The things that are better left unspoken

Common Challenges when Managing Active Directory Domain Services, Part 2: Unnecessary Complexity and Token Bloat

Sander Berkouwer — Wed, 22 May 2013 12:01:50 GMT

A lot of organizations run Active Directory Domain Services as their Identity and Access Management (IAM) solutions. Their Domain Controllers unlock access to the simplified view on the organization’s processes, structure and systems, so people can perform the jobs they were hired to do.

Now, not every organization acknowledges the importance of an up to date and lean Active Directory environment. In this series, I will show you four of the key challenges involved with managing Active Directory for any organization and how to solve them. This series will focus most on the data inside the Active Directory database, instead of the actual technical implementation of Domain Controllers and such. My first post in this series addressed stale objects and their security risks.

The challenge

Today, we’ll dive deeper into unnecessary complexity within the Active Directory database on your Domain Controllers. When I talk about unnecessary complexity, I’m mostly referring to a group structure in Active Directory where groups, organizational units (OUs) and access control lists (ACLs) were once used to mimic the structure of the organization and its systems, but where this structure has been circumvented, misunderstood and/or neglected, resulting in duplicate group memberships and improper nesting.

This type of misconfiguration leads to:

Inability to audit (see who has access where, why and since when)
More time needed to resolve common issues like granting or revoking access
More time needed to get acquainted with the environment for new admins
Deviance of Microsoft’s best practices, resulting in a higher risk of data and productivity loss
Token bloat

Of these consequences, token bloat is the most serious.

Token bloat

Active Directory uses Kerberos v5 as one of its authentication protocols, based on RFC 1510. As part of the Kerberos authentication process, a Kerberos token is generated. This access token is created for the user containing all security groups to which they belong. These memberships will be enumerated. The group memberships are used for authorization purposes.

The amount of groups a user belongs to and sIDHistory determine the size of the access token. Since this token has to be transferred over the network and cached in memory, size matters. A smaller access token results in faster logon times and improved system responsiveness. Large access tokens will result in unreliable logon experiences.

As Microsoft has set a maximum to the size of the access token, eventually, users with many group memberships will be unable to log on. The MaxTokenSize is set to 8,00 bytes in Windows 2000 Server pre-SP2 and 12,000 bytes in Windows 2000 Server SP2+, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008 and Windows Server 2008 R2, by default. In Windows Server 2012, the default value is set to 48,000 bytes to accommodate for Dynamic Access Control.

(Part of) The solution

In the case of unnecessary complexity, Active Directory should be cleaned up. However, it’s idealistic to think you and your organization can start over, design a new view of your organization and be done with it.

Optimizing communication

First of all, the root of the problem is not the unnecessary complexity, but the way this complexity was (unnecessarily) introduced by admins who were not clear with the procedures to manage objects, grant access and revoke access. Another cause might be an overhaul of the business without Active Directory ever getting remodeled to the new situation.

Before you can go and perform a meaningful and long lasting spring cleanup of the data in Active Directory, you will need to have a plan of what the information in Active Directory should look like and how to keep the information up to date. This should be captured in a design and corresponding policies with accompanying management procedures and auditing.

Tip!
Needless to say, this design, the policies and procedures should be kept up to date and thus reviewed regularly.

Mitigating factors

If you’re running into Token Bloat situations, you can opt to increase the MaxTokenSize, on all your servers and workstations, but this will only fix this problem in the short run. Communication, processes and cleanup will fix your environment in the long run. It might, however, be helpful to perform the following actions:

Upgrade or migrate Domain Controllers running versions of Windows Server before Windows Server 2012. The improved Resource SID Compression feature in Windows Server 2012 helps reduce the size of the access token.
Clear sIDHistory. sIDHistory is a method of retaining old SIDs and thus group memberships for access in Active Directory migration scenarios. As a result, when a user with sIDHistory logs on, the access token will contain both the information for the new Active Directory environment and the old environment.
Limit the number of users that are configured to use trusted for delegation. For accounts that are configured to use "trusted for delegation" the buffer requirements for each SID may double.

