Tag Archive: Domain Controller

Feb 19

Windows 2008 NSPI Connection Changes

Windows 2008 changed the NSPI connection limit from unlimited to 50 connections. This can affect a number of applications, including Symantec, Blackberry, and others. The real issue involves 3rd-party (non-Microsoft) products (again, like Symantec & Blackberry). While Symantec may recommend setting this value to 0xffffffff (~4 billion), effectively rolling back this setting (to …


Feb 12

DNSLint: DNS Troubleshooter

One of the best DNS tools a Windows admin can use is DNSLint. While nslookup is fine for quick DNS lookups, DNSLint is the Swiss Army knife of DNS troubleshooting. Popular DNSLint command options: Test domain DNS records: dnslint /d domain.com. Test Active Directory records: dnslint /ad <DC_IP_ADDRESS> /s <DNS_SERVER>. Note: Add /v for …


Feb 04

Powershell Code: Finding Orphaned Group Policy Objects

Group Policy is an interesting thing when it comes to Active Directory components. One part of a Group Policy Object (GPO) is stored in Active Directory, specifically in the CN=Policies,CN=System,DC=domain,DC=tld container (for example: CN=Policies,CN=System,DC=metcorp,DC=org), which is replicated via AD replication. The other part is stored in SYSVOL, which is replicated by File Replication Service (FRS). Here’s the …


Feb 02

Powershell Code: Using Powershell to get Active Directory Creation Date & Domain Instantiation

One thing that has been bouncing around my head for a while is a method to identify the date Active Directory was installed. Thankfully, now I don’t have to. A recent Scripting Guy blog post describes exactly how to do this and also lists the dates when the last Schema Updates occurred. Here’s the code that …


Jan 30

Kerberos, Active Directory’s Secret Decoder Ring

Kerberos Overview

Kerberos is a protocol with roots at MIT, named after the three-headed dog, Cerberus. It is so named because there are 3 parties: the client, the resource server, and a 3rd party (the Key Distribution Center, KDC). Kerberos can be a difficult authentication protocol to describe, so I will attempt to simplify it as best as …


Jan 25

Active Directory Replication Overview & USN Rollback: What It Is & How It Happens

If you have experienced event ID 2095, then you understand how a USN Rollback can negatively affect AD consistency. What is a USN? The USN (Update Sequence Number) is a per-instance Active Directory database counter that increments every time a single change is committed to the AD database on a Domain Controller. The USN is …


Jan 25

Powershell Code: Create System State Backup

A common process for Active Directory Admins is to perform a System State Backup to ensure that AD is properly backed up. This backup can be restored when needed in the future. KB944530 describes how to modify the registry so you can back up a server to a volume that contains system files: Warning: Serious problems …


Jan 20

Active Directory Replication Site Link Schedules and Time Zones

Here’s an interesting question regarding AD site schedules. QUESTION: If there is a DC in Los Angeles and a DC in Washington DC with an AD site link schedule of 12pm – 5pm, when does replication actually occur? Note: There is a 3-hour time difference between LA and DC. ANSWER: The Washington DC Domain Controller …


Jan 18

Active Directory Replication Packet Capture

I was interested in what happens behind the scenes when one Domain Controller replicates to another, so I ran a packet capture to find out. My test environment for this packet capture is a single-forest, single-domain environment with two DCs, both running Windows Server 2008 R2. On …


Jan 15

Active Directory Domain Trusts & Trust Password Management

This content is now located at ADSecurity.org. Here’s the direct link: http://adsecurity.org/?p=425
