Assigning a static RPC port to ADLDS or ADAM for replication

Just wanted to put this here as it’s not been easy to find this information anywhere: ADLDS registers a custom RPC port which is by default taken from the dynamic port range 49152-65535; this is NOT the same as the LDAP port specified for the instance. On ADAM the same thing applies but the dynamic…

Why am I seeing LsaSrv 45058 events on my client?

From Julio: I recently installed a new server running Windows 2008 R2 (as a DC) and the related computers running Windows 7 Pro. The computers are joined to the domain. On a computer which is shared by two users (userA and UserB), I see the following event in the Event Viewer while userA was logged…

Why doesn't a user get locked out after a number of invalid password attempts greater than the domain account lockout policy?

We have an account lockout policy of 5 bad password attempts, but we’re seeing users presenting bad passwords up to several thousand times in the span of 15 minutes. I’m concerned about whether the policy is active or whether a brute-force password attack is being attempted. After investigating this closer we…

How to bulk create 10000 users and groups for your test environment

For test lab scenarios where you quickly want to add a few thousand users you can run the following batch files on a DC:

:Creates 10000 disabled user accounts with password Password1
For /l %%t IN (1,1,10000) do net user BulkUser%%t Password1 /add /PASSWORDREQ:YES /ACTIVE:NO

:Bulk create 1000 groups
For /l %%t IN (1,1,1000) do net group Bulkgroup%%t /add…

ADFS case sensitivity

ADFS is case-sensitive for the most part – but there are some sections of ADFS 2.0 where you might not need an exact match. In general you should however still make sure that you both comply with the standard format for public attributes and settings and maintain consistency when referring to internal server names. Example: referring…

I’m your Clone Baby DC

While doing some research on whether servers with identical SIDs (i.e. that have been cloned without Sysprep) pose either a security risk or an operational risk I came across the following blog entry by Mark Russinovich (Dark Lord of the SID). The essence of it is as follows (I love summarizing – but you should really read…

PreferLogonDC issues on W2k8 R2 DCs

A hotfix has recently been issued that resolves an issue where the Windows 7/Windows 2008 R2 client “forgets” its dynamic site name during the startup sequence. The net effect is that the client always makes additional generic DNS queries, which return non-site-specific DC names back to the client. The DC returned from the DNS…

Deconstructing the KDC certificate processing functionality

For a DC to be able to service smartcard logons, the DC must have a valid and suitable certificate present in the personal store of the computer account. This certificate is typically auto-enrolled whenever a Windows CA server has been installed into the AD environment. The KDC service on W2k8 R2 monitors the personal certificate store…

Changing the Primary Domain DNS name of this computer to "" failed.

This is a bogus error message that can be safely ignored – it’s caused by the domain join code ending up in a function which it doesn’t need to run anyway during a domain join operation using the GUI. What’s failing is the attempt to change the Primary DNS suffix of the machine after the domain…

Primers for building a highly available Active Directory environment

Notes from the field on things to consider with regards to maintaining Active Directory: Hardware diversity – this includes virtualization and SANs. Read the official Microsoft notes on virtualization recommendations in the TechNet article and KB below. DCs are designed to be redundant and distributed – try to avoid putting all DCs in the same domain…