AD Troubleshooting
AD and Domain-related issues and troubleshooting methods for Active Directory.
Iceland vNext evolution
This blog has been my scratchpad for the last 6 years or so for noting down interesting things...
Date: 07/16/2013
Peeling the onion - how many layers should your PKI have?
I've been talking to a colleague who insists a 1-tier PKI infrastructure is better than a...
Date: 07/05/2013
Assigning a static RPC port to ADLDS or ADAM for replication
Just wanted to put this here as it's not been easy to find this information anywhere: ADLDS registers...
Date: 06/26/2013
God mode on Windows 8
It's summer, you're bored enough to start reading random newsletters and then you pick up something...
Date: 06/25/2013
ADCS and dedicated CRL-signing certificates
We're seeing what appears to be random revocation checking failures on clients for certificates...
Date: 06/13/2013
PowerShelling your DC's
The following is useful for scenarios where you want to either batch process a command online...
Date: 05/04/2013
Getting FIM CM to inventory all certificate requests made outside of the FIM CM Portal
There's a neat policy module plug-in called "Support for non-FIM CM certificate requests" that's...
Date: 05/02/2013
ADFS, Antivirus and Backup and Monitoring
What do I need to do a Disaster Recovery of ADFS? What exclusions should I configure for my ADFS...
Date: 04/09/2013
The Power of POSH and Get-Help
If you ever find yourself yearning to break into Powershell for extending your technological...
Date: 03/23/2013
Installing ADFS 2.1 on Windows Server 2012 with Windows Internal Database fails if local GPO granting User Rights is overwritten at the Domain or OU-level
During the installation of ADFS 2.1 on Windows Server 2012 the Add-Role wizard grants the local...
Date: 03/21/2013
Upgrading from ADFS 2.0 to ADFS 2.1
[Note: this is a shortcut variation on the steps in the Technet article on...
Date: 03/20/2013
Fiddling with ADFS - end the infinite authentication loop
While working at a customer site the other day I was reminded of an article by Eric Lawrence on why...
Date: 03/20/2013
Quick inventory of all certificates expiring in the next XX days
A simple command line using Certutil to dump out all issued certificates on the server about to...
Date: 02/11/2013
Setting up your first ADFS POC
Here are the steps for setting up a POC for ADFS: First of all, you need to decide on what your...
Date: 02/08/2013
Tweaking ADCS performance
The default settings for ADCS are fine for smaller installations - however, once your CA database...
Date: 01/30/2013
TPM-CSP Autoenrollment failing with 0x8010002e SCARD_E_NO_READERS_AVAILABLE
We're attempting to enroll for certificates using a TPM chip on a laptop - it fails when...
Date: 12/27/2012
ADCS has become site-aware in Windows Server 2012
One of the largely unheralded big new features of Active Directory Certificate Services is that it...
Date: 12/17/2012
Why am I seeing LsaSrv 45058 events on my client?
From Julio: I recently installed a new server running Windows 2008 R2 (as a DC) and the related...
Date: 11/15/2012
XP and W2k3 Clients are by default unable to enroll from W2k12 CA servers
RPC Packet-level Authentication is by default turned on in Windows 2012 CA's. This can also be turned...
Date: 11/11/2012
Installing NDES restarts CertSvc service on target CA server
During the installation of NDES, two certificate templates (“Exchange Enrollment Agent...
Date: 10/27/2012
The tale of the phantom cached logon entry
We're logging on with smartcards to our laptops but we've recently discovered that you're also able...
Date: 10/23/2012
The end of days [for XP support]
In case you missed it - there is now less than 18 months of extended support for the venerable...
Date: 10/02/2012
Why doesn't a user get locked out after a number of invalid password attempts greater than the domain account lockout policy?
We have an account lockout policy of 5 bad password attempts but we're seeing users presenting bad...
Date: 09/17/2012
How to get email notifications about expiring certificates from FIM CM 2010
Just stumbled over this great article on how to do this over on the Technet Wiki at...
Date: 09/06/2012
How to bulk create 10000 users and groups for your test environment
For test lab scenarios where you quickly want to add a few thousand users you can run the following...
