What’s Hybrid Identity?

Hello everyone. Now that I've got Azure AD, how can I take advantage of my investment in ADDS? This is the main use case for Azure AD, i.e. extending your on-prem Active Directory to the cloud by synchronizing your identities from ADDS to Azure AD. Azure AD Connect is the tool that…


Why do I need Azure AD?

This is an ice breaker and a question I get all the time, and I see it much the way an electrician would have seen it 100 years ago… Today we all know about its benefits and mostly take it for granted; however, at that time only a few knew that electricity could become…


Lingering Objects cleanup

Recently I have been working with a Premier customer in South Africa to clean up their forest from lingering objects. It is a complex environment with 15 domains, 30+ sites and 130+ DCs, where power failures and network-related issues frequently disrupt AD operations. So I wanted to share with you the method I used to remove lingering objects and…


How to prevent the creation of GPOs from outside AGPM (Advanced Group Policy Management)

During my interactions with Premier Microsoft customers I have found that the main reason for not using AGPM (Advanced Group Policy Management) to enforce change control procedures on Group Policy management is the lack of information on how to prevent GPOs from being created or edited outside of AGPM. Basically their experience…


Fine Grained Password Policies GUI in Windows Server 2012 ADAC

Hello, my name is Paulo Viralhadas and I'm a Premier Field Engineer at Microsoft. Have you ever used Fine Grained Password Policies? This feature, introduced in Windows Server 2008, allows you to override the password policy set at the domain level. It applies password settings to subsets of users that you may like to differentiate from…
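The same Fine Grained Password Policy the post discusses can be created without the GUI, using the ActiveDirectory PowerShell module. The following is an added example and not code from the original post; the group "Tier0-Admins", the user "jdoe" and the PSO name "Tier0-Admins-PSO" are hypothetical.

```powershell
# Added example, not code from the original post. Creates a Password Settings Object (PSO)
# with the ActiveDirectory module and checks which policy wins for one user.
# Hypothetical names: group "Tier0-Admins", user "jdoe", PSO "Tier0-Admins-PSO".
Import-Module ActiveDirectory

# PSOs need a domain functional level of Windows Server 2008 or higher.
$dfl = (Get-ADDomain).DomainMode.ToString()
if ($dfl -in 'Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain') {
    throw "Fine Grained Password Policies need DFL 2008 or higher, current DFL is $dfl"
}

$psoName = 'Tier0-Admins-PSO'
$pso = @{
    Name                            = $psoName
    Precedence                      = 10      # lowest value wins when several PSOs apply to one user
    MinPasswordLength               = 20
    ComplexityEnabled               = $true
    PasswordHistoryCount            = 24
    MinPasswordAge                  = (New-TimeSpan -Days 1)
    MaxPasswordAge                  = (New-TimeSpan -Days 90)
    LockoutThreshold                = 5
    LockoutObservationWindow        = (New-TimeSpan -Minutes 30)
    LockoutDuration                 = (New-TimeSpan -Minutes 30)
    ReversibleEncryptionEnabled     = $false
    ProtectedFromAccidentalDeletion = $true
}
New-ADFineGrainedPasswordPolicy @pso

# PSOs are linked to users and global security groups only, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Tier0-Admins'

# Resultant policy for a member: the linked PSO with the lowest Precedence wins
# (direct link or via group); if none applies, the Default Domain Policy settings do.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold

# Review all PSOs in precedence order to spot overlapping scopes.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence, AppliesTo
```

The resultant-policy check is the step worth keeping in a runbook: two PSOs linked to overlapping groups silently resolve by Precedence, and the GUI does not warn about it.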


AD recycle bin feature and Windows Server 2012 GUI

Hello, my name is Paulo Viralhadas and I'm a Premier Field Engineer at Microsoft. The AD recycle bin feature was released in Windows Server 2008 R2 without a graphical user interface, which made its deployment and usability (I mean recovering deleted objects from AD) somewhat difficult for system admins. In this post I…


How to clone a virtual Domain Controller

Hello, my name is Paulo Viralhadas and I'm a Premier Field Engineer at Microsoft. In one of my previous posts I wrote about vDC cloning, which is my preferred feature in Windows Server 2012: "http://blogs.technet.com/b/reference_point/archive/2012/12/11/so-you-wanted-to-deploy-domain-controllers-faster-now-you-can.aspx". vDC cloning gives you the ability to scale up your production forest and to recover from disasters faster, or simply to…


So you wanted to deploy Domain Controllers faster…Now you can!

A Domain Controller must have a unique name, invocation ID, and security identifier (SID) in the entire forest. Up to Windows Server 2008 R2, promoting “sysprepped” standalone images multiple times was the fastest you could go in order to deploy a large number of Domain Controllers. Sysprep was needed to ensure that the deployed images were unique….
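Windows Server 2012 virtualized DC cloning, the subject of this post and of the "How to clone a virtual Domain Controller" post above, replaces the sysprep loop: the clone reads a DCCloneConfig.xml on first boot and promotes itself with a new name, invocation ID and SID. The following is an added example, not code from either post; the source DC "DC01", the clone name "DC02", the site "Lisbon" and the addresses are hypothetical, and the script is meant to run on the source DC.

```powershell
# Added example, not code from the original posts. Prepares a Windows Server 2012
# virtual DC for cloning. Hypothetical: source DC "DC01" (run this there), clone "DC02",
# site "Lisbon", domain contoso.com, 10.0.0.0/24 addressing.
Import-Module ActiveDirectory

# 1. The PDC emulator must run Windows Server 2012 or later, because it is the PDCe that
#    authorizes the clone; the hypervisor must expose a VM-Generation ID, which the DC
#    compares at boot to tell a clone (or an applied snapshot) from a normal restart.
$pdc   = (Get-ADDomain).PDCEmulator
$pdcOS = (Get-ADDomainController -Identity $pdc).OperatingSystem
if ($pdcOS -match '2003|2008') { throw "PDC emulator $pdc runs '$pdcOS'; cloning needs a 2012+ PDCe" }

# 2. Authorize the source DC: the PDCe only accepts a clone whose source is a member
#    of this built-in group.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer -Identity 'DC01')

# 3. Any installed service or program not on the default allow list blocks cloning.
#    Review the list; remove the software or, if you accept it, generate
#    CustomDCCloneAllowList.xml with -GenerateXml (-Force overwrites an existing file).
$blocked = Get-ADDCCloningExcludedApplicationList
if ($blocked) {
    $blocked | Format-Table -AutoSize
    Get-ADDCCloningExcludedApplicationList -GenerateXml -Force
}

# 4. Write DCCloneConfig.xml into the NTDS folder. On first boot the copied VM reads it,
#    renames itself, joins site "Lisbon" with the static address and promotes with a
#    fresh invocation ID, SID and RID pool. Omit -Static for DHCP.
New-ADDCCloneConfigFile -CloneComputerName 'DC02' -SiteName 'Lisbon' `
    -Static -IPv4Address '10.0.0.12' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.11'

# 5. Now shut DC01 down, export or copy the VM, import the copy as a new VM and start it.
#    Once DC02 has promoted, confirm the forest still holds unique invocation IDs.
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, InvocationId |
    Sort-Object InvocationId
```

Step 3 is the check most often skipped: an agent installed on the template DC (backup, monitoring) and not in the allow list makes the clone fall back to Directory Services Restore Mode instead of promoting.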


USN Rollback, Virtualized DCs and improvements on Windows Server 2012.

The USN rollback issue has been causing hundreds of support calls and AD replication halts throughout the world since the introduction of AD in Windows 2000 Server and up to Windows Server 2008 R2. Every DC maintains a table, ReplUpToDateVector (or Up-to-Dateness Vector), per Naming Context (NC, or AD partition). These tables record data from…
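The up-to-dateness vector is also where a rollback becomes visible: a DC that has been restored by an unsupported method (a reverted snapshot, a disk image) keeps its invocation ID but restarts its USN counter, so partners holding a higher USN for that invocation ID stop pulling the re-issued changes. The following is an added example, not code from the original post; the DC name "DC01" is hypothetical, the script needs the ActiveDirectory module and WinRM access to the DC.

```powershell
# Added example, not code from the original post. Checks one DC for the signs of a
# USN rollback and dumps its up-to-dateness vector for the domain NC.
# Hypothetical: DC "DC01", domain contoso.com; needs WinRM and the AD module.
Import-Module ActiveDirectory
$dc       = 'DC01'
$domainDN = (Get-ADDomain).DistinguishedName

# 1. A DC that detects rollback quarantines itself: it writes "Dsa Not Writable" = 4
#    under the NTDS key, pauses Netlogon and disables inbound/outbound replication
#    (KB 875495). The value stays until the DC is demoted or restored properly.
$notWritable = Invoke-Command -ComputerName $dc -ScriptBlock {
    (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
        -ErrorAction SilentlyContinue).'Dsa Not Writable'
}
if ($notWritable -eq 4) { Write-Warning "$dc has quarantined itself (Dsa Not Writable = 4)" }

# 2. Directory Service log: 2095 = rollback detected, 2103 = unsupported restore detected.
Get-WinEvent -ComputerName $dc -MaxEvents 5 -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095, 2103 } |
    Select-Object TimeCreated, Id, Message | Format-List

# 3. The UTD vector of DC01 for the domain partition: per partner invocation ID, the
#    highest USN DC01 has already received (UsnFilter) and when.
Get-ADReplicationUpToDatenessVectorTable -Target $dc -Partition $domainDN |
    Select-Object Partner, PartnerInvocationId, UsnFilter, LastReplicationSuccess |
    Sort-Object Partner | Format-Table -AutoSize

# 4. Compare against what each DC currently reports. A partner whose own
#    highestCommittedUSN is LOWER than the UsnFilter DC01 holds for the same
#    invocation ID is the rollback signature: DC01 believes it already has changes
#    the partner has not yet (re)issued.
Get-ADDomainController -Filter * | ForEach-Object {
    [pscustomobject]@{
        DC                  = $_.HostName
        InvocationId        = $_.InvocationId
        HighestCommittedUSN = (Get-ADRootDSE -Server $_.HostName).highestCommittedUSN
    }
} | Format-Table -AutoSize
```

On Windows Server 2012 the same comparison is done for you when the hypervisor exposes a VM-Generation ID: a changed ID at boot makes the DC discard its RID pool and take a new invocation ID, so partners treat it as a new replication source instead of ignoring it.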


Secure Channel Broken – continuation of "The trust relationship between this workstation and the primary domain failed."

While there can be several reasons for AD replication to fail with an “access denied” error (you may find more information in KB article 2002013 – Troubleshooting AD Replication error 5: Access is denied http://support.microsoft.com/kb/2002013/EN-US), here we will focus on broken secure channel issues on Domain Controllers and how to reset them….
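A DC cannot use the workstation-style repair (Test-ComputerSecureChannel -Repair) for its own account, because it would authenticate against itself with the very key that is wrong. The following is an added example and not code from the original post; it follows the netdom procedure from KB 325850 and assumes a hypothetical broken DC "DC01" (where the script runs), a healthy partner "DC02" and the domain contoso.com.

```powershell
# Added example, not code from the original post. Verifies and, if needed, resets the
# secure channel of a Domain Controller against a healthy partner DC.
# Hypothetical: run on broken DC "DC01", partner "DC02", domain contoso.com.
$domain  = 'contoso.com'
$partner = 'DC02.contoso.com'

function Test-DcSecureChannel {
    param([string]$Domain)
    # nltest /sc_verify forces validation of the existing secure channel.
    $out = & nltest /sc_verify:$Domain 2>&1
    return [bool]($out -match 'completed successfully')
}

if (Test-DcSecureChannel -Domain $domain) {
    'Secure channel is healthy, nothing to do.'
    return
}

# 1. Stop and disable the local KDC. While it runs, DC01 keeps issuing itself tickets
#    with its stale machine account key instead of obtaining them from the partner.
Stop-Service -Name kdc
Set-Service  -Name kdc -StartupType Disabled

# 2. Reset the machine account password and write it directly to the healthy partner.
#    /passwordd:* prompts for the admin password rather than placing it on the command line.
& netdom resetpwd /server:$partner /userd:"$domain\Administrator" /passwordd:*
if ($LASTEXITCODE -ne 0) { throw "netdom resetpwd failed with exit code $LASTEXITCODE" }

# 3. Purge the Kerberos tickets cached by the computer account (logon id 0x3e7 = SYSTEM)
#    so nothing obtained under the old key is reused, then reboot as KB 325850 requires.
& klist -li 0x3e7 purge
Restart-Computer -Force

# After the reboot, re-enable the KDC and verify again (run by hand, not by this script):
#   Set-Service -Name kdc -StartupType Automatic; Start-Service -Name kdc
#   nltest /sc_verify:contoso.com
#   repadmin /showrepl      # inbound replication from DC02 should no longer report error 5
```

Pick the partner deliberately: it should itself replicate cleanly and hold the current password for other DCs, otherwise the reset is written to a DC that cannot propagate it.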