Interesting findings on SETSPN -x -f

Hello folks, this is Herbert from the Directory Services support team in Europe! Kerberos is becoming increasingly mandatory for really cool features such as Protocol Transition. Moreover, as you might be painfully aware, managing Service Principal Names (SPNs) for the use of Kerberos by applications can be daunting at times. In this blog, we will not…

Intermittent Mail Sack: Must Remember to Write 2013 Edition

Hi all, Jonathan here again with the latest edition of the Intermittent Mail Sack. We’ve had some great questions over the last few weeks so I’ve got a lot of material to cover. This sack, we answer questions on: Issues upgrading DFSR hub servers to Windows Server 2012; AD FS Sign-out behavior; Dynamic Access Control…

MaxTokenSize and Windows 8 and Windows Server 2012

Hello AskDS Populace, Mike here and I want to share with you some of the excellent enhancements we accomplished in Windows 8 and Windows Server 2012 around MaxTokenSize. Let’s review MaxTokenSize and its symptoms before we jump in to the wonderful world of Windows 8 (say that three times fast). Wonderful World of Windows 8 Wonderful…

Monthly Mail Sack: Yes, I Finally Admit It Edition

Heya folks, Ned here again. Rather than continue the lie that this series comes out every Friday like it once did, I am taking the corporate approach and rebranding the mail sack. Maybe we’ll have the occasional Collector’s Edition versions. This month, I answer your questions on: The semi-myth of Kerberos time skew; Finding…

Kerberos errors in network captures

Hi guys, Joji Oshima here again. When troubleshooting Kerberos authentication issues, a network capture is one of the best pieces of data to collect. When you review the capture, you may see various Kerberos errors but you may not know what they mean or if they are real problems. In this post, I’m going to…

Friday Mail Sack: Get Off My Lawn Edition

Hi folks, Ned here again. I know this is supposed to be the Friday Mail Sack but things got a little hectic and… ah heck, it doesn’t need explaining, you’re in IT. This week – with help from the ever-crotchety Jonathan Stephens – we talk about: Multiple WMI Filters; LDAP MaxPoolThreads; Many-to-one certificate mappings; LinkID…

Friday Mail Sack: Best Post This Year Edition

Hi folks, Ned here and welcoming you to 2012 with a new Friday Mail Sack. Catching up from our holiday hiatus, today we talk about: Disabling Administrative Shares; Making Get-ADDomainController useful’er; Kerberos group bloat; USMT moving profiles back from other disks; The DFSR service and backups; AGPM and “out of band” built-in policy changes; USMT…

Friday Mail Sack: Guest Reply Edition

Hi folks, Ned here again. This week we talk: CA migration from 1 to 2 tier; ADAM/ADLDS P2V ABC 123; Managing AGPM security filters; Multiple IIS App pools and Kerberos; AGPM multi-domain comparison; ADUC domain password weirdness; DFSR deletion conflict handling; Stale account deletion ad nauseum; AD PowerShell, Get-Acl, and the missing objects that aren’t…

Is this horse dead yet: NTLM Bottlenecks and the RPC runtime

Hello again, this is guest author Herbert from Germany. It’s harder to let go of old components and protocols than dropping old habits. But, I’m falling back to an old habit myself…there goes the New Year resolution. Quite recently we were faced with a new aspect of an old story. We hoped this problem would…

Kerberos and Load Balancing

Hi guys, Joji Oshima here again. Today I want to talk about configuring Kerberos authentication to work in a load-balanced environment. This is a more advanced topic that requires a basic understanding of how Kerberos works. If you want an overview of Kerberos, I would suggest Rob’s excellent post, Kerberos for the Busy Admin. In…