Cleanup

With the policy in hand, you can now dig into your Active Directory and clean things up. Naming conventions for groups and accounts can be executed upon and kinks in group memberships can be ironed out.

A couple of solutions exist today to help you with Active Directory inventory and cleanup.

When it comes to group inventory, and especially the effective rights on a NTFS folder gained by group membership, the amount of available tools diminishes fast. STEALTHbits offers a free StealthAUDIT Active Directory Assessment aiming at the above issues, able to report on:

Circular, improper and deep nesting
In Microsoft’s best practices for Active Directory, the AGULP (Account, Global Groups, Universal Groups, Local Groups, Permissions ) principle is used to nest groups into groups. However, when fully anticipating for all Active Directory use cases, token bloat is easily encountered.
Empty groups
A group without members might indicate an unnecessary group.
Direct and effective duplicate group membership
Groups with direct of effective duplicate membership are prime targets to be consolidated. One or more groups can be consolidated based on the outcome to minimize token size and to minimize the possibility of admin adding a group or user to the wrong group.
Stale groups
When a group has a large percentage of members that have been inactive for a period of time, the group may be stale and thus ready for consolidation.
Groups without a description or manager
Documentation within Active Directory to indicate the use of a group is stronger than documentation in an (offline) manual or procedure. Descriptions can be used to identify the right group membership for the right purpose. The Managed by attribute has many uses, both inside and outside Active Directory.
Groups with a large percentage of users
Active Directory comes with built-in groups. These groups can be used to govern access within the environment. Groups with a large percentage of users might indicate the group might better be replaced with one of the built-in groups, like Authenticated Users.

The graphical output looks like this:
(only a portion of the Toxic Group Conditions report is shown below)

Unfortunately, the free StealthAUDIT Active Directory Assessment does not offer the much coveted effective rights report, showing who has access where (on File Servers, in Exchange) based on Active Directory group memberships and Dynamic Access Control. When you want this functionality, StealthAUDIT Data & Access Governance is the suite you might want. The free StealthAUDIT Active Directory Assessment, however, will give you a fair preview of what you might expect from the full platform.

An alternative solution

As an alternative to using group memberships as your access management strategy, you might opt to implement Dynamic Access Control (DAC). This new feature in Active Directory Domain Services in Windows Server 2012 offers a way to manage access to files and folders, based on attributes in Active Directory (fields like location, manager and department) and (optionally) file classification. No longer will you need to create thousands of groups to build a granular access solution. As a bonus, you can create far more robust access rules.

In contrast to group memberships, in Dynamic Access Control scenarios, access is granted based on attribute values. These attribute values result in claims. These claims are then used for authorization purposes, where filtering is done based on the combination of claims.

To migrate to an environment where authorization is based on claims instead of group memberships, the two authorization methods, most likely, need to coexist for a while. To remediate Token Bloat in this situation, increasing the MaxTokenSize throughout your environment is a good temporary fix.

Concluding

Only after you’ve created a policy and processes within the organization will you, your admins and your auditors, be able to model your Active Directory environment to your organization and enjoy easy Identity and Access Management…

Related blogposts

Common Challenges when Managing Active Directory Domain Services, Part 1: Security
New features in AD DS in Windows Server 2012, Part 20: Dynamic Access Control (DAC)
New features in AD DS in Windows Server 2012, Part 21: Resource SID Compression
How to search for groups of different type and scope
Groups and tokens

I’ll be staffing at TechEd North America 2013

Sander Berkouwer — Tue, 21 May 2013 20:39:23 GMT

A while ago, I received a mail from TechEd. In it, the TechEd North America Staff Communications team congratulated me with being selected to participate as product subject matter expert, learning guide or ambassador at TechEd North America 2013!

For last year’s TechEd North America in Orlando, I also was selected for this role and could be found at the booth labeled Active Directory / Dynamic Access Control for most of the opening hours of the TechExpo.

This year, the booth is relabeled to Access and Information Protection.

