AD Troubleshooting

AD and Domain-related issues and troubleshooting methods for Active Directory.

For configuration , Online Responder revocation provider either has no CRL information or has stale CRL information

This is typically related to the CRL's of the issuing CA or Root CA having expired in their current...

Author: Ingolfur Arnar Stangeland Date: 12/09/2011

Cached logons and CachedLogonsCount

A co-worker of mine had a case with the following description: We've set the CachedLogonsCount...

Author: Ingolfur Arnar Stangeland Date: 12/06/2011

SENS and Sensibility

SENS is an acronym for the System Event Notification Service. On Windows XP/W2k3 SENS is baked into...

Author: Ingolfur Arnar Stangeland Date: 11/25/2011

The return of PAC-mania [AKA some reasons why PAC verification can fail]

There's tons of good stuff out there on Kerberos PAC verification - but with current trends showing...

Author: Ingolfur Arnar Stangeland Date: 11/14/2011

The Legacy of the Past Tense

When working with Microsoft technologies you'll inevitably come across references to Legacy API's,...

Author: Ingolfur Arnar Stangeland Date: 10/26/2011

Bad Data error message in FIM CM web portal

A customer with a FIM CM installation called in with the following problem description: We have an...

Author: Ingolfur Arnar Stangeland Date: 10/17/2011

CAPI2 event ID 11 retake

A customer put the following questions to one of my colleagues: On a lot of our Windows 7 clients...

Author: Ingolfur Arnar Stangeland Date: 09/27/2011

ADFS Event ID 364 on ADFS 2.0 proxy

Problem: The following is logged in the event log on an ADFS Proxy or ADFS Server: Log Name: AD FS...

Author: Ingolfur Arnar Stangeland Date: 09/16/2011

The return of the son of Visio Network Topology Diagrammer

The Microsoft Active Directory Topology Diagrammer is back in a fresh new release from June 2011, a...

Author: Ingolfur Arnar Stangeland Date: 09/12/2011

Event ID 29 when starting KDC service on Windows Server 2008 R2 DC's

I got the following escalation the other week: We’re getting Event ID 29 on our new W2k8 R2...

Author: Ingolfur Arnar Stangeland Date: 09/12/2011

Using Wevtutil to capture and view the CAPI2 Operational log

CAPI2 events are logged to Application Logs\Microsoft\Windows\CAPI 2\Operational. However, CAPI2 logging...

Author: Ingolfur Arnar Stangeland Date: 09/09/2011

The effect on Cached Logons when Smart Card is required for interactive logon is set

I had a very interesting escalation last week: We want to require our users to log on to our Windows...

Author: Ingolfur Arnar Stangeland Date: 08/29/2011

Massaging the XP registry for logon performance

There are two registry settings on Windows XP clients that have been observed to be key catalysts...

Author: Ingolfur Arnar Stangeland Date: 08/29/2011

How to create 1 million OU's and linked GPO's using PowerShell

If you find yourself with a dull moment on a Monday afternoon and feel like capacity testing your...

Author: Ingolfur Arnar Stangeland Date: 08/23/2011

Debug shortcuts for FIM/ILM/CLM

When getting an error back from one of the CLM policy modules that are loaded by the CA ("denied by...

Author: Ingolfur Arnar Stangeland Date: 07/31/2011

Credential Roaming and NTDS.dit bloat

Following up on a previous post about Credential Roaming (aka DIMS):...

Author: Ingolfur Arnar Stangeland Date: 06/14/2011

ADCS CA Server disaster recovery steps when smartcard logon is required but no valid CRL can be published

Consider the following disaster recovery scenario: The CA has become temporarily unavailable, the...

Author: Ingolfur Arnar Stangeland Date: 05/23/2011

Smartcard logon using certificates from a 3rd party on a Domain Controller and KDC Event ID 29

I was looking at the Windows Server 2008 R2 KDC architecture with my colleague Jan earlier today...

Author: Ingolfur Arnar Stangeland Date: 05/17/2011

Setting up ADFS 2.0 as an IDP for Visma Proceedo

I've put together a Word document with the details on how to set up a federation trust between Visma...

Author: Ingolfur Arnar Stangeland Date: 05/02/2011

The CA certificate that disappeared after the CMOS battery died

A colleague on our PKI Server alias got the following question from a partner: Our newly installed...

Author: Ingolfur Arnar Stangeland Date: 05/02/2011

Why is autoenrollment only happening if initiated manually through the MMC?

We resolved the following case recently: On our W2k8 R2 Domain Controllers, autoenrollment is not...

Author: Ingolfur Arnar Stangeland Date: 04/13/2011

Need to implement a test CA from scratch?

In that case, check out the Test Lab Guide: Base Configuration...

Author: Ingolfur Arnar Stangeland Date: 04/07/2011

Why can't I see any certificate templates when creating a certificate request within the IIS 7.x MMC?

My colleague Jan had the following case recently: Customer verbatim: We've created a custom web server...

Author: Ingolfur Arnar Stangeland Date: 04/06/2011

Why can't I see my local smartcard readers when I connect via RDP?

The way smartcard redirection works is that there is a code snippet in Winscard.dll that is only...

Author: Ingolfur Arnar Stangeland Date: 03/27/2011

Smartcard Redirection Diaries

Last month we finally closed two bugs that I've been engaged in on and off for well over a year and...

