Too Much of a Good Thing

A while back I wrote a blog post about setting up Kerberos constrained delegation. As a bit of a re-introduction, a lot of the value of the Kerberos authentication protocol is that it allows an application or service to impersonate a user in order to get resources on that user's behalf. This impersonation is…

Scary Sounding Errors

We have a temporary role in CSS where support folks will help out in supporting prerelease (also known as beta) software. I've worked a couple of Windows betas, and it's a great experience. I mention this since I remember a few years ago during the beta of a prior Windows release where there was an…

Name Hijacked, Bystander DC Hangs

I learn more about AD and other things every day, which is part of the fun of this job we do: learning about how things work. This story does a good job of lending some understanding to something that can be tough to understand: trust secure channels. This story begins with a customer contacting us regarding a…

Rumpo Venatus

The five or six people who have read my little bio snippet on Technet read that I like to play video games, specifically Xbox 360 games. I was doing just that the other night, playing Fallout 3, when my wife walked into the study to ask for help with all of the viruses which had just been detected…

Troubleshooting a Memory Leak in Lsass.exe

Although we have a team of engineers who are dedicated to troubleshooting general server performance related problems, Microsoft Directory Services specialists are expected to be the "go to" people for Active Directory and domain controller related performance issues. This is especially true when the Lsass.exe process is noticed to be using more resources than…

Why! Won’t! PAC! Validation! Turn! Off!

A while back I wrote a blog post regarding PAC (Privilege Attribute Certificate) validation in Microsoft Kerberos. We've had enough interest in this lately, particularly around the idea of disabling it, that it seemed like a good idea to post about this again and add some more detail. The reason for the Shatneresque drama in…

Updated: NTLM and MaxConcurrentApi Concerns

Over the past few years we've learned more about "NTLM and MaxConcurrentApi Concerns" and we've even come up with some new ways of addressing them. The starting point for learning more is the Knowledge Base article You are intermittently prompted for credentials or experience time-outs when you connect to Authenticated Services. Although…

DNS Scavenging and AD

Recently I wrote a post about how, in an uncommon scenario, Active Directory integrated DNS could lose an entry regarding a domain controller in a global SRV record. Here's another aspect of AD integrated DNS which you can run into, particularly if you are spending energy tweaking your environment at all. So let's…

A Complicated Scenario Regarding DNS and the DC Locator SRVs

When we do initial interviewing of a candidate for a job here in the CSS Directory Services team, a question we'll often start with is "how important is DNS to Active Directory?". The person's answer (if the correct answer of "very important" is given) is a great place to start with more detailed DNS questions. Questions…

Monitor AD Replication Much?

I want to point out an excellent resource for an administrator out there who is responsible for Active Directory replication in their environment. The resource is a comprehensive and detailed article solely on using Repadmin.exe. The article goes over what Repadmin.exe can do, adds explanations for the options in the help file, and gives…