Secure LDAP does not work using the FQDN of the domain for GCs?

I have been running into this issue a couple of times. You have a forest with multiple domains and you cannot use LDAPs if you are using the FQDN of the domain in your LDAP connection string to connect to a global catalog. Here is a simple scenario: (Note that this is also valid when…

Raising the functional level to Windows 2012 or Windows 2012 R2… Will I break anything?

2/26/2016 Update, cf. the "I disagree with the PowerShell output" section. In short, yes… Meaning that it is possible that you are facing the same problem as the one described here: FIX: "The requested mode is invalid" error message when you run a managed application that uses the .NET Framework 3.5 SP1 or an earlier…

Raising the functional level – Are you getting cold feet because of KB2260240?

Raising the functional level of your domain is a pretty straightforward operation. It is a mandatory step if you want to start using the Recycle Bin with Windows Server 2008 R2 or other great new security features in the newest versions of Windows. It is super well documented, and among the great resources we…

fixfsmo.vbs in PowerShell

I wrote the equivalent of fixfsmo.vbs in PowerShell: Fix-InvalidFsmo.ps1. For those who don't know anything about it, this is a refresher: Error message when you run the "Adprep /rodcprep" command in Windows Server 2008: "Adprep could not contact a replica for partition DC=DomainDnsZones,DC=Contoso,DC=com" http://support.microsoft.com/kb/949257 It does not use Active Directory Web Services and therefore works in a…

How to detect applications using "hardcoded" DC name or IP?

You look at Windows Server 2012 R2 and you tell yourself: "that would be nice if I could leverage all those new features". Then you remember… Adding new domain controllers is usually not a problem. Besides, if you want to add your new DCs in a smooth way, without impacting the existing environment, you can…

Track down LDAPs clients on a domain controller

You probably wonder why that could be a big deal. Usually clients not doing LDAPs are the ones we worry about (for security reasons, simple binds over LDAP aren't your best friends). Yet I have been facing situations where we need to identify who is doing LDAPs. Here is the scenario I have been seeing a couple of times:…