Date: 08/20/2012
How to identify if your ADCS has issued any certificates with public keys <1024 bits (in preparation for KB2661254)
On August 14th October 14th an update will be released that will by default affect chain validation...
Date: 08/03/2012
Quick and dirty inventory of certificate requests on a CA server
For troubleshooting purposes you may find the snippet below useful. It does the following: dumps out...
Date: 08/02/2012
Random Kryptonotes
Two separate blog posts to be aware of for anyone interested in cryptography (or Krypto Krap as a...
Date: 07/05/2012
Sending all mail using a postcard vs. using an envelope to protect it
Problem: Your users aren't using encryption for their email (for various reasons) but you still want...
Date: 07/03/2012
Cheat sheet for DFS-N and DFS-R on Windows 2008 R2 and Windows 7
Latest LDR DFSN/DFSR binaries for Windows 2008 R2/Windows 7 (as of 2012-05-31): Server-side:...
Date: 06/02/2012
The certificate template requires too many RA signatures
After copying the default Smartcard Logon or Smartcard User certificate template on a Windows 2008...
Date: 05/24/2012
Certificate Enrollment Web Services primers
From...
Date: 05/20/2012
Debunking Slow Logon Myths
Over the years, the following three causes for slow logons have been mistakenly identified as being...
Date: 05/09/2012
Controlling CSP selection during autoenrollment through the pKIDefaultCSPs attribute
Now that I've switched roles within Microsoft I will also be posting occasionally on the Swedish PFE...
Date: 05/09/2012
ADFS case sensitivity
ADFS is case-sensitive for the most part - but there are some sections of ADFS 2.0 where you might...
Date: 05/08/2012
Windows 8 shortcut keys
For the last couple of months I've been running with the Windows 8 Consumer Preview on my laptop....
Date: 05/01/2012
I'm your Clone Baby DC
While doing some research on whether servers with identical SIDs (i.e. that have been cloned without...
Date: 04/24/2012
Cheat sheet for Smartcard Redirection on W2k8 R2 RDP servers
Available Updates for Remote Desktop Services (Terminal Services) in Windows Server 2008...
Date: 04/16/2012
PreferLogonDC issues on W2k8 R2 DC's
A hotfix has recently been issued that resolves an issue where the Windows 7/Windows 2008 R2 client...
Date: 04/15/2012
Enrollment from Windows XP clients against Windows 8 CA server failing
When a certificate request is received by a certification authority (CA), encryption for the request...
Date: 03/26/2012
New hotfix for intermittent OCSP revocation failure issues on domain controllers available
A new hotfix for Cryptnet.dll on Windows Server 2008 R2 has been released which covers a scenario...
Date: 03/14/2012
Alternative methods to getting a standalone CA to issue smartcard certificates
We want to implement a smartcard solution but we're not ready for an implementation internally. We...
Date: 03/08/2012
Event ID 16944 - Certificate OID error on Domain Controllers during a successful smartcard logon
We're getting event ID 16944 events logged on our DC's every time a user logs on with a smartcard...
Date: 03/06/2012
Using S/MIME certificates for non-repudiation
Our current S/MIME certificate based on the User template allows users to both encrypt and sign...
Date: 02/15/2012
Deconstructing the KDC certificate processing functionality
For a DC to be able to service smartcard logons the DC must have a valid and suitable certificate...
Date: 02/02/2012
Changing the Primary Domain DNS name of this computer to "" failed.
This is a bogus error message that can be safely ignored - it's caused by the domain join code...
Date: 01/14/2012
Primers for building a highly available Active Directory environment
Notes from the field on things to consider with regards to maintaining Active Directory: Hardware...
Date: 01/05/2012
The Dark Side of Virtualization
Over the years I've been engaged in several AD disaster recovery scenarios where things ultimately...
Date: 01/03/2012
Using Wevtutil to capture and view the ADFS Debug log
When troubleshooting ADFS server-side issues it can be useful to turn on ADFS Debug logging on the...
Date: 12/15/2011
Windows 8 features
The Win8 Product Teams have started blogging about new features in the upcoming Windows 8 release....
Date: 12/13/2011