Author: Ingolfur Arnar Stangeland Date: 03/24/2011

OCSP error when verifying with Enterprise PKI MMC (PKIVIEW)

If you see a red ‘X’ in the Enterprise PKI MMC when verifying the status of the OCSP Responder you...

Author: Ingolfur Arnar Stangeland Date: 02/03/2011

Automatic logon to RDS using Smartcards with multiple certificates (with or without TS Gateway)

Got the following escalation recently from a customer that was implementing TS Gateway and...

Author: Ingolfur Arnar Stangeland Date: 01/27/2011

DCDIAG and the Not-N'sync Home Server

A customer called in with questions about the following error she received in Dcdiag: I ran DCDIAG /V...

Author: Ingolfur Arnar Stangeland Date: 01/12/2011

Credential Providers simplified pt1

GINA is dead.... the main reason is the fact that having more than one GINA on a system was...

Author: Ingolfur Arnar Stangeland Date: 12/21/2010

The 4 basic principles of PKI Troubleshooting

First of all; PKI is easy once you understand the basic principles. Don't give up :) When...

Author: Ingolfur Arnar Stangeland Date: 11/09/2010

The problem with problems...

Let's say you're looking at a glaring Red event in your event log that has an ominous ring to it or...

Author: Ingolfur Arnar Stangeland Date: 10/12/2010

ISA/TMG team in Sweden is hiring

Interested and qualified parties should check out...

Author: Ingolfur Arnar Stangeland Date: 09/20/2010

CAPI2 Event ID 11 errors on machines that don't have access to the Internet

See also http://blogs.technet.com/b/instan/archive/2011/09/27/capi2-event-id-11-retake.aspx for...

Author: Ingolfur Arnar Stangeland Date: 08/12/2010

Remote EFS decryption and Trusted for Delegation requirements

One of our customers reported the following: We have been evaluating EFS on Windows 7 as part of our...

Author: Ingolfur Arnar Stangeland Date: 08/11/2010

How FIM2010 CM & CLM 2007 search for users

User with FIM2010/CLM/ILM management permissions logs on to the CM website, accesses one of the...

Author: Ingolfur Arnar Stangeland Date: 07/29/2010

Can't find script engine "VBScript" for script after installing MS10-020

Summer is here and support volumes trickle down to a minimum as people jump into their SUV's and...

Author: Ingolfur Arnar Stangeland Date: 07/20/2010

Everything you wanted to know about Extended Validation but were afraid to ask

Well, maybe not quite... but hopefully it helps explain the concept better. SSL is not the trusted...

Author: Ingolfur Arnar Stangeland Date: 07/12/2010

The importance of being up to date

One of the best tips my mentor gave me when I started at Microsoft 7 years ago was the following: My...

Author: Ingolfur Arnar Stangeland Date: 07/07/2010

The case of the mysterious 10 minute logon delay

While looking at other things in Windows 7 I noticed that the Winlogon Notification timeout has been...

Author: Ingolfur Arnar Stangeland Date: 07/06/2010

UseSubjectAltName and smartcard logon

On Windows 7 clients, if a smartcard certificate contains a Subject Alternate Name (SAN) it will by...

Author: Ingolfur Arnar Stangeland Date: 06/16/2010

Exchange Powershell get-user cmdlet only recognizes certificates using the X500 format

The Windows OS supports 7 different types of entries in the Subject Alternate Names extension of...

Author: Ingolfur Arnar Stangeland Date: 05/31/2010

Event 6398 and Forefront Server Security

Customers may get this issue from time to time on every Sharepoint WFE server except one whenever...

Author: Ingolfur Arnar Stangeland Date: 05/31/2010

AD Recycle Bin and the conspicuously cloned user accounts conundrum

AD Users & Computers has a relatively unknown functionality that is exposed when you create a...

Author: Ingolfur Arnar Stangeland Date: 05/10/2010

The Smartcard Removal Policy Service and VPN

The ScPolicySvc service works by monitoring a specific registry key (See Deconstructing the...

Author: Ingolfur Arnar Stangeland Date: 05/04/2010

W2k3 R2 Adprep and isDefunct

Same as later versions of ADPRep.exe, the version of Adprep that comes with Windows Server 2003 R2...

Author: Ingolfur Arnar Stangeland Date: 04/30/2010

The disappearing IAS certificate mystery

When PEAP is being set up on an IAS server, IAS asks for a certificate that it can use for setting...

Author: Ingolfur Arnar Stangeland Date: 04/19/2010

The caveats of using Group Policy Preferences on Terminal Servers

Note: this entry is about the Group Policy Preferences component and one aspect of it (which is...

Author: Ingolfur Arnar Stangeland Date: 04/15/2010

FIM 2010 and the effects of inheriting problems from your parent (OS)

From Angelo; a simple solution to a difficult problem that occurs when FIM falls victim to external...

Author: Ingolfur Arnar Stangeland Date: 04/01/2010

Deconstructing the Smartcard Removal Policy Service

Windows Vista and Windows Server 2008 introduced a new service that is dedicated to monitoring the...

Author: Ingolfur Arnar Stangeland Date: 03/08/2010

Windows 7 attempts to make LDAP queries to root domain during enrollment operations

In a case I worked recently, we discovered a side-effect of the new cross-forest enrollment...

Author: Ingolfur Arnar Stangeland Date: 02/24/2010
