/19/2016
LDAP: how to do server-side sorting and why it's a bad idea
Active Directory is an object repository, in many ways similar to a database. And like any database,...
Date: 09/24/2016
Find out what SYSVOL on DFSR is doing, part 2
This is a continuation of a previous post:...
Date: 09/16/2016
Find objects in LostAndFound ... for all partitions
I was onsite again today, and we were talking about the Lost and Found container in AD. You know,...
Date: 09/14/2016
Find out what your SYSVOL on DFSR is doing
(Updated 16-9-2016: reference to new post, updated the script with better error checking and a...
Date: 09/06/2016
Find out if your AGPM archive needs updating
For those of you out there using Advanced Group Policy Management a.k.a. AGPM, I have a question:...
Date: 08/19/2016
Does a service account get Group Policy?
Asking the question is answering it: no, it doesn't. This is so natural that you never think about...
Date: 07/10/2016
What is my current Azure Resource Manager subscription?
Just a brief note this time. Like many who learned Azure in the old days of Azure Service Manager...
Date: 07/07/2016
April 2016 - kb3103709 contains five AD hotfixes for Windows Server 2012 R2
Update 6-28-2016: Security update MS16-081 (June 2016) described in kb3160352, has the latest AD...
Date: 06/28/2016
Workaround for the ADU&C search bug with advanced tabs missing
With a bit of luck you learn something every day in this business, and today a customer showed me a...
Date: 06/27/2016
Copying many files to OneDrive for Business - preventing sync errors
Over the years I have collected a large number of files that I keep hoarding for all sorts of good...
Date: 06/14/2016
Foreign Security Principals and Well-Known SIDs, a.k.a. the curly red arrow problem
So I was at a customer today, and for some reason or another we ended up looking at the members of...
Date: 05/24/2016
Search for Preferred Bridgehead servers
Just a quickie for today. I was talking to a friend about Preferred Bridgehead servers. This is an...
Date: 05/18/2016
Force replication throughout the Forest
So there are a million posts already on how to force Active Directory replication, I know that. Mine...
Date: 05/01/2016
Azure VM Backup: beware of Windows Server 2008 R2
Since March 2015 we have the possibility to back up and restore entire VMs running in Azure. If you...
Date: 04/24/2016
whoami
My name is Willem Kasdorp, and I'm a Premier Field Engineer based out of the Netherlands. In my day...
Date: 04/23/2016