I will be there for most of the opening hours of the TechExpo, not just the hours I’m scheduled to be there. The reason for what sounds like sheer dedication (ahum) is pretty logical, though. Staffing the booth of your main interest at an event like TechEd is one of the most rewarding activities for the loads of feedback on both the technology and this blog, interaction with Microsoft PMs and the endless ability to practice answering questions like “What’s Dynamic Access Control?” quickly. These activities allow me to build inspiring, up to date and relevant presentations and demos.

I’ll be at the Access and Information Protection booth at:

Monday, June 3 12:00 PM – 2:00 PM
Tuesday, June 4 12:15 PM – 2:30 PM
Thursday, June 6, 10:45 PM – 12:45 PM

Also, you can find me at the Ask The Experts evening event on Tuesday, June 4 6:30 PM – 8:30 PM. This event is designed to give TechEd attendees the opportunity to interact directly with product group members and other experts in a more informal setting. The goal of the evening is to allow for a free flow of questions and answers between attendees and speakers and other experts.

When you’re also attending TechEd North America 2013, drop by the booth and come say “Hi!”.

Common Challenges when Managing Active Directory Domain Services, Part 1: Security

Sander Berkouwer — Tue, 14 May 2013 07:28:49 GMT

In many organizations Active Directory Domain Services is the top tier in access management. Access to systems, information and connections, often, is governed by information in Active Directory. User objects and computer objects play a big role in this model, since they represent actual physical objects within the organization.

This series will focus most on the data inside the Active Directory database, instead of the actual technical implementation of Domain Controllers and such.

The challenge

Today, I want to talk to you about stale user objects and stale computer objects. From a security point of view, these objects represent a real security risk to your organization.

Stale user objects

Depending on the process surrounding creating user objects, these objects are usually created with a predefined password. This makes the tasks of creating an account and communicating the account to the actual colleague two separate tasks, that can be carried out by two different persons at two different times.

Alas, the delegation of work does not outweigh the security risk involved with tens, hundreds or even thousands of user objects that can be brute forced for their password , most of the time configured with a default password for new accounts (Welcome123 and P@ssw0rd come to mind). Tools like Zohno’s free Z-Hire, I discussed last year, have the explicit option to provide a default password (but not generating one) per template.

One of the other factors that don’t help in the situation with stale user objects is that account lockout settings are non-existent in default Active Directory implementations.

Stale computer objects

Stale computer objects are even worse than stale user objects from a security point of view. By default computer accounts have broader access to information in Active Directory and by default, the password for the security channel used to be a default derivation of the hostname as explained in Microsoft KnowledgeBase article 255042 on How to make machine accounts programmatically by using ADSI with Visual C++:

The initial password for the machine account must be set to the name of the computer in lower case.

Using net use from a non-domain joined computer using the computer account (the NetBIOS hostname) and the default password for the computer account, a malicious person might gain access to data in Active Directory, on file servers and in Exchange public folders, as explained by Marcus Murray in his Live demonstration about some of the ways hackers attack [PDF] on page 11.

Luckily, by default a domain-joined computer will change its computer password at a regular interval. This means, the security concerns surrounding stale computer objects only apply to the first week or month of the lifecycle of the computer object, depending on the Operating System of the domain-joined machine:

Windows 9x, Windows NT4, Windows 2000	7 days
Windows XP, Windows Vista, Windows 7, Windows 8	30 days

A more permanent solution to the problem was introduced with Windows 7 with Offline Domain Join. Not only does this Active Directory Domain Services-related feature offer the ability to join a computer to an Active Directory domain without a networking connection between a Domain Controller and the computer to be joined. Its communication streamlining also applies to every domain join, as I covered earlier in my blog post on the Top 5 Myths on Offline Domain Join.

(Part of) The solution

A lot of times, the root cause of stale objects in Active Directory is the lack of (procedures for the) interaction between an HR department (who known who were hired and fired), a facilities department (who knows where computers are located) and the IT department (who need to make these changes to keep Active Directory up to date).

Optimizing communication

Optimizing communication between the HR, facilities and IT departments should be your main focus when trying to solve the situations surrounding stale user objects and computer objects. A process-based approach would best suit tackling this.

