Browse by Tags

Heya folks, Ned here again. Rather than continue the lie that this series comes out every Friday like it once did, I am taking the corporate approach and rebranding the mail sack. Maybe we’ll have the occasional Collector’s Edition versions. This week month, I answer your questions on: The semi-myth...

Hi all, Ned here again to talk further about managing your RID pool . By default, a domain has capacity for roughly one billion security principals, such as users, security groups, managed service accounts, and computers. If you run out, you can’t create any more. There aren’t any domains with that many...

Hey all Rob Greene here again. Yeah, I know, it’s been a while since I’ve written anything for you good people of the Internet. I recently had an interesting issue with the Active Directory Web Services and the Active Directory Windows PowerShell 2.0 modules in Windows 7 and Windows Server...

Hi guys, Joji Oshima here again. When troubleshooting Kerberos authentication issues, a network capture is one of the best pieces of data to collect. When you review the capture, you may see various Kerberos errors but you may not know what they mean or if they are real problems. In this post, I’m going...

Hey all, Ned here with a quickie: Robert Paige just published an interesting read on Windows Server 2012 Dynamic Access Control over at the Windows Server blog: http://blogs.technet.com/b/wincat/archive/2012/07/20/diving-deeper-into-windows-server-2012-dynamic-access-control.aspx It highlights the work...

[This is a guest post from Joe Isenhour, a Senior Program Manager in Windows Server. You may remember him from his previous ADFS claims rule post . If you are not yet up to speed on the DAC security suite in Windows Server 2012, I recommend our own Mike Stephens’ treatise Understand and Troubleshoot...

Hey all, Ned here again with one of my rare public service announcement posts: In August 2012, Microsoft will issue a software update for Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. The update will block the use...

Hey all, Ned here with a quick “xerox” post: the Dynamic Access Control developers have released a good intro on their octo-feature through the Windows Server Blog: Introduction to Windows Server 2012 Dynamic Access Control It’s written by Nir Ben-Zvi, a Program Manager on the Windows Server development...

Hello all, Ned here again with our first mail sack in a couple months. I have enough content built up here that I actually created multiple posts, which means I can personally guarantee there will be another one next week. Unless there isn't! Today we answer your questions around: Detecting...

Hi folks, Ned here again (with some friends ). Everyone knows that Kerberos is Microsoft’s preeminent security protocol and that NTLM is both inefficient and, in some iterations, not strong enough to avoid concerted attack. NTLM V2 using complex passwords stands up well to common hash cracking tools...

Hi folks, Jonathan again. Ned is taking some time off visiting his old stomping grounds – the land of Mother-in-Laws and heart-breaking baseball. Or, as Sandburg put it: “ Hog Butcher for the World , Tool Maker, Stacker of Wheat, Player with Railroads and the Nation's Freight Handler;...

Ned here again, with a public service announcement similar to the previous one we did for RSA as it implicitly affects so many Microsoft customers. Symantec has announced: Symantec can confirm that a segment of its source code has been accessed. Upon investigation of the claims made by Anonymous...

Hi folks, Ned here again with some possibly interesting, occasionally entertaining, and always unsolicited Friday mail sack. This week we talk some: DNS partition absence Controlling DCDIAG event messaging Inventorying SYSVOL replication architecture Weird WMI DFSR volume paths Tightening...

Hi folks, Ned here and welcoming you to 2012 with a new Friday Mail Sack. Catching up from our holiday hiatus, today we talk about: Disabling Administrative Shares Making Get-ADDomainController useful’er Kerberos group bloat USMT moving profiles back from other disks The DFSR...

Hiya world, Ned is back with your best questions and comments. I’ve been off to teach this fall’s MCM , done Win8 stuff , and generally been slacking keeping busy; sorry for the delay in posting. That means a hefty backlog - get ready to slurp. Today we talk: Weirdness with NETDOM...

Hello folks, Ned here again with another Mail Sack. Before I get rolling though, a quick public service announcement: Plenty of you have downloaded the Windows 8 Developer Preview and are knee-deep in the new goo . We really want your feedback, so if you have comments, please use one of the following...

Hi folks, Ned coming to you from the secret underground redoubt, where the cable is out, the wife is at grad school , and the dogs are napping as autumn finally reaches North Carolina. I’m not a fan of blog posts that only aggregate links and don’t offer original thought. Today I make...

Hello again, this is guest author Herbert from Germany. It’s harder to let go of old components and protocols than dropping old habits. But, I’m falling back to an old habit myself…there goes the New Year resolution. Quite recently we were faced with a new aspect of an old story...

Hiya folks, Ned here again. When interviewing a potential support engineer at Microsoft, we usually start with a softball question like “what are the five FSMO roles?” Everyone nails that. Then we ask what each role does. Their face scrunches a bit and they get less assured. “The RID Master… hands out...

Hi. This is your guest writer Mark Renoden . I’m a Senior Premier Field Engineer based in Sydney, Australia and I’m going to talk to you about the use of Event Forwarding to collect security events. This is particularly useful when: You have specific events you’re looking for...

Hiya folks, Ned here again. This week we talk: DC DNS A Records and Web Servers Forwarding Security event log subscriptions Domain password filters Auditing NTLM vs NTLMv2 on Win2003 Programmatically determining if UNC is DFS namespace DFSR and Excel Shared Workbooks DFS, DC,...

Hi guys, Joji Oshima here with my first post. A common problem we see is SID translation failure. The problem usually occurs when you add users or groups from a trusted domain into your domain local groups. What you hope to see is the friendly names of the users, and their domain: Unfortunately...

Hi folks, Ned here again. This week we talk GUI metadata cleanup, your useless manager (attributes), USMT abandonment and weight issues, the meaning of the DFSR nothing state, and the usual “other stuff.” Metadata cleanup when moving DCs The Manager and ManagedBy attributes Overriding...

Hi folks, Ned here again. This week we talk about 10 reasons not to use list object access dsheuristics, USMT trivia nuggets, poor man’s DFSDIAG, how to get network captures without installing a network capture tool, and some other random goo. Oh yeah, and friggin’ Smurfs. The downsides...

Hi folks, Ned here again. Today we discuss trusts rules around domain names, attribute uniqueness, the fattest domains we’ve ever seen, USMT data-only migrations, kicking FRS while it’s down, and a few amusing side topics. Scottie, don’t be that way. Go Mavs. Creating trusts...