AD Troubleshooting

AD and Domain-related issues and troubleshooting methods for Active Directory.

Iceland vNext evolution

This blog has been my scratchpad for the last 6 years or so for noting down interesting things...

Date: 07/16/2013

Peeling the onion - how many layers should your PKI have?

I've been talking to a colleague who insists a 1-tier PKI infrastructure is better than a...

Date: 07/05/2013

Assigning a static RPC port to ADLDS or ADAM for replication

Just wanted to put this here as it's not been easy to find this information anywhere: ADLDS registers...

Date: 06/26/2013

God mode on Windows 8

It's summer, you're bored enough to start reading random newsletters and then you pick up something...

Date: 06/25/2013

ADCS and dedicated CRL-signing certificates

We're seeing what appears to be random revocation checking failures on clients for certificates...

Date: 06/13/2013

PowerShelling your DC's

The following is useful for scenarios where you want to either batch process a command online...

Date: 05/04/2013

Getting FIM CM to inventory all certificate requests made outside of the FIM CM Portal

There's a neat policy module plug-in called "Support for non-FIM CM certificate requests" that's...

Date: 05/02/2013

ADFS, Antivirus and Backup and Monitoring

What do I need to do a Disaster Recovery of ADFS? What exclusions should I configure for my ADFS...

Date: 04/09/2013

The Power of POSH and Get-Help

If you ever find yourself yearning to break into Powershell for extending your technological...

Date: 03/23/2013

Installing ADFS 2.1 on Windows Server 2012 with Windows Internal Database fails if local GPO granting User Rights is overwritten at the Domain or OU-level

During the installation of ADFS 2.1 on Windows Server 2012 the Add-Role wizard grants the local...

Date: 03/21/2013

Upgrading from ADFS 2.0 to ADFS 2.1

[Note: this is a shortcut variation on the steps in the Technet article on...

Date: 03/20/2013

Fiddling with ADFS - end the infinite authentication loop

While working at a customer site the other day I was reminded of an article by Eric Lawrence on why...

Date: 03/20/2013

Quick inventory of all certificates expiring in the next XX days

A simple command line using Certutil to dump out all issued certificates on the server about to...

Date: 02/11/2013

Setting up your first ADFS POC

Here are the steps for setting up a POC for ADFS: First of all, you need to decide on what your...

Date: 02/08/2013

Tweaking ADCS performance

The default settings for ADCS are fine for smaller installations - however, once your CA database...

Date: 01/30/2013

TPM-CSP Autoenrollment failing with 0x8010002e SCARD_E_NO_READERS_AVAILABLE

We're attempting to enroll for certificates using a TPM chip on a laptop - it fails when...

Date: 12/27/2012

ADCS has become site-aware in Windows Server 2012

One of the largely unheralded big new features of Active Directory Certificate Services is that it...

Date: 12/17/2012

Why am I seeing LsaSrv 45058 events on my client?

From Julio: I recently installed a new server running Windows 2008 R2 (as a DC) and the related...

Date: 11/15/2012

XP and W2k3 Clients are by default unable to enroll from W2k12 CA servers

RPC Packet-level Authentication is by default turned on in Windows 2012 CA's. This can also be turned...

Date: 11/11/2012

Installing NDES restarts CertSvc service on target CA server

During the installation of NDES, two certificate templates (“Exchange Enrollment Agent...

Date: 10/27/2012

The tale of the phantom cached logon entry

We're logging on with smartcards to our laptops but we've recently discovered that you're also able...

Date: 10/23/2012

The end of days [for XP support]

In case you missed it - there is now less than 18 months of extended support for the venerable...

Date: 10/02/2012

Why doesn't a user get locked out after a number of invalid password attempts greater than the domain account lockout policy?

We have an account lockout policy of 5 bad password attempts but we're seeing users presenting bad...

Date: 09/17/2012

How to get email notifications about expiring certificates from FIM CM 2010

Just stumbled over this great article on how to do this over on the Technet Wiki at...

Date: 09/06/2012

How to bulk create 10000 users and groups for your test environment

For test lab scenarios where you quickly want to add a few thousand users you can run the following...