Mitigating factors

Processes will save you in the long run, but as an Active Directory admin, there’s also a couple of things you can do right now. You can take action to prevent most of the security breaches, by:

configuring Account lockout policies in Active Directory
configuring new user objects with randomly generated complex passwords
migrating client computers to Windows 7 and/or Windows 8

Cleanup

With the long term covered with processes and the biggest security problems tackled, the only task left is the perform a cleanup in the Active Directory database.

You might want to get rid of:

Computer objects that have not been used to log onto in the last 30 days
User objects that have not been used to (interactively) log on ever
User objects that have not been used to (interactively) log on in the last 30 days.

Cleaning stale computer objects

To detect stale computer objects, Microsoft has released a script as part of Knowledgebase Article 197478 that, under the hood, uses nltest.exe to check the PasswordLastSet output. Several PowerShell scripts exist that check the PwdLastSet (script) or lastLogonTimestamp (script) attributes directly in the Active Directory database. Joe Richards’ command-line tool oldcmp.exe is one of the leanest tools available to tackle the problem, while many other 3rd party solutions offer the functionality as part of a more elaborate reporting solution.

Many of these Active Directory reporting solutions will set you back a fair amount of budget, but STEALTHbits’ free StealthAUDIT Active Directory Assessment will both report on stale objects in bar graphs and will output its findings in XML-based files, ready for your PowerShell scripts. Since StealthAUDIT uses its own Microsoft SQL Server database, the load on your Domain Controllers when being examined remains minimal.

When you use these tools, you might find a surprising list of computers that have been identified as stale, but purring away peacefully as part of every day operations… This situation can be caused by settings that disable computer account password resets. Always browse through the list with inactive computer objects, before accidentally deleting active computer objects.

Tip!
Protection from Accidental Deletion on individual computer objects might help preserving often targeted computer objects

Tip!
Before performing any cleanup actions, would be an excellent moment to enable the Active Directory Recycle Bin.

Cleaning stale user objects

Stale user objects can be targeted with much of the same 3rd party tools. Again, a load of scripts can be used to find (and remove) unnecessarily created user objects.

When running Windows Server 2012 and Windows Server 2008 R2-based Domain Controllers you can also use the Global Search functionality in Active Directory Administrative Center (dsac.exe). The Global Search option has a couple of helpful default criteria, that help you identify dangerous user objects. Below is a view on the criteria in the Windows Server 2012 Active Directory Administrative Center:

Obviously, the stale user objects that have the most potential to be used to wreck your environment would be:

enabled user objects
user objects without a password expiration date
user objects that have not been used to log on for more than 30 days.

Clicking on the Search button, would return a list with objects that need the attention of an Active Directory admin. Now, the list should not be considered as input to a script, since several reasons exist why user objects appear as stale, but still need to be retained:

User objects belonging to colleagues on maternity leave, sabbatical, etc.
User objects belonging to services that don’t log on interactively

From the list in the Active Directory Administrative Center you can easily pick the user objects you want to delete and disarming them by either right-clicking the selection and select Delete or Disable all from the context menu or pressing the Del button on your keyboard.

Concluding

Stale objects in Active Directory pose a significant security risk. You can address these risks by introducing processes to control the lifecycle of objects in Active Directory. Additionally, you can take actions to clean up your Active Directory.

Related blogposts

Tip: Zohno’s Z-Hire & Z-Term (freeware)
Top 5 Myths on Offline Domain Join

Active Directory Services and their System Center Management Packs

Sander Berkouwer — Mon, 13 May 2013 06:06:32 GMT

As you might be aware, every Microsoft technology has the requirement to be manageable through PowerShell and System Center. Manageability through System Center is done through Management Packs. (MPs).

While I discussed the PowerShell manageability stories for the five Active Directory services last Saturday, below is the overview of the availability and functionality of the Management Packs (MPs) for the five Active Directory services:

Active Directory Domain Services

For Windows Servers running the Active Directory Domain Services as Domain Controllers, a System Center Management Pack has been available for ages, even before the products responsible for management were labeled ‘System Center’ (System Center Operations Manager was called MOM Server and System Center Configuration Manager was called SMS Server).

