Domain Locator Across a Forest Trust

Rob and Mike here. We’re asked, many times, why a user does not authenticate against a local domain controller in the same site when logging on across a forest. We’ve set up the most common scenario to help explain how domain locator works for user logons across a forest. Scenario: Let’s explain the typical scenario in… Read more

Vista’s MoveUser.exe replacement

Hi Rob here again. I recently had a customer that needed the functionality of MoveUser.exe from the Windows 2000 Resource Kit available in Windows Vista. The customer had quite a few Windows Vista machines that were not joined to the domain but were now migrating to Active Directory. For their own business reasons they were… Read more

PolicyMaker stops working after installing Windows XP SP3

Hi this is Rob again. We had a couple cases recently where PolicyMaker settings were not applying to computer and users after installing Windows XP Service Pack 3. We found that PolicyMaker client-side extensions (CSE) are not registered after installing Service Pack 3. Examine the following location using regedit: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions You should see the… Read more

Automatic creation of user folders for home, roaming profile and redirected folders.

Hi Rob here again. Periodically we’re asked “what is the best way to auto-create home, roaming profile, and folder redirection folders instead of Administrators creating and configuring the NTFS permissions manually?” The techniques in this post require you to use the environment variable %USERNAME% in the user’s home folder attribute when you create the users… Read more

Kerberos Authentication problems – Service Principal Name (SPN) issues – Part 3

Rob here. Now we have seen what it looks like when there is no Service Principal Name defined, and when the Service Principal Name is not unique in the forest. We will now cover what things look like when the Service Principal Name is NOT added to the correct account. We are still using the… Read more

Kerberos Authentication problems – Service Principal Name (SPN) issues – Part 2

Rob here. So, we saw in Part 1 what kind of error you could expect when there is no Service Principal Name defined for the Kerberos ticket the application is requesting. The next part I would like to show you is what might be the error message you would get if there were multiple accounts… Read more

Kerberos Authentication problems – Service Principal Name (SPN) issues – Part 1

Hi Rob here again. I hope that you found the first blog on troubleshooting Kerberos Authentication problems caused by name resolution informative and learned something about how to review network captures as well as how the SMB protocol works at a high level when reviewing a network trace. This time we are going to focus… Read more

Troubleshooting Kerberos Authentication problems – Name resolution issues

Hi Rob here. I thought I would show you how we in Microsoft Commercial Technical Support typically troubleshoot Kerberos authentication issues. This discussion should do much to get you more comfortable viewing network traces for Kerberos authentication problems. There are other ways to troubleshoot Kerberos; one could use the Kerberos event logging outlined in KB… Read more

Kerberos for the Busy Admin

Hi Rob here, I am a Support Escalation Engineer in Directory Services out of Charlotte, NC, USA. We work a lot of Kerberos authentication failure issues. Since Kerberos is typically the first authentication method attempted, it ends up having authentication failures more often. One of the great things about Windows is that the product seems… Read more