Active Directory Blog

These are the Updates You Are Looking For

2009-09-23T22:59:00Z

In this blog post we’re going to go over a few techniques that are a bit old school but will come in handy for understanding how things work even if you ultimately use a great monitoring suite like MOM. Now, there are great articles here and here that describe good general ways to start checking your AD replication-and the information on those articles still applies. In this post we’re going to go a bit past and to the side of them though. Before we go further we need to go over USN Highwater-marks...(read more)

September 11th 2001

2009-09-11T17:59:14Z

Eight years ago today people had started their day at the World Trade Center in New York, the Pentagon in Washington DC, and on a few planes. Some were commuting to work destinations and others were already at work. These were people that were working to feed their families, pay their bills, improve their lives. It is certain that, as you and I often do, they would pause in their work or travel to think of their loved ones and when they would see them next. Among those thousands was an IT administrator...(read more)

Bulking Up an ADAM Test Instance

2009-08-14T19:40:00Z

This week I’ve had the need to do some testing around ADAM (also known by it’s shiny new name of Active Directory Lightweight Directory Services or AD LDS). The tests themselves are not directly relevant to this blog post, but in order for the tests to have some validity the ADAM instance needed to be a larger than the default install. In the absence of a nice bulky backup or other directory instance to take previously created objects from I needed a quick method to bulk that bad boy up. ...(read more)

Split IO and Intermittent “File Not Found” Errors

2009-08-10T16:30:00Z

There are a whole host of issues that are simply never seen unless you have a large distributed environment. I know that sounds startling but here’s a hypothetical example. Imagine that you are an online retailer and for every identity that you are transacting business with an object in a AD LDS/ADAM database is created or updated. If you have many business transactions (generally a good thing from a business perspective) then the number of client connections and updates swells accordingly. In an...(read more)

Testing a Credential Provider

2009-07-11T00:43:36Z

Weeks ago I blogged about how single sign on and credential providers work and a scenario you can run into with them. One reader faced a slightly different scenario but was able to apply that topic toward getting his issue resolved. He had installed a credential provider for testing purposes. Unfortunately, once the credential provider was installed he was unable to logon at all. In his case he knew what the problem generally was-the provider he was testing-but initially wasn’t certain how to remove...(read more)

Referral Chasing

2009-07-06T19:14:13Z

It’s easy to forget that when we say “Directory Services” we are really talking about multiple technologies. I remember when the idea that what we support is so much more than simply a user account repository first hit me. It happened when I first read the Windows 2000 Distributed Systems Guide from the Windows 2000 Resource Kit. This was, and in many ways still is, the “go to” reference and starting point for DS knowledge, and it made the idea that we support a collection of disparate but often...(read more)

Important Security Bulletin

2009-06-09T23:21:00Z

I wanted to do a quick post on an important security bulletin. It’s Microsoft Security Bulletin MS09-018 – Critical . This security update is to address a vulnerability in Active Directory. I’m pasting the Executive Summary below, but I highly recommend that you read the entire bulletin and apply the updates. Executive Summary This security update resolves two privately reported vulnerabilities in implementations of Active Directory on Microsoft Windows 2000 Server and Windows Server 2003, and Active...(read more)

Thoughts on Single Sign On and Credential Providers

2009-05-26T19:35:26Z

We use the term single sign on (SSO) to describe a variety of behaviors in Windows and other applications where the result is simply to prevent the user from being prompted to provide their credentials again and again; to ideally enter their credentials only once at initial logon. Active Directory and the integrated authentication which it provides does this very well, and can be extended to other Microsoft applications like SQL, SharePoint, Exchange and others from other companies as well. There...(read more)

DCs and Network Address Translation

2009-04-22T16:11:00Z

A lot of planning goes into the features and capabilities of each Windows release. Over the years I’ve noticed that there is not a great deal of awareness out in the general public for just how much work and labor goes into a new version of Windows. We’ll most often hear someone say something like “Microsoft comes out with a new version of Windows every few years”….a statement which glosses over the concerted effort of thousands of people in planning, writing, testing and documenting each feature...(read more)

When Smartcard Logon Doesn't

2009-04-06T17:48:00Z

Authentication is entering every facet of our lives nowadays. It is common to have multiple passwords: passwords for work, home email, and Internet websites to name a few. It’s easy to have a lot of different passwords, and equally easy to use only one and risk a widespread identity breach. Passwords are one way of guaranteeing the identity of an individual in a communication but that’s just a start. Two factor authentication is becoming more prevalent in the corporate world, and may someday soon...(read more)

Taking Out The Trash

2009-03-24T18:38:00Z

There will be times when you have to make big changes in your Active Directory. Sometimes those big changes mean deleting a lot of objects. I’ve personally needed to match customer environments by creating tens of thousands of AD objects just to have the beginnings of a matching environment. For my test forests I can leave those objects around after I’m done and not have to worry about things. But if I have a production forest I will probably want to delete unused objects. I’ll also want to reclaim...(read more)

Downgrade "Attack"? A little more info

2009-03-20T18:56:00Z

I decided that we needed some more detail and to give a walk through scenario on this downgrade attack deal I mentioned a while back in a blog post . As a recap, a customer called in after noticing the events below appearing intermittently but repeatedly-and always in the sequence of one after the other- in the System event log: Event Type: Warning Event Source: LSASRV Event Category: SPNEGO (Negotiator) Event ID: 40960 Date: 01/01/2009 Time: 8:07:01 PM User: N/A Computer: FS123 Description: The...(read more)

VSS Snapshots and You

2009-02-23T17:01:09Z

I find myself doing blog posts on things that are not frequent enough for most experienced admins to be aware of since it wouldn’t come across their desk often. The reason for that is that in my role I receive the least common unresolved issues that occur from our customers. When I receive a few of them over the years I feel that there can be some value in documenting them informally on the blog. This one is a case in point. For years we’ve used the Volume Shadow Copy Service as the foundation...(read more)

Gauging Size Differences in AD Databases

2009-02-16T16:45:00Z

We occasionally receive support calls which revolve around the topics of “why is the Active Directory database on DC A different in size than that on DC B?”. It’s easy to dismiss the question out of hand but there are real life scenarios where this can be an important question. And there are real life AD uses that can bring you to the point where you are asking that question. In previous blog posts, for different reasons, I’ve occasionally touched upon the fact that AD is stored essentially on one...(read more)

Tabula Rasa

2009-01-14T17:15:00Z

I was well and truly stumped a few months ago. I joke that once a year I am flat out wrong, and rarely do I have nothing to say on a subject. The 'once a year I may be flat out wrong' statement may be true simply because after 15 years in the IT industry I’ve learned to avoid letting broad definitive statements out of my mouth unless I am certain. I also rarely say something is impossible. Too frequently in the past I’ve been proven wrong after such proclamations. Oh the embarrassment in the IT world...(read more)