The Active Directory Domain Services Management Pack for System Center provides both proactive and reactive monitoring of your Active Directory deployment. It monitors events that various Active Directory components and subsystems place in the Application, System, and Service event logs. It also monitors the overall health of the Active Directory system and provides alerts for critical performance issues.

When used with the Management Pack for the Windows Server Operating System, the DNS Server Role, File Services, Group Policy and DFS Replication, a complete management view starts to emerge, where you can monitor the health of your Domain Controllers.

The latest version (v6.0.8070.0) adds support for Windows Server 2012.

Download MP for AD Domain Services v6.0.8070.0

Also available is a System Center Integration Pack, that allows System Center 2012 - Orchestrator to connect to your Active Directory Server to automate Identity and Access management tasks.

Download System Center Integration Pack for Active Directory v7.0

Active Directory Lightweight Directory Services

The Active Directory Lightweight Directory Services (AD LDS) Management Pack provides both proactive and reactive monitoring of your AD LDS deployment running on Windows Server 2008 and Windows Server 2008 R2. It monitors events that are placed in the Application, System, and Service event logs by various Active Directory Lightweight Directory Services components and subsystems. It also monitors the overall health of the Active Directory Lightweight Directory Services system and alerts you to critical performance issues.

Download MP for AD Lightweight Directory Services v6.0.7220.0

Active Directory Certificate Services

The System Center Management Pack for Active Directory Certificate Services provides an early warning to administrators on issues that could affect services so they can investigate and take action, if necessary.

Two Management Packs for Active Directory Certificate Services are currently available. An ‘old’ Management Pack exists to manage Certification Authorities running on Windows Server 2008 and Windows Server 2008 R2. This Management Pack follows the 6.x version numbering. A completely new 7.x Management Pack is available alongside the 6.x version and enables management of Certification Authorities on Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012.

Note:
The Management Packs for Active Directory Certificate Services monitors the core Certification Authority, but does not monitor Certificate Services role services (such as the Online (OCSP) responder, Network Device Enrollment Services (NDES), Certificate enrollment web services, NDES, or CA web enrollment).

Download MP for AD Certificate Services v6.0.7231.0
Download MP for Windows Server 2012 AD Certificate Services v7.0.8560.0

Active Directory Federation Services

The System Center Management Pack for Active Directory Federation Services 1.x has been available since September 2007 and for Active Directory Federation Services 2.x since June 2010.

The Management Pack for Active Directory Federation Services offers the ability to detect service outages, operational errors and operational warnings. It also alerts on configuration issues and background tasks failures. Auditing can also be monitored, as well as the communication between the federation server and the federation server proxy. With the Management Pack you can be notified of malformed access requests and the health of the Secure Sockets Layer (SSL) certificate of the federation passive website in Internet Information Services (IIS).

Depending on the version of Active Directory Federation Services, you can choose between the 6.x version and the 7.x version of the Management Pack, where version 6.x can be used to monitor Active Directory Federation Services 1.0 and version 7.x can be used to monitor Active Directory Federation Services 2.0 (available as a separate download for Windows Server 2008 R2) and 2.1 (bundled with Windows Server 2012).

Download MP for Windows Server 2003 R2 AD Federation Services v6.0.5000.0
Download MP for AD Federation Services 2.0 and 2.1 v7.0.8560.0

Active Directory Rights Management Services

The System Center Management Pack for Active Directory Rights Management Services (AD RMS) has been available since July 2011 and monitors the performance and availability of the Windows Server 2008 SP2 or Windows Server 2008 R2 versions of AD RMS. By detecting, alerting on, and automatically responding to critical events and performance indicators, this Management Pack helps indicate, correct, and prevent possible AD RMS related service outages. The System Center Monitoring Pack for Active Directory Rights Management Services for Windows Server 2008 SP2 or Windows Server 2008 R2 helps ensure that your AD RMS components are available and working correctly.

In September 2012, Microsoft released a version 7.x of the Management Pack for Active Directory Rights Management Services. This Management Pack can be used to manage Rights Management Services, running on Windows Server 2012. For Rights Management Services running on Windows Server 2008 and Windows Server 2008 R2, the 6.0.7xxx.x version of the Management Pack is the one to use. For sturdy Rights Management Servers on Windows Server 2003, the 6.0.5000.0 version of the Management Pack offers the desired monitoring capabilities.