Date: 08/20/2012

How to identify if your ADCS has issued any certificates with public keys <1024 bits (in preparation for KB2661254)

On August 14th October 14th an update will be released that will by default affect chain validation...

Date: 08/03/2012

Quick and dirty inventory of certificate requests on a CA server

For troubleshooting purposes you may find the snippet below useful. It does the following: dumps out...

Date: 08/02/2012

Random Kryptonotes

Two separate blog posts to be aware of for anyone interested in cryptography (or Krypto Krap as a...

Date: 07/05/2012

Sending all mail using a postcard vs. using an envelope to protect it

Problem: Your users aren't using encryption for their email (for various reasons) but you still want...

Date: 07/03/2012

Cheat sheet for DFS-N and DFS-R on Windows 2008 R2 and Windows 7

Latest LDR DFSN/DFSR binaries for Windows 2008 R2/Windows 7 (as of 2012-05-31): Server-side:...

Date: 06/02/2012

The certificate template requires too many RA signatures

After copying the default Smartcard Logon or Smartcard User certificate template on a Windows 2008...

Date: 05/24/2012

Certificate Enrollment Web Services primers
Date: 05/20/2012

Debunking Slow Logon Myths

Over the years, the following three causes for slow logons have been mistakenly identified as being...

Date: 05/09/2012

Controlling CSP selection during autoenrollment through the pKIDefaultCSPs attribute

Now that I've switched roles within Microsoft I will also be posting occasionally on the Swedish PFE...

Date: 05/09/2012

ADFS case sensitivity

ADFS is case-sensitive for the most part - but there are some sections of ADFS 2.0 where you might...

Date: 05/08/2012

Windows 8 shortcut keys

For the last couple of months I've been running with the Windows 8 Consumer Preview on my laptop....

Date: 05/01/2012

I'm your Clone Baby DC

While doing some research on whether servers with identical SIDs (i.e. that have been cloned without...

Date: 04/24/2012

Cheat sheet for Smartcard Redirection on W2k8 R2 RDP servers

Available Updates for Remote Desktop Services (Terminal Services) in Windows Server 2008...

Date: 04/16/2012

PreferLogonDC issues on W2k8 R2 DC's

A hotfix has recently been issued that resolves an issue where the Windows 7/Windows 2008 R2 client...

Date: 04/15/2012

Enrollment from Windows XP clients against Windows 8 CA server failing

When a certificate request is received by a certification authority (CA), encryption for the request...

Date: 03/26/2012

New hotfix for intermittent OCSP revocation failure issues on domain controllers available

A new hotfix for Cryptnet.dll on Windows Server 2008 R2 has been released which covers a scenario...

Date: 03/14/2012

Alternative methods to getting a standalone CA to issue smartcard certificates

We want to implement a smartcard solution but we're not ready for an implementation internally. We...

Date: 03/08/2012

Event ID 16944 - Certificate OID error on Domain Controllers during a successful smartcard logon

We're getting event ID 16944 events logged on our DC's every time a user logs on with a smartcard...

Date: 03/06/2012

Using S/MIME certificates for non-repudiation

Our current S/MIME certificate based on the User template allows users to both encrypt and sign...

Date: 02/15/2012

Deconstructing the KDC certificate processing functionality

For a DC to be able to service smartcard logons the DC must have a valid and suitable certificate...

Date: 02/02/2012

Changing the Primary Domain DNS name of this computer to "" failed.

This is a bogus error message that can be safely ignored - it's caused by the domain join code...

Date: 01/14/2012

Primers for building a highly available Active Directory environment

Notes from the field on things to consider with regards to maintaining Active Directory: Hardware...

Date: 01/05/2012

The Dark Side of Virtualization

Over the years I've been engaged in several AD disaster recovery scenarios where things ultimately...

Date: 01/03/2012

Using Wevtutil to capture and view the ADFS Debug log

When troubleshooting ADFS server-side issues it can be useful to turn on ADFS Debug logging on the...

Date: 12/15/2011

Windows 8 features

The Win8 Product Teams have started blogging about new features in the upcoming Windows 8 release....

Date: 12/13/2011
