The following script lists all users in the local Administrators group for all Windows servers in the domain.
AD
Client Connects to Random Domain Controller (Logonserver)
The solution is only relevant if you have a mixed 2003 and 2008 or 2012 and higher environment and it is because of the different default value for SiteCostedReferrals.
What is Subnet Netmask Ordering
Four things define whether a client talks to a remote DC: 1. AD sites (if there is no DC in the site it will select randomly). 2. Costed sites: if you do not cost the sites correctly then you will have issues, as they all cost the same so it does not care. 3. If the subnet in […]
Microsoft Best Practice Infrastructure Planning and Design Guide Series
I am surprised a lot of people do not know these guides exist: http://technet.microsoft.com/en-nz/solutionaccelerators/ee382254.aspx If you want to know how to configure your Active Directory environment and other Microsoft products, look at these first. Some of it is a bit out of date: For Exchange 2013 – If you want to know how to […]
Event ID: 4 The Kerberos client received a KRB_AP_ERR_MODIFIED Windows 2003 and Windows 2012 R2 DC Environment
Good timing for me, bad timing for those that already have 2012 R2 DCs in their domain. Event ID: 4 The Kerberos client received a KRB_AP_ERR_MODIFIED. There is a bug in Kerberos: when a Windows 2012 R2 DC is promoted in an environment where Windows 2003 DCs are present, there is a mismatch in the […]
Windows 2003 AD Migration to 2012 R2 AD Checklist
Overview: The following is a checklist I am compiling as I go through an upgrade of a Single Forest/Single domain AD environment. To give you an idea of scale: 4,500 clients, 500 servers and 5 AD Sites. My upgrade is in 4 steps: Upgrade schema, Test new 2012 R2 DCs, Replace all 2003 DCs, Upgrade functional Level […]
How do I find accounts that use DES encryption in Windows 2003 AD
As part of a Windows 2003 upgrade, one of the checks you need to do is for accounts that have been forced to use DES encryption. Why? Because Windows 2008 and higher have DES disabled by default, so these accounts will not work. Here is a PowerShell script that runs through your AD and finds […]