Download MP for Windows Server 2003 Rights Management Services v6.0.5000.0
Download MP for AD Rights Management Services v6.0.7597.0
Download MP for Windows Server 2012 AD Rights Management Services v7.0.8560.0

Related blogposts

Active Directory Domain Services Management Pack for System Center updated last week
System Center Monitoring Pack for Active Directory was updated today

Related downloads

System Center Management Pack for Windows Server Operating System
System Center Management Pack for Windows 8 Client Operating System

Active Directory Services and PowerShell manageability

Sander Berkouwer — Fri, 10 May 2013 15:45:10 GMT

As you might be aware, every Microsoft server product has the requirement to be manageable through PowerShell and System Center. The PowerShell requirement is formulated as part of the Common Engineering Criteria (CEC).

With PowerShell available as a version 3 product (and part of Windows Server 2012) it’s time to see how the teams, responsible for the Active Directory products have built their management stories around PowerShell.

Active Directory Domain Services

The Active Directory Domain Services, that we love and loath as the core of our networking infrastructure on our Domain Controllers is manageable through PowerShell scripting. To enjoy PowerShell support in Active Directory Domain Services, it is recommended to manage your Domain Controllers from Windows Server 2012 or from a Windows 8 installation with the Remote Server Administration Tools (RSAT) for Active Directory installed. This way you can enjoy the 135 Active Directory Domain Services management-related PowerShell Cmdlets and 9 Active Directory Domain Services deployment-related PowerShell Cmdlets.

The Active Directory Domain Services team even went a few steps further and incorporated the PowerShell History viewer into the Active Directory Administrative Center (dsac.exe), that helps you discover the PowerShell magic that happens under the hood.

A couple of exceptions still exist, that make it impossible to manage Active Directory Domain Services from the PowerShell prompt completely. Tools like ntdsutil.exe, dsamain.exe, redirusr.exe and redircmp.exe come to mind, almost immediately. On the other end of the spectrum, several other functions in Active Directory Domain Services are only easily manageable with PowerShell. MSAs come to mind, quite to my own surprise...

Active Directory Lightweight Domain Services

The Active Directory Lightweight Domain Services offer specialized Domain Services, targeted at applications and perimeter networks. Their charm is you can manage the Lightweight Directory Services (mostly) with the same tools as you can manage the Directory Services in PowerShell (as long as you install the AD LDS Display Specifiers schema and Display Specifiers by importing MS-ADLDS-DisplaySpecifiers.ldf.).

Alas, the PowerShell learning ability, offered by the Active Directory Administrative Center (dsac.exe), is not available for Active Directory Lightweight Directory Services, since this management tool can not be directed to a Lightweight Directory Services installation.

Since most tools are exchangeable between Lightweight Directory Services and Directory Services, roughly the same exceptions for full PowerShell manageability exist.

Active Directory Certificate Services

Active Directory Certificate Services enable you to run Certification Authorities on Windows Servers. For Windows Server 2012, the team behind Active Directory Certificate Services has developed twelve PowerShell Cmdlets to deploy Certificate Services. Also an additional nine PowerShell Cmdlets were specifically created to manage certificates, but you can also manage these by mounting the Certificate Store as a PowerShell drive, if need be.

In versions of Windows Server earlier than Windows Server 2012, no built-in PowerShell Cmdlets were available to manage Active Directory Certificate Services, but you could rely on certutil.exe to script through them.

Active Directory Federation Services

As was the case with Active Directory Federation Services 2.0, which was a separately downloadable installation, Active Directory Federation Services 2.1, that comes bundled with Windows Server 2012, can be managed through PowerShell. A total of 48 Active Directory Federation Services-related PowerShell Cmdlets are available on Windows Server 2012, covering both deployment and management.

