Browse by Tags

Hi all, Jonathan here again with the latest edition of the Intermittent Mail Sack. We've had some great questions over the last few weeks so I've got a lot of material to cover. This sack, we answer questions on: Issues upgrading DFSR hub servers to Windows Server 2012 AD FS Sign-out behavior...

Hello sports fans! So this has been a bit of a hectic time for us, as I'm sure you can imagine. Here's just some of the things that have been going on around here. Last week, thanks to a failure on the time servers at USNO.NAVY.MIL, many customers experienced a time rollback to CY 2000 on their...

Jonathan here. Chuck Timon over on the AskCore blog has a new post that you folks testing with Windows Server 2012 should know about. If you're playing around with Hyper-V, do yourself a favor and have a read before you call Support. Logon Failures Involving Virtual Machines in Windows Server 2012...

Hello everyone. Jonathan here again with another Public Service Announcement post. Today, Microsoft has published a new Security Advisory: Microsoft Security Advisory (2661254): Update For Minimum Certificate Key Length The Security Advisory and the accompanying KB article have complete information...

Hi folks, Jonathan here. Dave and I wanted to share some important information with you. By now you’ve all been made aware of the Microsoft Security Advisory that was published this past Sunday. If you are a Terminal Services or Remote Desktop Services administrator then we have some information...

Hey all, Ned here. Mike and I start teaching Windows Server 2012 and Windows 8 DS internals this month in the US and UK and won’t be back until July. Until then, Jonathan is – I can’t believe I’m saying this – in charge of AskDS. He’ll field your questions and publish… stuff. We’ll make sure he takes...

Hi folks, Ned here again. It’s been a little while since the last sack, but I have a good excuse: I just finished writing a poop ton of Windows Server 2012 depth training that our support folks around the world will use to make your lives easier (someday). If I ever open MS Word again it will be...

Hello all, Ned here again with our first mail sack in a couple months. I have enough content built up here that I actually created multiple posts, which means I can personally guarantee there will be another one next week. Unless there isn't! Today we answer your questions around: Detecting...

Hi folks, Ned here again. I know this is supposed to be the Friday Mail Sack but things got a little hectic and... ah heck, it doesn't need explaining, you're in IT. This week - with help from the ever-crotchety Jonathan Stephens - we talk about: Multiple WMI Filters LDAP MaxPoolThreads Many...

Hi folks, Ned here again (with some friends ). Everyone knows that Kerberos is Microsoft’s preeminent security protocol and that NTLM is both inefficient and, in some iterations, not strong enough to avoid concerted attack. NTLM V2 using complex passwords stands up well to common hash cracking tools...

Hi folks, Jonathan again. Ned is taking some time off visiting his old stomping grounds – the land of Mother-in-Laws and heart-breaking baseball. Or, as Sandburg put it: “ Hog Butcher for the World , Tool Maker, Stacker of Wheat, Player with Railroads and the Nation's Freight Handler;...

Hi folks, Ned here again with some possibly interesting, occasionally entertaining, and always unsolicited Friday mail sack. This week we talk some: DNS partition absence Controlling DCDIAG event messaging Inventorying SYSVOL replication architecture Weird WMI DFSR volume paths Tightening...

Hi folks, Ned here and welcoming you to 2012 with a new Friday Mail Sack. Catching up from our holiday hiatus, today we talk about: Disabling Administrative Shares Making Get-ADDomainController useful’er Kerberos group bloat USMT moving profiles back from other disks The DFSR...

Hi folks, Ned here again. This week we talk: CA migration from 1 to 2 tier ADAM/ADLDS P2V ABC 123 Managing AGPM security filters Multiple IIS App pools and Kerberos AGPM multi-domain comparison ADUC domain password weirdness DFSR deletion conflict handling Stale account deletion...

Hello folks, Ned here again with another Mail Sack. Before I get rolling though, a quick public service announcement: Plenty of you have downloaded the Windows 8 Developer Preview and are knee-deep in the new goo . We really want your feedback, so if you have comments, please use one of the following...

It’s been four years and 591 posts since AskDS reached critical mass. You’d hope our party would look like this:  But it’s more likely to be: Without you, we’d be another of those sites that glow red hot, go supernova, then collapse into a white dwarf . We really appreciate your comments, questions...

Hello all, Jonathan here again. Today, I want to address a question that we see regularly. As customers upgrade Active Directory, and they inevitably reach the point where they are ready to change the Domain or Forest Functional Level, they sometimes become fraught. Why is this necessary? What does this...

Hi folks, Ned here again. Today we discuss trusts rules around domain names, attribute uniqueness, the fattest domains we’ve ever seen, USMT data-only migrations, kicking FRS while it’s down, and a few amusing side topics. Scottie, don’t be that way. Go Mavs. Creating trusts...

Hello, faithful readers! Jonathan here again. Today I want to talk a little about Certification Authority monitoring and maintenance. This topic was brought to my attention by a recent case that I had where a customer’s CA database had grown to rather elephantine proportions over the course of...

Hi, folks! Jonathan here again, and today I want to talk about what appears to be an increasingly common topic: migrating from a single Windows Certification Authority (CA) to a multi-tier hierarchy. I’m going to assume that you already have a basic understanding of Public Key Infrastructure (PKI...

Three years ago today the AskDS site published its first post and had its first commenter . In the meantime we’ve created 455 articles and we’re now ranked 6th in all of TechNet’s blogs, behind AskPerf , Office2010 , MarkRussinovich , SBS , and HeyScriptingGuy . That’s a pretty amazing group to be lumped...

Hello, Internetz. Jonathan here again. Ned didn’t tell you the whole story. Not only did I have to wait for the truth serum to wear off; I also had to chew my way out the straps. Nevertheless, I’ve emerged victorious and have again successfully stormed the AskDS gates and vanquished Ned....

Hello Internet! Last week, Ned said there wouldn’t be a Mail Sack this week because he was going to be out of town. Well, the DS team was sitting around during our “Ned is out of our hair for a few days” party and we decided that since this is a Team Blog after all, we’d go ahead...

Greetings! This is Jonathan again. I was reviewing Chris’ excellent blog post series on designing and implementing a PKI when I realized that it would be helpful to better document the CAPolicy.inf file. The information in this post relies heavily on the information published in the Windows Server...

This is Jonathan Stephens from the Directory Services team, and I wanted to share with you a recent interoperability issue I encountered. An admin had set up an Apache web server with the OpenSSL mod for SSL/TLS support. Users were able to connect to the secure web site using Firefox, but when they tried...