Recently I was asked by a client to produce a list of firewall ports that are used by Active Directory Domain Services (AD DS), specifically those for domain controllers. This is what I came up with: TCP and UDP 389 Directory, Replication, User and Computer Authentication, Group Policy, Trusts LDAP TCP 636 Directory, Replication, User … Continue reading Domain Controller Ports
I was bulk-creating users for a test environment today, and in doing so, I borrowed a script from an article online, which set the password for all users to 'Pa$$word'. I usually use a variation on the same for test environments, but I opted to leave this one as it was. The script worked. A … Continue reading A PowerShell Gotcha
I have been saying for years that a good IT department in a secure, well-managed infrastructure will give their end users the tools they need to do their job… and nothing more. If that is true for end users, shouldn’t it also be true for the IT department themselves? It is frustrating to see the number … Continue reading Delegating Control in Active Directory
I came to this realization last year, but I don't think I wrote about it. When monitoring domain controllers, specifically domain controllers running on Windows Server 2016, and specifically with System Center Operations Manager 2016 (and later, I assume), you have a bit of an issue when you deploy the SCOM Agent to the server. It deploys, … Continue reading Domain Controller Health Service Lockdown Issue with SCOM 2016
A few years ago, Microsoft introduced the Active Directory Recycle Bin to Windows Server. Wonderful! It is not enabled out of the box, but it is reasonably simple to enable... except, it is not. Firstly, you can do it in the GUI... Open the Active Directory Administrative Center, navigate to local (local), and then in the … Continue reading Active Directory Recycle Bin
I needed to build a new domain controller for a friend’s company recently. It is something that I have done so many times over the past two decades that some things are just instinctive… like typing dcpromo to create a domain controller. Right… I had forgotten about that. dcpromo has been deprecated. You could go … Continue reading DCPromo No More… PowerShell!
For the past several years nearly every client of mine (that I have consulted on Active Directory) has been introduced to the Microsoft Security Compliance Manager (SCM), a great tool that helped create Group Policy Objects (GPOs) for any number of Organizational Units (OUs), including Default Domain Policy, Domain Controller Policy, Client Workstation Policy, and … Continue reading SCM is gone… Say Hi to SCT.
Yeah yeah, I know… A little while ago I talked about how to determine the Distinguished Name (DN) of an Active Directory Object, and I got a flurry of requests for doing it with PowerShell. Now, normally I do like to show you how to do things via the GUI, and then what the PowerShell … Continue reading Distinguished Names: How do I…
Several years ago Steve Syfuhs and I sat down and figured out how to create a new Active Directory forest in Windows Server Core. It was an interesting experience, and even though I later gave rights to that article to the Canadian IT Pro Team (at the time it was Damir Bersinic) when you search … Continue reading Creating a New AD Forest in Windows Server Core (Revisited)
Like all of you I never expect a day that starts with a call to IT Helpdesk to go well. Fortunately this story has a happy ending. This morning I got to my desk and discovered that my laptop corrupted somehow last night. No problem – Windows 8 has some great self-healing tools built in, … Continue reading BitLocker Recovery
This post was originally written for the Canadian IT Pro Connection. There are three concepts in Microsoft licensing that people often mistake for a single entity, when in fact the three are connected but very separate. They are: Licensing, Activation, and Product Keys. Because the three are so tied together it is easy to get yourself … Continue reading Activation Headaches: Here is your aspirin!
Earlier this year I published an article in which I told you that it was okay to virtualize your domain controllers; however in the piece I opposed the idea of doing a P2V (physical to virtual) migration of them, or to upgrade them from one version of the OS to another. This weekend I followed … Continue reading Following My Own Advice: New DCs at SWMI
I am asked all the time what the best practices are for domain controllers in a virtualized environment. There are several that I will call out, but let’s begin with the simplest rule. You should never have ONE domain controller. This rule is not only true in virtualized environments, it is always true. If you … Continue reading Virtualizing your Domain Controllers