Active Directory Rights Management Services

As you might expect, the Active Directory Rights Management Services in Windows Server 2008 R2 and Windows Server 2012 are also PowerShell-enabled. Three straightforward Rights Management Services deployment-focused PowerShell Cmdlets (appropriately named Install-ADRMS, Uninstall-ADRMS and Update-ADRMS) and 21 Rights Management Services administration-focused PowerShell Cmdlets are at your disposal.

Related blogposts

New features in AD DS in Windows Server 2012, Part 4: New PowerShell Cmdlets
New features in AD DS in Windows Server 2012, Part 5: PowerShell History Viewer

Active Directory Services on Server Core installations

Sander Berkouwer — Thu, 09 May 2013 18:58:18 GMT

Windows Server 2012 is a major leap forward for Server Core installations of Windows Server. Not only are Full installations of Windows Server convertible back and forth to Server Core installations without reinstallation, a whole slew of new Server Roles have become available for installation on the mean, clean Server Core installations.

Active Directory Domain Services have been available since day 1 on Server Core installations, but what about the other four services? Can you install these on Server Core?

The table below shows the Active Directory services, available for installation on Server Core installation of Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012:

You can install the Active Directory Services on Server Core installations in four ways:

From the command-line of the Server Core installation using:
1. dism.exe, pkgmgr.exe or the Install-WindowsFeature / Add-WindowsFeature PowerShell Cmdlet on Windows Server 2012
2. dism.exe or pkgmgr.exe or the Add-WindowsFeature PowerShell Cmdlet (after you’ve manually installed PowerShell and have imported the ServerManager PowerShell module) on Windows Server 2008 R2
3. ocsetup.exe or pkgmgr.exe on Windows Server 2008
From the command-line of the Server Core installation over a Remote Desktop Connection.
From a remote command-line of a Full installation of Windows, a full installation of Windows Server or another Server Core installation of Windows Server through remote PowerShell or Windows Remote Management (winrs.exe).
From Server Manager in Windows Server 2012, targeted at a Server Core installation of Windows Server 2012. This method does not work with Windows Server 2008 or Windows Server 2008 R2.

Related blogposts

Installing Server Core Domain Controllers
How to install a Server Core R2 Domain Controller
The importance of Server Core
Server Core Roles and Features in 2008 R2
Some Server Core Domain Controllers heading for a dead end street
How to get going with PowerShell in Server Core R2

Identity and Authentication in the cloud: Office 2013 and Office 365 (Poster)

Sander Berkouwer — Wed, 08 May 2013 06:19:06 GMT

Last week, Microsoft released a poster, detailing identity and authentication for Office 2013 and Office 365. It details the scenario where you would provision accounts in Microsoft's Online Services environment (Scenario 1) and also details the scenario where you would federate your on-premises Active Directory infrastructure with Microsoft's Online Services environment (Scenario 2):

You can download the poster in both PDF and Microsoft Visio Drawing (*.vsd) format. The PDF can be used across Operating Systems (as would identity and authentication in the cloud), where the Visio drawing can be used to reuse some of the drawing in your own drawings and/or presentations.

This PDF would also do nicely over your bed, but could also be used to escape from Alcatraz, if that more resembles your situation…

Today, Microsoft has released an update to the Server Posterpedia app. I’ve mentioned this app before and it has seen several updates since. Today, the Identity and Authentication in the cloud: Office 2013 and Office 365 Poster was added to the app. You’ll be able to spot it when you scroll to the right in the app under Office.

Best Practices for Securing Active Directory

Sander Berkouwer — Fri, 26 Apr 2013 08:05:19 GMT

Today, Microsoft has released a document, detailing the Best Practices for Securing Active Directory Domain Services.

