
Category Archives: 1063


The video of my presentation at TechEd North America 2014 is now available

Written on August 25, 2014 at 12:08 PM

Microsoft has posted the 80-minute video of PCIT-B341 Upgrading Active Directory the Safe Way: Using Virtualization Technologies, the session Mike Resseler and I presented on Friday May 15, 2014 at Microsoft TechEd North America 2014. You can watch this session free of charge over on Channel 9, regardless of whether you’ve attended TechEd North America […]

Security Thoughts: Leveraging NTLM Hashes using Kerberos RC4-HMAC encryption (AKA Aorato’s Active Directory Vulnerability)

Written on July 15, 2014 at 8:37 PM

In a blog post today, Tal Be’ery, Vice President Research at Aorato, an Israeli security company consisting of veterans of the Israeli Defense Forces specializing in Active Directory, published how weak encryption enables an attacker to change a victim’s password without being logged. Labeled as a vulnerability in Active Directory, this information sparked some controversy, so […]
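The technique in that post rests on the fact that the Kerberos RC4-HMAC encryption type keys tickets with the account’s NTLM hash, so any account that still permits RC4-HMAC is one whose NTLM hash is as good as its password to the KDC. The audit script below is an added example, not code from Aorato or from the original post: it decodes the msDS-SupportedEncryptionTypes bitmask (bit values as documented in MS-KILE) for every user and computer object and reports which accounts still permit RC4-HMAC. It assumes the ActiveDirectory RSAT module is installed and that the caller can read that attribute; the commented-out Set-ADObject line shows the AES-only value (0x18) for accounts you decide to restrict.

```powershell
# Added example (not part of the original post): find AD accounts that still permit
# Kerberos RC4-HMAC, whose session/ticket key is derived directly from the NTLM hash.
# Assumes the ActiveDirectory module (RSAT) and read access to msDS-SupportedEncryptionTypes.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes (MS-KILE 2.2.7).
$EncTypes = @{
    DES_CBC_CRC = 0x01
    DES_CBC_MD5 = 0x02
    RC4_HMAC    = 0x04
    AES128      = 0x08
    AES256      = 0x10
}

function ConvertFrom-SupportedEncryptionTypes {
    # Turn the bitmask into a readable list; an unset (null/0) attribute means the
    # domain defaults apply, which on 2012-era DCs still include RC4-HMAC.
    param([AllowNull()][int] $Value)
    if (-not $Value) { return 'Not set (domain default, RC4-HMAC permitted)' }
    ($EncTypes.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }) -join ','
}

# objectClass=user matches computer objects too, since computer derives from user.
$accounts = Get-ADObject -LDAPFilter '(objectClass=user)' `
    -Properties 'msDS-SupportedEncryptionTypes', sAMAccountName

$report = foreach ($a in $accounts) {
    $v = $a.'msDS-SupportedEncryptionTypes'
    [pscustomobject]@{
        Account    = $a.sAMAccountName
        Class      = $a.ObjectClass
        EncTypes   = ConvertFrom-SupportedEncryptionTypes $v
        PermitsRC4 = (-not $v) -or (($v -band $EncTypes.RC4_HMAC) -ne 0)
    }
}

# Accounts to look at first: privileged users and service accounts that permit RC4.
$report | Where-Object PermitsRC4 | Sort-Object Class, Account | Format-Table -AutoSize

# To restrict one account to AES only (0x08 + 0x10 = 0x18), after confirming that
# every client and service that authenticates to or as it supports AES:
# Set-ADObject -Identity <DistinguishedName> -Replace @{'msDS-SupportedEncryptionTypes' = 0x18}
```

Removing RC4-HMAC is a per-account change with compatibility consequences (older clients, third-party Kerberos stacks and trusts may only speak RC4), so treat the report as a work list rather than a script to apply blindly, and reset the affected passwords afterwards, since keys derived before the change remain valid until the password changes.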

KnowledgeBase: A Windows 8-based client computer or Windows Server 2012-based member server does not use the BitLocker Network Unlock feature

Written on December 16, 2013 at 1:15 PM

Last month, Microsoft released a KnowledgeBase article regarding BitLocker Network Unlock. In short, Windows 8-based and Windows Server 2012-based client computers may sometimes fail to receive or use the Network Unlock protector, depending on whether the client receives unrelated BOOTP replies from a DHCP server or WDS server during boot.
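Before chasing the BOOTP issue in the article, it is worth confirming that the Network Unlock protector was actually provisioned on the client, since a missing protector produces the same symptom (a PIN or recovery prompt at boot). The check below is an added example, not code from the KnowledgeBase article: it inspects the key protectors on the operating-system volume with the BitLocker module’s Get-BitLockerVolume cmdlet (available on Windows 8 and Windows Server 2012) and reports whether a TpmNetworkKey protector is present. The mount point defaults to the system drive; anything else is the caller’s assumption.

```powershell
# Added example (not from the original post or the KB article): report whether the
# OS volume carries a Network Unlock (TpmNetworkKey) protector at all.
# Assumes the BitLocker PowerShell module and an elevated session.
function Test-NetworkUnlockProtector {
    param(
        # Volume to inspect; defaults to the system drive.
        [string] $MountPoint = $env:SystemDrive
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    [pscustomobject]@{
        MountPoint        = $vol.MountPoint
        ProtectionStatus  = $vol.ProtectionStatus
        VolumeStatus      = $vol.VolumeStatus
        Protectors        = ($types -join ',')
        HasNetworkUnlock  = ($types -contains 'TpmNetworkKey')
        # Network Unlock only unlocks a volume that also has a TPM-based protector;
        # flag the combination the feature actually depends on.
        HasTpmProtector   = [bool]($types | Where-Object { $_ -like 'Tpm*' })
    }
}

$result = Test-NetworkUnlockProtector
$result | Format-List

if (-not $result.HasNetworkUnlock) {
    Write-Warning "No TpmNetworkKey protector on $($result.MountPoint): Network Unlock was never provisioned here, so the BOOTP issue in the KB article does not apply yet."
}
```

If the protector is present and protection is on, yet the machine still prompts at boot, the KnowledgeBase article’s scenario (stray BOOTP replies answered before the Network Unlock server) is the next thing to rule out; if the protector is absent, look at the Network Unlock Group Policy and certificate deployment first.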

KnowledgeBase: Lost secure channel takes a long time to be reestablished when RPC Endpoint Mapper is secured on Windows Server 2012 Domain Controllers

Written on December 16, 2013 at 9:48 AM

Microsoft has released a KnowledgeBase article, in which they describe an issue you might encounter in a multi-domain environment, resulting in a loss of the secure channel between the domains and a long time for the secure channel to become reestablished.

I will be hosting Veeam Webinars on Host-based Backup and Restore for Virtualized Active Directory Domain Controllers

Written on November 27, 2013 at 1:45 PM

On December 18, 2013, I will be hosting two webinars on backing up and restoring virtualized Active Directory Domain Controllers with Veeam’s Backup & Replication (B&R) v7. The session at 10 AM CET will be delivered in Dutch. The session at 1 PM CET will be delivered in English.

KnowledgeBase: Kerberos authentication fails when the computer tries to request a service ticket from a Windows Server 2012-based Domain Controller

Written on October 28, 2013 at 7:28 AM

Earlier this month, Microsoft released KnowledgeBase Article 2877460, describing an issue where Kerberos authentication to an Active Directory-integrated service may fail, despite proper implementation and time synchronization, with an error describing time differences between the Primary Domain Controller (PDC) and a Backup Domain Controller (BDC).

KnowledgeBase: Smart card logon option is displayed incorrectly on the logon screen in Windows 8 or Windows Server 2012

Written on October 22, 2013 at 6:29 AM

Last week, Microsoft published a new KnowledgeBase article detailing two issues with the way (virtual) Smart Card logon is displayed on the Windows 8 and Windows Server 2012 logon screen. The article contains a hotfix to address both issues.

KnowledgeBase: Group Policy Management Console (GPMC) reports a Processing Error while trying to detect Domain Controllers

Written on October 17, 2013 at 7:19 AM

Earlier this month, Microsoft released KnowledgeBase article 2891966. In this article, Microsoft engineers describe an issue when you open the Group Policy Management Console (gpmc.msc) and check the status of Active Directory and SYSVOL (DFSR) replication for the domain as it relates to Group Policy.

KnowledgeBase: Update adds support for Windows 8.1 and Windows Server 2012 R2 clients to Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012 KMS hosts

Written on October 9, 2013 at 8:30 PM

I’ve written before on Active Directory-based Activation. This new activation method allows domain-joined Windows 8 clients, Windows 8.1 clients, Windows Server 2012 and Windows Server 2012 R2-based member servers to be activated and deactivated automatically based on their domain membership. I’m very fond of this feature. However, for many enterprise organizations, Active Directory-based Activation is […]

Active Directory in Hyper-V environments, Part 10

Written on October 8, 2013 at 5:39 AM

As a regular reader of this blog you probably know that Active Directory Domain Services performs a storage trick to prevent corruption of the Active Directory database: it disables write-back caching on the physical spindle where the Active Directory database resides. This way, the Domain Controller asks the storage device to […]