AD Troubleshooting
AD and Domain-related issues and troubleshooting methods for Active Directory.
Enforce Smartcard on Access Check in Windows 2008 R2
A feature request I’ve seen customers frequently make is the ability to secure resources based...
Author: Ingolfur Arnar Stangeland Date: 01/15/2010
Windows 2020?
It's hard to believe we've had 10 years of Windows....however, with the Internet/IT year being 3...
Author: Ingolfur Arnar Stangeland Date: 12/30/2009
Optimizing DFS Referrals: SiteCostedReferrals and PreferLogonDC
In a multi-site infrastructure you would under most circumstances want to make sure that the client...
Author: Ingolfur Arnar Stangeland Date: 12/21/2009
The story of the Mysteriously Malfunctioning Mail Router (AKA EDNS and Exchange Escapades)
A small anecdote to illustrate how external changes outside of the control of the local...
Author: Ingolfur Arnar Stangeland Date: 12/11/2009
Fun with LDIFDE and MS09-056
The LDIFDE export tool that has shipped with all flavors of Windows since Windows 2000 is one of the...
Author: Ingolfur Arnar Stangeland Date: 12/08/2009
Troubleshooting autoenrollment
From my colleague Maria in the Domains team – a collection of useful bits for troubleshooting...
Author: Ingolfur Arnar Stangeland Date: 12/07/2009
Troubleshooting AD with Network Monitoring tools
In general, if you have an AD-related issue the following logs are useful: Event logs from the...
Author: Ingolfur Arnar Stangeland Date: 11/30/2009
Changes in default encryption type for Kerberos pre-authentication on Vista and Windows 7 clients cause security audit events 675 and 680 on Windows Server 2003 DC's
I had a case recently with the following case description: We’re auditing AD security events...
Author: Ingolfur Arnar Stangeland Date: 10/12/2009
The case of the mysterious account lockout coming from Exchange
I worked the following case recently: We have a single user that keeps getting his account locked out...
Author: Ingolfur Arnar Stangeland Date: 09/08/2009
Why living in the future is bad when you're a CA server (aka the story of 0x800b0101 CERT_E_EXPIRED)
I worked on the following case recently: We can't seem to enroll for certificates from our Windows...
Author: Ingolfur Arnar Stangeland Date: 09/02/2009
Troubleshooting account lockout the PSS way
I’ve been thinking for some time about pulling together the typical approaches we use when...
Author: Ingolfur Arnar Stangeland Date: 09/01/2009
Using Ultrasound for troubleshooting FRS
The Ultrasound tool is excellent for monitoring your FRS servers, it is however rarely something...
Author: Ingolfur Arnar Stangeland Date: 08/17/2009
Problems with introducing a new Windows Server 2008 DC into a Windows 2003 forest
The following case came in recently: I’ve added a new W2k8 DC to our domain, it seemed to replicate...
Author: Ingolfur Arnar Stangeland Date: 07/30/2009
EFS and Windows 2008 file servers
An interesting EFS case cropped up the other day, the problem description was this: We have just...
Author: Ingolfur Arnar Stangeland Date: 07/16/2009
How to make things better by making them worse
Does that sound right? Of course it doesn't...but in some cases that's just what troubleshooting is...
Author: Ingolfur Arnar Stangeland Date: 07/15/2009
What happens in a Journal Wrap?
FRS is a multi-master replication system that takes care of replicating the contents of Sysvol...
Author: Ingolfur Arnar Stangeland Date: 07/14/2009
What are Userenv 1030 and 1058 events?
These are very generic client events and are logged whenever the system fails to apply Group Policy...
Author: Ingolfur Arnar Stangeland Date: 07/13/2009
Trusts and isolated names and logon performance
While bouncing around ideas with colleagues more intelligent than me I was reminded of a case I had...
Author: Ingolfur Arnar Stangeland Date: 07/07/2009
RODC’s and Port Exhaustion
The problem of port exhaustion usually doesn’t affect DC’s to the same extent as it affects clients...
Author: Ingolfur Arnar Stangeland Date: 07/06/2009
Caveats for using RemoteApp and Roaming Profiles
A colleague had the following case the other week: We seem to be randomly losing settings like...
Author: Ingolfur Arnar Stangeland Date: 06/29/2009
New features in Windows 7
My 3 favorites: - Virtual Windows XP AKA 'XP Mode' (not all SKU's): This is basically a small Virtual...
Author: Ingolfur Arnar Stangeland Date: 06/23/2009
The golden rules of user resource management
If you make unlimited storage space available to users, your users will use unlimited storage...
Author: Ingolfur Arnar Stangeland Date: 06/22/2009
New AD features in Windows Server 2008 R2
My three favorites are: Cross-forest certificate autoenrollment: Makes it possible to share a CA server...
Author: Ingolfur Arnar Stangeland Date: 06/05/2009
NDES and certificate renewal with a Windows Server 2003 Back-end CA
With Windows Server 2003 MSCEP, you can enable your network devices to enroll for certificates....
