Finding Pesky Stale DNS SRV Records

Good day to you all – Dougga here with a simple post today using tools you know. Stale DNS SRV records are common due to no scavenging on DNS zones and each zone has to be set up correctly to have this happen. So, I have often found the "contoso.com" set up correctly, but the…

Active Directory Risk Assessments – Lessons and Tips from the Field – Volume #1?

Greetings – Hilde here to pass along some wisdom for AD shops everywhere. Recently, I was part of a conversation with a handful of true Active Directory rock-stars here in Premier Field Engineering who have done a lot of AD Risk Assessment Program (RAP) deliveries. As a reminder, the “RAP as a Service” delivery includes a very…

How to Restrict DNS Zone Scavenging When Hosting Multiple Zones on Multiple Servers

Dougga here – PFE (or “poofy” as one of my customers likes to call us). The DNS scavenging topic never dies – bear with me and I will reveal a not so obvious configuration to control which servers can scavenge a zone. Let’s go with a simple multi-domain forest named Contoso.com that has 3…

Troubleshooting KMS with Process Monitor (ProcMon)

Dougga here with a short and simple post. I wanted to share an issue that was resolved using tools from SysInternals. Recently I helped discover an odd issue with some KMS servers losing their KMS Server Key and becoming a KMS Client. So where to start troubleshooting… Do you have the right key? Try slmgr.exe…

Understanding the UserAccountControl Attribute in Active Directory

Dougga here. Not a password policy blog post, I am finally off of that issue. But I couldn’t help myself and included something about passwords in this post <grin>. Users and Computers have an attribute called UserAccountControl that dictates some behaviors and characteristics of these accounts. Active Directory administrators should be aware of this attribute and…

Active Directory Password Policies – when does a password policy change affect a user?

I’m back! Dougga here again with yet ANOTHER password policy post. You would think I was done with this topic – hopefully the last on this topic for a while. MarkMoro, you may know from this blogosphere, conveyed a question to me from one of our readers that is related to password policy application and…

Fine Grain Password Policy for Active Directory 2008 Domain Does not Apply

Hi, Dougga here again and I just can’t leave password policies alone. So, are you ready for another password policy issue? I saw the hand up in the back, so let’s give it a shot. Previously, I had a post on Fun and Games with Active Directory Password Policies. I would like to call this…

MailBag: RODCs – krbtgt_#####, Orphans, and Load Balancing RODC Connection Objects

Dougga here to answer a couple of quick RODC related questions. I have been the fortunate PFE to perform ADRAPs (Active Directory Risk Assessment Program) that have had more than the average number of RODCs. I have also reviewed environments with only a few RODCs. During these risk assessments a couple of questions have come…

No Excuses! You Need a Lab for Active Directory 2012.

Many posts that can be found on the new features of directory services on Windows 2012 both from Microsoft and from others. However, you need to get your hands on the features to learn them. Like other PFE that post on this blog I get to talk to you when I am on site. One…

Fun and Games Active Directory Password Policies

Hi All! DougG here to share some insight on password policies – enjoy. We were all excited when Windows 2008 Domain Functional level introduced FGPP (Fine Grained Password Policies). After several years in the field I have not seen abuse of this feature. In fact, I am pleased to share that those using the FGPP are…