AD Troubleshooting
AD and Domain-related issues and troubleshooting methods for Active Directory.
Tagged Content List: troubleshooting active directory
Why am I seeing LsaSrv 45058 events on my client?
By Ingolfur Arnar Stangeland on 15 Nov 2012
From Julio: I recently installed a new server running Windows 2008 R2 (as a DC) and the related computers running Windows 7 Pro. The computers are joined to the domain. In a computer, which is shared by two users (userA and UserB), I see the following event on the Event Viewer while userA was logged...
Why doesn't a user get locked out after a number of invalid password attempts greater than the domain account lockout policy?
By Ingolfur Arnar Stangeland on 17 Sep 2012
We have an account lockout policy of 5 bad password attempts but we're seeing users presenting bad passwords up to several thousand times in the span of 15 minutes. I'm concerned about whether the policy is active or if we have a possible brute force password attack being attempted. After...
How to bulk create 10000 users and groups for your test environment
By Ingolfur Arnar Stangeland on 20 Aug 2012
For test lab scenarios where you quickly want to add a few thousand users you can run the following batch files in a DC: :Creates 10000 disabled user accounts with password Password1 For /l %%t IN (1,1,10000) do net user BulkUser%%t Password1 /add /PASSWORDREQ:YES /ACTIVE:NO :Bulk create 1000 groups...
ADFS case sensitivity
By Ingolfur Arnar Stangeland on 8 May 2012
ADFS is case-sensitive for the most part, but there are some sections of ADFS 2.0 where you might not need an exact match. In general you should however still try to make sure you both comply with the standard format for public attributes and settings and maintain consistency when referring to internal...
I'm your Clone Baby DC
By Ingolfur Arnar Stangeland on 24 Apr 2012
While doing some research on whether servers with identical SIDs (i.e. that have been cloned without Sysprep) pose either a security risk or an operational risk I came across the following blog entry by Mark Russinovich (Dark Lord of the Sid). The essence of it is as follows (I love summarizing...
PreferLogonDC issues on W2k8 R2 DC's
By Ingolfur Arnar Stangeland on 15 Apr 2012
A hotfix has recently been issued that resolves an issue where the Windows 7/Windows 2008 R2 client "forgets" its dynamic site name during the startup sequence. The net effect of this being that the client always makes additional generic DNS queries which return non-site specific DC names back to...
Deconstructing the KDC certificate processing functionality
By Ingolfur Arnar Stangeland on 2 Feb 2012
For a DC to be able to service smartcard logons the DC must have a valid and suitable certificate present in the personal store of the computer account. This is typically autoenrolled for whenever a Windows CA server has been installed into the AD environment. The KDC service on W2k8 R2 monitors the...
Changing the Primary Domain DNS name of this computer to "" failed.
By Ingolfur Arnar Stangeland on 14 Jan 2012
This is a bogus error message that can be safely ignored; it's caused by the domain join code ending up in a function which it doesn't need to run anyway during a domain join operation using the GUI. What's failing is the attempt to change the Primary DNS suffix of the machine after the domain join...
Primers for building a highly available Active Directory environment
By Ingolfur Arnar Stangeland on 5 Jan 2012
Notes from the field on things to consider with regards to maintaining Active Directory: Hardware Diversity - this includes virtualization and SANs. Read the official Microsoft notes on virtualization recommendations in the Technet article and KB below. DCs are designed to be redundant and distributed...
For configuration <CAName>, Online Responder revocation provider either has no CRL information or has stale CRL information
By Ingolfur Arnar Stangeland on 9 Dec 2011
This is typically related to the CRLs of the issuing CA or Root CA having expired in their current CDP location. To resolve it, check that all CAs are able to publish base CRLs and Delta CRLs to the locations defined on the OCSP Responder's certificate for that configuration. Another scenario is if...
Cached logons and CachedLogonsCount
By Ingolfur Arnar Stangeland on 6 Dec 2011
A co-worker of mine had a case with the following description: We've set the CachedLogonsCount registry value to 1 on our workstations because we want to limit the number of cached user logons in the LSA cache on the system. However, this seems to have the side-effect of sometimes making it impossible...
SENS and Sensibility
By Ingolfur Arnar Stangeland on 25 Nov 2011
SENS is an acronym for the System Event Notification Service. On Windows XP/W2k3 SENS is baked into Winlogon; in Vista+ it is a separate service hosted by one of the svchost.exe instances on the system. SENS is purely informational and reactive: other components subscribe to SENS notifications...
