Windows 2020?

It’s hard to believe we’ve had 10 years of Windows… however, with the Internet/IT year being 3 months, this decade in fact spans 40 years… Windows passed into the new millennium and adulthood in 1999 with Windows 2000; from 1996 we’d had Windows NT 4.0, and 3.51/3.5/3.1 before that, of course, as well as Windows 2.0/3.0/3.1/3.11…


Optimizing DFS Referrals: SiteCostedReferrals and PreferLogonDC

In a multi-site infrastructure you would under most circumstances want to make sure that the client is accessing Sysvol and Netlogon from a local DC, typically the logon server – or failing that to use the closest DC as determined by the replication costs defined on the site links in AD Sites & Services. Two…


Fun with LDIFDE and MS09-056

The LDIFDE export tool that has shipped with all flavors of Windows since Windows 2000 is one of the more useful tools for troubleshooting. A fraction of the things you can do with it include: conditional exporting of data from Active Directory; bulk modifying specific attributes; testing ACLs through running LDIFDE…


Troubleshooting autoenrollment

From my colleague Maria in the Domains team – a collection of useful bits for troubleshooting autoenrollment issues: On a Windows Server 2003-based or Windows XP-based computer, you cannot obtain certificates from a Windows Server 2008-based certification authority (CA). This issue can occur if the CA is configured to use SHA2 256 encryption or higher…


Troubleshooting AD with Network Monitoring tools

In general, if you have an AD-related issue the following logs are useful: Event logs from the affected machine(s); Component-specific debug logs from the affected machine(s) (Netlogon logs, Userenv logs, IIS logs, etc.); Network traces taken while the problem is happening; Procmon traces that show file activity on the affected machine(s) covering the same time…


Changes in default encryption type for Kerberos pre-authentication on Vista and Windows 7 clients cause security audit events 675 and 680 on Windows Server 2003 DCs

I had a case recently with the following case description: We’re auditing AD security events as per SOX requirements and we seem to be getting a lot of events 675 and 680 after we added Vista and Windows 7 clients to our domain. We don’t see any account lockouts or logon issues, are…


The case of the mysterious account lockout coming from Exchange

I worked the following case recently: We have a single user that keeps getting his account locked out every 60 seconds. We’ve managed to isolate this down to coming from the Exchange server but there isn’t anything pointing in the right direction as to what is causing it. The really strange bit is that if…


Why living in the future is bad when you’re a CA server (aka the story of 0x800b0101 CERT_E_EXPIRED)

I worked on the following case recently: We can’t seem to enroll for certificates from our Windows 2008 OCS Servers, the error we get is “A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.” We have no problems requesting certificates from…


Troubleshooting account lockout the PSS way

I’ve been thinking for some time about pulling together the typical approaches we use when troubleshooting account lockout issues. So… here is the CSS/PSS approach to troubleshooting Account Lockouts. #1 – Look at the Account Lockout Threshold policy that is defined for the Domain. Applications commonly do several retries of logons if the first logon…