Conficker causes LSASS to consume CPU Time on Domain Controllers

Hi Gautam here, I wanted to blog about a high-impact problem we have been seeing recently. The problem has to do with LSASS consuming a lot of CPU time on your Domain Controllers (DC’s). The cause of this high CPU turns out to be Conficker infected computers throwing bad passwords against the DC’s. The rate… Read more

“The LastLogonTimeStamp Attribute” – “What it was designed for and how it works”

Warren here. In Windows Server 2003 we introduced the lastLogontimeStamp attribute. Administrators can use the lastLogontimeStamp attribute to determine if a user or computer account has recently logged onto the domain. Using this information administrators can then review the accounts identified and determine if they are still needed and take appropriate action. Intended Use It… Read more

Addendum: Making the DelegConfig website work on IIS 7

Hi All Rob here again. I thought I would take the time today and expand upon the Kerberos Delegation website blog to show how you can use the web site on IIS 7. Actually, Ned beat me up pretty badly for not showing how to set the site up on IIS 7 [I sure did…. Read more

Getting a CMD prompt as SYSTEM in Windows Vista and Windows Server 2008

Ned here again. In the course of using Windows, it is occasionally useful to be someone besides… you. Maybe you need to be an Administrator temporarily in order to fix a problem. Or maybe you need to be a different user as only they seem to have a problem. Or maybe, just maybe, you want… Read more

Kerberos Authentication problems – Service Principal Name (SPN) issues – Part 1

Hi Rob here again. I hope that you found the first blog on troubleshooting Kerberos Authentication problems caused by name resolution informative and learned something about how to review network captures as well as how the SMB protocol works at a high level when reviewing a network trace. This time we are going to focus… Read more

Troubleshooting Kerberos Authentication problems – Name resolution issues

Hi Rob here. I thought I would show you how we in Microsoft Commercial Technical Support typically troubleshoot Kerberos authentication issues. This discussion should do much to get you more comfortable viewing network traces for Kerberos authentication problems. There are other ways to troubleshoot Kerberos; one could use the Kerberos event logging outlined in KB… Read more

Special Groups Auditing via Group Policy Preferences

Ned here again. Today I’m going to talk about a new feature of Windows Server 2008 and Windows Vista called Special Groups auditing. While we’re in here, I’ll run through how we can use the new Group Policy Preferences (GPP) client-side extensions to make deploying this fast and easy. We’ll also see some of the… Read more

Kerberos for the Busy Admin

Hi Rob here, I am a Support Escalation Engineer in Directory Services out of Charlotte, NC, USA. We work a lot of Kerberos authentication failure issues. Since Kerberos is typically the first authentication method attempted, it ends up having authentication failures more often. One of the great things about Windows is that the product seems… Read more