A Domain Controller is not a Domain Computer

Today I spent half a day troubleshooting an issue with Authentication Silos that I finally tracked down to an unexpected issue with a Group Policy. To give you a little background information: Authentication Silos are used to limit which computers a user can log on to. This is especially useful in Tier-0 configurations. To enable…


What’s new in Active Directory 2019? Nothing.

OK, so there is not precisely “nothing” new in AD 2019, but as a management summary it will do. Before you read on I would like to make it perfectly clear that: This information is not official in any way. All information here is based on public information. I had a look in our documentation…


Quickly find potential Kerberoast victims

Read up on the Kerberoast approach to brute-forcing the passwords of service accounts, and find out which of your service accounts would be an interesting target.


Download the original Active Directory Branch Office Deployment Guide

During the great Windows Server 2003 content purge on TechNet in the summer of 2016 a lot of valuable documentation was lost. Part of it was recovered in the infamously huge PDF download with 2003 support content, and other content was ported to the new documentation site on https://docs.microsoft.com, but the rest was just gone….


Best practices for a stable AGPM deployment

Over the years I have worked a lot with Advanced Group Policy Management (AGPM), our solution for change management of Group Policy. This small tool is part of Microsoft Desktop Optimization Pack (MDOP). AGPM has always flown under the radar, but is deployed in surprisingly many enterprises. By reviewing and troubleshooting some of these deployments…


Azure Quickstart Template: create forest with one or two domains

A lot has happened in the Azure world since I last published this short series on deploying an Active Directory forest with ARM templates: Part 1: Using the template; Part 2: Understanding the template structure; Part 3: Visualizing the template. Since that time we have had a major advance in the Virtual Machine world with…


The Active Directory 2016 PAM Trust: how it works, and why it should come with a safety advisory

We have long been working on increasing security in the design and operations of Active Directory. In each release from Windows Server 2003, 2008 and up to 2012 R2 you can see steps taken: better encryption, additional Kerberos features, deprecation of old protocols, etc. With Windows Server 2016 we have taken a next step, and…


PKI: which templates are built-in and which are from my company?

A colleague asked me a question on behalf of his customer. They were doing a discovery in a rather messy PKI environment and the question arose: which templates are standard (default), and which ones were created manually? Hopefully they have a good naming convention to make this immediately obvious, but otherwise a deeper look is needed. After…


PKI: which templates are published where?

Windows Server has two kinds of Certificate Authorities: Standalone and Enterprise. This strangely named difference really only means one thing: an Enterprise CA can (must) use templates for certificates it issues. Using templates you enforce standards for your private certificates, and enable desirable features like autoenrollment. A template exists as an object in the Configuration…


The well-known SID -1000

It is not every day that you discover a new well-known SID, but today I got mine. I know… if I just discovered a well-known SID it can hardly be well-known, can it? Let me explain. If you have been around the (Windows) block a few times, you will know what a SID is: a security…