AD Troubleshooting
AD and Domain-related issues and troubleshooting methods for Active Directory.
For configuration , Online Responder revocation provider either has no CRL information or has stale CRL information
This is typically related to the CRLs of the issuing CA or Root CA having expired in their current...
Author: Ingolfur Arnar Stangeland Date: 12/09/2011
Cached logons and CachedLogonsCount
A co-worker of mine had a case with the following description: We've set the CachedLogonsCount...
Author: Ingolfur Arnar Stangeland Date: 12/06/2011
SENS and Sensibility
SENS is an acronym for the System Event Notification Service. On Windows XP/W2k3 SENS is baked into...
Author: Ingolfur Arnar Stangeland Date: 11/25/2011
The return of PAC-mania [AKA some reasons why PAC verification can fail]
There's tons of good stuff out there on Kerberos PAC verification - but with current trends showing...
Author: Ingolfur Arnar Stangeland Date: 11/14/2011
The Legacy of the Past Tense
When working with Microsoft technologies you'll inevitably come across references to Legacy APIs,...
Author: Ingolfur Arnar Stangeland Date: 10/26/2011
Bad Data error message in FIM CM web portal
A customer with a FIM CM installation called in with the following problem description: We have an...
Author: Ingolfur Arnar Stangeland Date: 10/17/2011
CAPI2 event ID 11 retake
A customer put the following questions to one of my colleagues: On a lot of our Windows 7 clients...
Author: Ingolfur Arnar Stangeland Date: 09/27/2011
ADFS Event ID 364 on ADFS 2.0 proxy
Problem: The following is logged in the event log on an ADFS Proxy or ADFS Server: Log Name: AD FS...
Author: Ingolfur Arnar Stangeland Date: 09/16/2011
The return of the son of Visio Network Topology Diagrammer
The Microsoft Active Directory Topology Diagrammer is back in a fresh new release from June 2011, a...
Author: Ingolfur Arnar Stangeland Date: 09/12/2011
Event ID 29 when starting KDC service on Windows Server 2008 R2 DC's
I got the following escalation the other week: We’re getting Event ID 29 on our new W2k8 R2...
Author: Ingolfur Arnar Stangeland Date: 09/12/2011
Using Wevtutil to capture and view the CAPI2 Operational log
CAPI2 events are logged to Application Logs\Microsoft\Windows\CAPI2\Operational. However, CAPI2 logging...
Author: Ingolfur Arnar Stangeland Date: 09/09/2011
The effect on Cached Logons when Smart Card is required for interactive logon is set
I had a very interesting escalation last week: We want to require our users to log on to our Windows...
Author: Ingolfur Arnar Stangeland Date: 08/29/2011
Massaging the XP registry for logon performance
There are two registry settings on Windows XP clients that have been observed to be key catalysts...
Author: Ingolfur Arnar Stangeland Date: 08/29/2011
How to create 1 million OU's and linked GPO's using PowerShell
If you find yourself with a dull moment on a Monday afternoon and feel like capacity testing your...
Author: Ingolfur Arnar Stangeland Date: 08/23/2011
Debug shortcuts for FIM/ILM/CLM
When getting an error back from one of the CLM policy modules that are loaded by the CA ("denied by...
Author: Ingolfur Arnar Stangeland Date: 07/31/2011
Credential Roaming and NTDS.dit bloat
Following up on a previous post about Credential Roaming (aka DIMS):...
Author: Ingolfur Arnar Stangeland Date: 06/14/2011
ADCS CA Server disaster recovery steps when smartcard logon is required but no valid CRL can be published
Consider the following disaster recovery scenario: The CA has become temporarily unavailable, the...
Author: Ingolfur Arnar Stangeland Date: 05/23/2011
Smartcard logon using certificates from a 3rd party on a Domain Controller and KDC Event ID 29
I was looking at the Windows Server 2008 R2 KDC architecture with my colleague Jan earlier today...
Author: Ingolfur Arnar Stangeland Date: 05/17/2011
Setting up ADFS 2.0 as an IDP for Visma Proceedo
I've put together a Word document with the details on how to set up a federation trust between Visma...
Author: Ingolfur Arnar Stangeland Date: 05/02/2011
The CA certificate that disappeared after the CMOS battery died
A colleague on our PKI Server alias got the following question from a partner: Our newly installed...
Author: Ingolfur Arnar Stangeland Date: 05/02/2011
Why is autoenrollment only happening if initiated manually through the MMC?
We resolved the following case recently: On our W2k8 R2 Domain Controllers, autoenrollment is not...
Author: Ingolfur Arnar Stangeland Date: 04/13/2011
Need to implement a test CA from scratch?
In that case, check out the Test Lab Guide: Base Configuration...
Author: Ingolfur Arnar Stangeland Date: 04/07/2011
Why can't I see any certificate templates when creating a certificate request within the IIS 7.x MMC?
My colleague Jan had the following case recently: Customer verbatim: We've created a custom web server...
Author: Ingolfur Arnar Stangeland Date: 04/06/2011
Why can't I see my local smartcard readers when I connect via RDP?
The way smartcard redirection works is that there is a code snippet in Winscard.dll that is only...
Author: Ingolfur Arnar Stangeland Date: 03/27/2011
Smartcard Redirection Diaries
Last month we finally closed two bugs that I've been engaged in on and off for well over a year and...
