Configuring a Windows Server 2008 front-end web enrollment server for delegation

After you install the web enrollment pages on an external IIS7 web server, 2 additional steps are required. On the service account running the website in IIS 7 (commonly the computer account/Network Service account):
– Trust the security principal for delegation against the back-end server
– The minimum permissions required are for RPCSS and HOST services…


Requiring Smart Cards for logon – what happens when CRL publication fails

Let’s say your organization wants to make smartcards mandatory for all users as part of a security push, i.e. implement ‘two-factor authentication’ (“something you have and something you know”). The concern, however, is that if revocation checks for either the Domain Controller certificate (from the client side) or the Smartcard certificate (from the Domain Controller…


Dude, where’s my Forest Root?

Let’s look at a hypothetical worst-case scenario:
– Your AD infrastructure contains one root domain and one or more child domains.
– You’ve lost all the DCs in the Root domain due to hardware failure (Example: putting all DCs in the root domain on the same SAN)
– There are no usable System State backups…


Time travel and factors that increase client startup or login time

This entry is written concerning the following issue: how applications and services can add to the startup or login time of clients. The basics first: on any operating system, performing any operation takes time. This is just a fact of life and is more related to the nature of time than a question of performance…


What happens when a group is deleted

A Critsit from a large enterprise customer came in the other day; the problem description was as follows: We’ve deleted a test group that contained 25000 users, now our 3rd party login script which looks at group membership for users and performs action based on which groups they are in is failing when it encounters the…


Netlogon 5719 and the Disappearing Domain [Controller]

Netlogon is both a client and a server component; when it logs 5719, it is acting as a client and trying to make a network connection that fails for some reason. A Netlogon 5719 event indicates that the client component of Netlogon was unable to locate a DC for the domain it was trying to perform an operation…


What is logged to the Userenv.log file?

Winlogon is the main component that logs data to the Userenv.log file (through userenv.dll). If Userenv debug logging is enabled as per KB 221833, the userenv.log file will include the following:
– Slow link detection
– Machine Group Policy Application
– Processes and applications which start up as part of Userinit.exe (this includes most Startup…


Troubleshooting RODCs: Troubleshooting domain joins against RODCs

So, the first question: do you need to deploy the RODC compatibility pack on your XP/2003 clients if you want to deploy RODCs? For domain joins (and password changes) against an RODC the answer is most definitely yes. One of the most important changes implemented in the compatibility pack is how the client calls the DsGetDCName function…


Naming schemes to avoid in AD

At some point, you’ll find yourself in the situation where you need to decide on a naming scheme for an Active Directory forest and domain. This is a critical decision and should not be made when you’re standing in front of the screen typing DCPROMO. Let me elaborate a bit… Historically, Microsoft has been…