The return of PAC-mania [AKA some reasons why PAC verification can fail]
By Ingolfur Arnar Stangeland on 14 Nov 2011
There's tons of good stuff out there on Kerberos PAC verification, but with current trends showing an increase in incoming cases related to this type of issue I thought it would do me good to brush up on this and link the most relevant articles together. In short, PAC verification is the process where...
Bad Data error message in FIM CM web portal
By Ingolfur Arnar Stangeland on 17 Oct 2011
A customer with a FIM CM installation called in with the following problem description: We have an issue with our FIM CM portal where some smartcards are failing unblock or retire operations. Some cards are working fine but others give a "Bad Data" error message when a management operation is attempted...
CAPI2 event ID 11 retake
By Ingolfur Arnar Stangeland on 27 Sep 2011
A customer put the following questions to one of my colleagues: On a lot of our Windows 7 clients we've noticed they periodically try to download a CAB file from Windows Update, but as our workstations are required to access the Internet via Proxy and they aren't able to authenticate against it the...
The return of the son of Visio Network Topology Diagrammer
By Ingolfur Arnar Stangeland on 12 Sep 2011
The Microsoft Active Directory Topology Diagrammer is back in a fresh new release from June 2011, a must-have tool for anyone with an AD infrastructure beyond the basic setup that wants to get a birds-eye view of their AD topology with the click of a button. Requires Microsoft Office Visio and lots...
Using Wevtutil to capture and view the CAPI2 Operational log
By Ingolfur Arnar Stangeland on 9 Sep 2011
CAPI2 events are logged to Application Logs\Microsoft\Windows\CAPI 2\Operational. However, CAPI2 logging is off by default due to performance reasons. To enable CAPI2 Operational logging: wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true To clear the log so we only get the...
Massaging the XP registry for logon performance
By Ingolfur Arnar Stangeland on 29 Aug 2011
There are two registry settings on Windows XP clients that have been observed to be key catalysts for slow boot/slow logon scenarios (also referred to as SBSL). On the Windows XP side (SP3 must be present on all clients): Turn on opportunistic locking on the XP clients: - Review http:...
How to create 1 million OU's and linked GPO's using PowerShell
By Ingolfur Arnar Stangeland on 23 Aug 2011
If you find yourself with a dull moment on a Monday afternoon and feel like capacity testing your test lab with a large number of OU's and GPO's, then the following PowerShell script is for you. Note: *Don't* run this in a production environment; this is for testing purposes only. Sample PowerShell...
Credential Roaming and NTDS.dit bloat
By Ingolfur Arnar Stangeland on 14 Jun 2011
Following up on a previous post about Credential Roaming (aka DIMS): http://blogs.technet.com/b/instan/archive/2009/05/26/considerations-for-implementing-credential-roaming.aspx With a recent DCR to Windows 7 & W2k8 R2 ( http://support.microsoft.com/kb/2520487 ) it is now possible to filter out...
ADCS CA Server disaster recovery steps when smartcard logon is required but no valid CRL can be published
By Ingolfur Arnar Stangeland on 23 May 2011
Consider the following disaster recovery scenario: The CA has become temporarily unavailable, the current CRL and Delta CRL have expired and revocation checking is failing which is preventing smartcard logons. You have the private/public key pair of the CA certificate available and...
Why can't I see my local smartcard readers when I connect via RDP?
By Ingolfur Arnar Stangeland on 27 Mar 2011
The way smartcard redirection works is that there is a code snippet in Winscard.dll that is only invoked at the point in time when it loads. If Winscard is being loaded in a Terminal Session, all calls to that specific instance of Winscard are redirected to Winscard.dll on the host initiating...
Smartcard Redirection Diaries
By Ingolfur Arnar Stangeland on 24 Mar 2011
Last month we finally closed two bugs that I've been engaged in on and off for well over a year and released two related hotfixes in the February hotfix release batch. In late 2009, our Professional Support team got the following case from one of our ISV Partners (an established provider of security...
Automatic logon to RDS using Smartcards with multiple certificates (with or without TS Gateway)
By Ingolfur Arnar Stangeland on 27 Jan 2011
Got the following escalation recently from a customer that was implementing TS Gateway and smartcards with multiple logon certificates: When we connect with RemoteApp from our external workstations to the internal Terminal Server SSO seems to work fine if there is only one logon certificate present...
DCDIAG and the Not-N'sync Home Server
By Ingolfur Arnar Stangeland on 12 Jan 2011
A customer called in with questions about the following error she received in Dcdiag: I ran DCDIAG /V /E /C and found these errors at the end of it: Starting test: Intersite Doing intersite inbound replication test on site Contoso-HQ-CHI: Locating & Contacting Intersite Topology Generator (ISTG...
Page 1 of 3 (69 items)