Author: Ingolfur Arnar Stangeland Date: 06/04/2009
Installing DPM Agent on target server fails:
When the DPM agent is installed on a machine that is to be protected by DPM, the admin doing the...
Author: Ingolfur Arnar Stangeland Date: 06/02/2009
Considerations for implementing Credential Roaming
Credential Roaming is the replacement or alternative to using Roaming Profiles (or RUP - Roaming...
Author: Ingolfur Arnar Stangeland Date: 05/26/2009
Government issued ID cards and smartcard logons
I was recently involved in a support case concerning implementing government-issued ID cards...
Author: Ingolfur Arnar Stangeland Date: 04/24/2009
Troubleshooting RODC's: Troubleshooting RODC location in the DMZ
Consider the following scenario: A NAP solution with a remediation zone (aka noncompliant network)...
Author: Ingolfur Arnar Stangeland Date: 03/24/2009
CLM error: the directory property cannot be found in the cache
Author: Ingolfur Arnar Stangeland Date: 03/10/2009
Troubleshooting CLM: The directory property cannot be found in the cache
After installing CLM 2007 in your domain, you may see the following error within the CLM enrollment...
Author: Ingolfur Arnar Stangeland Date: 03/09/2009
How to install CLM 2007 on Windows Server 2008
- Get the updated CLM installation files (See issue 5 in KB946797) - The specific CLM FP1 build...
Author: Ingolfur Arnar Stangeland Date: 03/04/2009
QFE vs GDR/LDR hotfixes
I sometimes get the following question from customers: I’ve located KB ABC which is an exact...
Author: Ingolfur Arnar Stangeland Date: 03/04/2009
GDR vs QFE/LDR
[Image: The QFE/GDR process]
Author: Ingolfur Arnar Stangeland Date: 03/04/2009
Why should I restore System State rather than troubleshoot?
Some thoughts concerning why the quickest way to troubleshoot AD can be to simply restore the last...
Author: Ingolfur Arnar Stangeland Date: 02/25/2009
Using a custom template for Subordinate CA's
Problem: You have an Enterprise Root CA installed and want your SubCA to have a lifetime of 10 years...
Author: Ingolfur Arnar Stangeland Date: 01/14/2009
Converting AD attributes using FILETIME to a meaningful value
If you've ever looked at the raw attributes of an Active Directory object, you've no doubt noticed...
Author: Ingolfur Arnar Stangeland Date: 01/14/2009
The Windows Filtering Platform has blocked a bind to a local port
You may notice event 5159 being logged on your Windows 2008 Server(s) indicating a connection has...
Author: Ingolfur Arnar Stangeland Date: 01/08/2009
Schannel 36872 or Schannel 36870 on a Domain Controller
This event (and its cousin Schannel 36870) can indicate that there is a problem with the server...
Author: Ingolfur Arnar Stangeland Date: 01/05/2009
Configuring a Windows Server 2008 front-end web enrollment server for delegation
After you install the web enrollment pages on an external IIS7 web server, 2 additional steps are...
Author: Ingolfur Arnar Stangeland Date: 12/09/2008
Requiring Smart Cards for logon - what happens when CRL publication fails
Let's say your organization wants to make smartcards mandatory for all users as part of a security...
Author: Ingolfur Arnar Stangeland Date: 12/08/2008
Dude, where's my Forest Root?
Let's look at a hypothetical worst-case scenario: Your AD infrastructure contains one root...
Author: Ingolfur Arnar Stangeland Date: 11/07/2008
Windows
Author: Ingolfur Arnar Stangeland Date: 10/21/2008
Time travel and factors that increase client startup or login time
This entry is written concerning the following issue; How applications and services can add to the...
Author: Ingolfur Arnar Stangeland Date: 10/21/2008
What happens when a group is deleted
A Critsit from a large enterprise customer came in the other day, problem description was as...
Author: Ingolfur Arnar Stangeland Date: 09/29/2008
Netlogon 5719 and the Disappearing Domain [Controller]
Netlogon is a client and a server component; when it logs 5719 it is acting as a client and trying...
Author: Ingolfur Arnar Stangeland Date: 09/18/2008
What is logged to the Userenv.log file?
Winlogon is the main component that logs data to the Userenv.log file (through userenv.dll). If...
Author: Ingolfur Arnar Stangeland Date: 09/17/2008
Troubleshooting RODC's: Troubleshooting domain joins against RODC's
So, the first question…do you need to deploy the RODC compatibility pack on your XP/2003...
Author: Ingolfur Arnar Stangeland Date: 08/13/2008
Naming schemes to avoid in AD
At some point, you'll find yourself in the situation where you need to decide on a naming scheme for...
Author: Ingolfur Arnar Stangeland Date: 07/03/2008
Troubleshooting AD Replication
Replication is another common AD troubleshooting scenario. AD replication issues usually turn out to...
Author: Ingolfur Arnar Stangeland Date: 05/05/2008
OS Security settings that affect CLM
This is a collection of non-CLM specific permissions and user rights which affect the operation of...
Author: Ingolfur Arnar Stangeland Date: 04/22/2008