The document contains 22 best practice recommendations to assist organizations in enhancing the security of their Active Directory installations. By implementing these recommendations, organizations will be able to identify and prioritize security activities, protect key segments of their organization’s computing infrastructure, and create controls that significantly decrease the likelihood of successful attacks against critical components of their networking environments:

Patch applications.
Patch operating systems.
Deploy and promptly update antivirus and antimalware software across all systems and monitor for attempts to remove or disable it.
Monitor sensitive Active Directory objects for modification attempts and Windows for events that may indicate attempted compromise.
Protect and monitor accounts for users who have access to sensitive data.
Prevent powerful accounts from being used on unauthorized systems.
Eliminate permanent membership in highly privileged groups.
Implement controls to grant temporary membership in privileged groups when needed.
Implement secure administrative hosts.
Use application whitelisting on domain controllers, administrative hosts, and other sensitive systems.
Identify critical assets, and prioritize their security and monitoring.
Implement least-privilege, role-based access controls to administer the directory, its supporting infrastructure, and domain-joined systems.
Isolate legacy systems and applications.
Decommission legacy systems and applications.
Implement secure development lifecycle programs for custom applications.
Implement configuration management, review compliance regularly, and evaluate settings with each new hardware or software version.
Migrate critical assets to pristine forests with stringent security and monitoring requirements.
Simplify security for end users.
Use host-based firewalls to control and secure communications.
Patch devices.
Implement business-centric lifecycle management for IT assets.
Create or update incident recovery plans.

The document also discusses the most common attacks against Active Directory and countermeasures to reduce the attack surface, and recommendations for recovery in the event of complete compromise.

The 321-page document (135 pages of main content and 185 pages with appendices A through M) is provided for free in *.docx format. Download it here.

Related blogposts

Auditing directory changes aka "Who deleted this object"
How to create and use confidential attributes
MS013-032 Vulnerability in Active Directory Could Allow Remote Code Execution (Important)Preventing Domain Controller promotions, cloning and demotions in Windows Server 2012
Updated Active Directory Capacity Planning Guidance Available (adsizer.exe Be Gone!)

Acknowledgements

Thanks to Meinolf Weber for the tip.

Applicability of Managed Service Accounts (MSAs) and group Managed Service Accounts (gMSAs)

Sander Berkouwer — Tue, 23 Apr 2013 13:12:01 GMT

Recently, one of my readers approached me with some questions on Managed Service Accounts (MSAs). From our discussion, I realized a lot of people may be unclear about the applicability of Managed Service Accounts (MSAs) and group Managed Service Accounts (gMSAs).

So, this blogpost features a comprehensive table, showing the applicability of Managed Service Accounts (MSAs) and group Managed Service Accounts (gMSAs) in a glance.

In this table you can quickly see which Operating Systems you can run services, configured with Managed Service accounts (MSAs) and group Managed Service accounts (gMSAs):

Managed Service Accounts (MSAs)

Managed Service Accounts (MSAs) were introduced with Active Directory Domain Services in Windows Server 2008 R2. Managed Service Accounts (MSAs) can be used to run services on domain-joined clients and servers, to address typical service account challenges:

Service account password changes are a nightmare and they tend to break stuff. Thus, many organizations configure service accounts with non-expiring passwords. Nonetheless, it is a best practice to change these passwords regularly, for these accounts have a high risk of getting their passwords brute-forced.
Passwords for service accounts are stored in plain text in registry. Sure, the passwords are protected, but still accessible if you know how.
The Scope of service accounts is not easily set. Service accounts can often be used outside the intended scope, for instance to set up VPN connections are send mail through the (authenticated) SMTP gateway.

Under the hood, Managed Service Accounts (MSAs) are a new type of object (msDS-ManagedServiceAccount), derived from the computer account object and living in the Managed Service Accounts container under the domain root.

Managed Service Accounts (MSAs) can be configured in Active Directory environments running Windows Server 2003 and Windows Server 2008 Functional levels. Domains at the Windows Server 2008 R2 functional level provide native support for both automatic password management and SPN management.

Group Managed Service Accounts (gMSAs)

Alongside the Managed Service Account (MSA), in Windows Server 2012, a new type of object is being introduced: the group Managed Service Account. (msDS-GroupManagedServiceAccount)

gMSAs provide the same functionality as MSAs within the domain but also extends that functionality over multiple servers. This way, gMSAs provide a single identity solution for services running on a server farm, or on systems behind Network Load Balance. By using gMSAs, services can be configured for the new gMSA object and the password management is handled by Windows.

group Managed Service Accounts (gMSAs) can be configured in Active Directory environments running Windows Server 2003 and Windows Server 2008 Functional levels. