Lingering Objects Cleanup

Recently I have been working with a Premier customer in South Africa to clean up their forest of lingering objects. It is a complex environment with 15 domains, 30+ sites and 130+ DCs, where power failures and network-related issues frequently disrupt AD operations. So I wanted to share with you the method I used to remove lingering objects and…


How to prevent the creation of GPOs from outside AGPM (Advanced Group Policy Management)

During my interactions with Premier Microsoft customers I have found that the main reason for not using AGPM (Advanced Group Policy Management) to enforce change control procedures on Group Policy management is the lack of information on how to prevent GPOs from being created or edited outside of AGPM. Basically, their experience tells…


Fine Grained Password Policies GUI in Windows Server 2012 ADAC

Hello, my name is Paulo Viralhadas and I'm a Premier Field Engineer at Microsoft. Have you ever used Fine Grained Password Policies? This feature, introduced in Windows Server 2008, allows you to override the password policy set at the domain level. It applies password settings to subsets of users that you may want to differentiate from…


AD recycle bin feature and Windows Server 2012 GUI

Hello, my name is Paulo Viralhadas and I'm a Premier Field Engineer at Microsoft. The AD recycle bin feature was released in Windows Server 2008 R2 without a graphical user interface, which made its deployment and usability (I mean recovering deleted objects from AD) somewhat difficult for system admins. In this post I…


How to clone a virtual Domain Controller

Hello, my name is Paulo Viralhadas and I'm a Premier Field Engineer at Microsoft. In one of my previous posts I wrote about vDC cloning, which is my preferred feature in Windows Server 2012 "". vDC cloning gives you the ability to scale up your production forest and to recover from disasters faster, or simply to…


So you wanted to deploy Domain Controllers faster… Now you can!

A Domain Controller must have a unique name, invocation ID, and security identifier (SID) in the entire forest. Up to Windows Server 2008 R2, promoting "sysprepped" standalone images multiple times was the fastest you could go in order to deploy a large number of Domain Controllers. Sysprep was needed to ensure that the deployed images were unique…


USN Rollback, Virtualized DCs and Improvements in Windows Server 2012

The USN rollback issue has been causing hundreds of support calls and AD replication halts throughout the world since the introduction of AD in Windows 2000 Server, up to Windows Server 2008 R2. Every DC maintains a table, ReplUpToDateVector (or Up-to-Dateness Vector), per Naming Context (NC or AD partition). These tables record data from…


Secure Channel Broken: continuation of "The trust relationship between this workstation and the primary domain failed."

While there can be several reasons for AD replication to fail with an "access denied" error (you may find more information in KB article 2002013, Troubleshooting AD Replication error 5: Access is denied), here we will focus on broken secure channel issues on Domain Controllers and how to reset them…


"The trust relationship between this workstation and the primary domain failed."

How many times have you come across reports of users complaining that they cannot log on to the domain? Logon fails with "The trust relationship between this workstation and the primary domain failed." Additionally, the NETLOGON service also logs Event ID 5723: "The session setup from the computer DOMAINMEMBER failed to authenticate. The name of the account…


WMI through the Firewall

On a number of occasions I have been asked to configure services running under the svchost process to pass through the Windows Firewall on Windows XP, particularly for WMI access, as administrators and applications might need it for performing data collection, monitoring and other administrative tasks. The problem is that Windows Firewall on XP doesn't allow you to add…