Have been struggling with an issue where "Constrained Delegation" is enabled for an application and it is doing multiple "Hops" from the application and eventually making it to a SQL Server. During the hops, an SPN is correctly presenting the Users TGT Hash as requested but then for some reason the TGT hash changes from an SPN to just … Continue reading "Kerberos Constrained Delegation, Double-Hops and Protocol Transition"
Microsoft has now officially deprecated FRS for Active Directory's use of it for SysVol replication. That doesn't mean it still isn't supported and it isn't going away anytime soon but it has been reported that the next major release will be the last to support FRS replication and that o/s will probably be shipped sometime … Continue reading "NTFRS Depricated with Windows Server 2012"
With the advent of Windows Server 2012 R2, Microsoft has worked diligently to provide support for virtualization and allow corporations to reduce costs by virtualizing as much hardware as possible. New features in 2012 R2 help prevent USN rollback and/or Lingering objects via the new VM-Generation ID. If a guest o/s is restored from a snapshot … Continue reading "Can I Virtualize ALL My DC’s In the Domain?"
Great news the Directory Services team has released ADMT for Server 2012/2012 R2. http://www.microsoft.com/en-us/download/details.aspx?id=19188
Recently I was given a server in a rush situation to promote a new DC. When I attempted to add the DC role the following error popped up "Update DirectoryServices-DomainController of package DirectoryServices-DomainController-Package failed to be turned on. Status: 0x80070bc9."
I ran across an issue the other day that had me scratching my head and calling PSS to try and track down the problem. For some reason we had members of a security group that were inconsistently being denied access to RDP to our SQL servers. There is a special group the SQL DB's belonged … Continue reading "Inconsistent Membership of a Security Group"
If you have ever run dcDiag and ended up with the error output as follows
So I have been banging my head against a wall trying to figure out why I have been getting these crazy errors in dcDiag. From all that I can tell replication is working as expected but yet I am getting errors that are mostly undocumented and difficult to find out any real information on. Starting … Continue reading "Unexplained dcDiag Errors"
To prevent having to restore objects from Active Directory due to accidentally deleting an object, you can have a remote DC which only sends/receives replication on a limited basis. You also want to prevent users from authenticating against, as well as services being used by other machines, since the metadata on this DC is aging … Continue reading "How to Build an AD Replication Delay (Lag) Site"
— (Note: This is a copy from another site and at this time my snapshots are missing)— Microsoft’s Preupgrade check list Before upgrading AD verify all current applications are compatible Verify you are on the correct version for 2008 For example, does your SAN at its current release support 2008 Does the version of Exchange you … Continue reading "Upgrading AD from 2003 to 2008"