Author: Ingolfur Arnar Stangeland Date: 03/24/2011
OCSP error when verifying with Enterprise PKI MMC (PKIVIEW)
If you see a red ‘X’ in the Enterprise PKI MMC when verifying the status of the OCSP Responder you...
Author: Ingolfur Arnar Stangeland Date: 02/03/2011
Automatic logon to RDS using Smartcards with multiple certificates (with or without TS Gateway)
Got the following escalation recently from a customer that was implementing TS Gateway and...
Author: Ingolfur Arnar Stangeland Date: 01/27/2011
DCDIAG and the Not-N'sync Home Server
A customer called in with questions about the following error she received in Dcdiag: I ran DCDIAG /V...
Author: Ingolfur Arnar Stangeland Date: 01/12/2011
Credential Providers simplified pt1
GINA is dead.... the main reason is the fact that having more than one GINA on a system was...
Author: Ingolfur Arnar Stangeland Date: 12/21/2010
The 4 basic principles of PKI Troubleshooting
First of all, PKI is easy once you understand the basic principles. Don't give up :) When...
Author: Ingolfur Arnar Stangeland Date: 11/09/2010
The problem with problems...
Let's say you're looking at a glaring Red event in your event log that has an ominous ring to it or...
Author: Ingolfur Arnar Stangeland Date: 10/12/2010
ISA/TMG team in Sweden is hiring
Interested and qualified parties should check out...
Author: Ingolfur Arnar Stangeland Date: 09/20/2010
CAPI2 Event ID 11 errors on machines that don't have access to the Internet
See also http://blogs.technet.com/b/instan/archive/2011/09/27/capi2-event-id-11-retake.aspx for...
Author: Ingolfur Arnar Stangeland Date: 08/12/2010
Remote EFS decryption and Trusted for Delegation requirements
One of our customers reported the following: We have been evaluating EFS on Windows 7 as part of our...
Author: Ingolfur Arnar Stangeland Date: 08/11/2010
How FIM2010 CM & CLM 2007 search for users
User with FIM2010/CLM/ILM management permissions logs on to the CM website, accesses one of the...
Author: Ingolfur Arnar Stangeland Date: 07/29/2010
Can't find script engine "VBScript" for script after installing MS10-020
Summer is here and support volumes trickle down to a minimum as people jump into their SUVs and...
Author: Ingolfur Arnar Stangeland Date: 07/20/2010
Everything you wanted to know about Extended Validation but were afraid to ask
Well, maybe not quite... but hopefully it helps explain the concept better. SSL is not the trusted...
Author: Ingolfur Arnar Stangeland Date: 07/12/2010
The importance of being up to date
One of the best tips my mentor gave me when I started at Microsoft 7 years ago was the following: My...
Author: Ingolfur Arnar Stangeland Date: 07/07/2010
The case of the mysterious 10 minute logon delay
While looking at other things in Windows 7 I noticed that the Winlogon Notification timeout has been...
Author: Ingolfur Arnar Stangeland Date: 07/06/2010
UseSubjectAltName and smartcard logon
On Windows 7 clients, if a smartcard certificate contains a Subject Alternate Name (SAN) it will by...
Author: Ingolfur Arnar Stangeland Date: 06/16/2010
Exchange Powershell get-user cmdlet only recognizes certificates using the X500 format
The Windows OS supports 7 different types of entries in the Subject Alternate Names extension of...
Author: Ingolfur Arnar Stangeland Date: 05/31/2010
Event 6398 and Forefront Server Security
Customers may get this issue from time to time on every Sharepoint WFE server except one whenever...
Author: Ingolfur Arnar Stangeland Date: 05/31/2010
AD Recycle Bin and the conspicuously cloned user accounts conundrum
AD Users & Computers has a relatively unknown functionality that is exposed when you create a...
Author: Ingolfur Arnar Stangeland Date: 05/10/2010
The Smartcard Removal Policy Service and VPN
The ScPolicySvc service works by monitoring a specific registry key (See Deconstructing the...
Author: Ingolfur Arnar Stangeland Date: 05/04/2010
W2k3 R2 Adprep and isDefunct
Same as later versions of Adprep.exe, the version of Adprep that comes with Windows Server 2003 R2...
Author: Ingolfur Arnar Stangeland Date: 04/30/2010
The disappearing IAS certificate mystery
When PEAP is being set up on an IAS server, IAS asks for a certificate that it can use for setting...
Author: Ingolfur Arnar Stangeland Date: 04/19/2010
The caveats of using Group Policy Preferences on Terminal Servers
Note: this entry is about the Group Policy Preferences component and one aspect of it (which is...
Author: Ingolfur Arnar Stangeland Date: 04/15/2010
FIM 2010 and the effects of inheriting problems from your parent (OS)
From Angelo; a simple solution to a difficult problem that occurs when FIM falls victim to external...
Author: Ingolfur Arnar Stangeland Date: 04/01/2010
Deconstructing the Smartcard Removal Policy Service
Windows Vista and Windows Server 2008 introduced a new service that is dedicated to monitoring the...
Author: Ingolfur Arnar Stangeland Date: 03/08/2010
Windows 7 attempts to make LDAP queries to root domain during enrollment operations
In a case I worked recently, we discovered a side-effect of the new cross-forest enrollment...
Author: Ingolfur Arnar Stangeland Date: 02/24/2010