Lookin At Some AD Dumpage

Understanding how things work is as much of a tool as anything included in the Adminpack or Support Tools. If you know how things work, you know what to expect in normal behavior, and what questions to ask when the behavior you're seeing is abnormal. For example… :) We had a customer who…

Vista Networking, An Issue With a Limited View

Every few years we release a new operating system and, no matter how much testing, training and documentation we have, some unexpected behaviors occur. We at Microsoft spend a lot of effort to try and prevent problems from occurring in our products at all, but if they do occur we focus on figuring out what…

Smartcard Logon Considerations, or How I Learned To Love Authentication with Smartcards

A few times in the past we’ve received calls from customers where they had some really interesting concerns with using smartcards for domain authentication. There’s some base knowledge to be had with respect to Kerberos. Just a quick mention: yes, when you talk about Microsoft Windows and the Kerberos authentication protocol, we are compliant. Wikipedia…

Short Post…Domain Join

A common thing we need to deal with as Directory Services people is difficulty adding a client as a domain member, also known as ‘domain join’. For Windows SKUs which support being a domain member this is the first step into having the computer take advantage of the authentication, centralized account administration and all that…

CeeKwuhl and Kurbyeros

It’s been a while! Sorry for the delay since the last post. It has been a hectic few weeks. I’ve been temporarily assigned as a beta support person, which means that I have been working on Windows Vista and Longhorn Server, assisting with filed (and filing) bugs for seen behavior and design change requests. So…

Delegation (No, I Don’t Mean The Method I Use To Evade Work)

Kerberos delegation scenarios can be some of the most difficult problems for an admin to troubleshoot and resolve. Much of that has to do with the variety of services (also known as applications in non-Kerberos speak) which can be delegated to and from. Each service may be code written to work a particular way, as…

A Quick Addition…

It occurred to me that my post from last week was a bit lacking in the technical detail. As a recap, the issue was regarding the scenario of: -Locked a computer when well connected (DC reachable across the network) -Unlocked computer when still well connected and saw the Kerberos cache flushed -Some time…

Locked, Unlocked…Whatever, I Just Want Access

A while back we had a customer contact us that was seeing something with authentication that they were struggling with understanding. They had a lot of small, remote sites where it was impractical to have a local domain controller. So each site relied on WAN network connectivity to receive domain authentication (aka communicate with…

Many Headed Dog Equals Much Confusion

One of the more complex technologies that a Microsoft Directory Services specialist supports is Kerberos authentication. When Windows 2000 debuted this was something that was documented well in RFC and whitepaper, but perhaps not thoroughly understood by most people who use our products. People running other operating systems had a leg up in that…

Changing the Name and Minding the Gap

First, let me start off by announcing the slight name change of the blog to Active Directory Blog. It just seems too searchalicious, certainly better than previous, where I could tell that I had a very small but loyal following. Since my goal is to spread words around I thought it’d be good to change. …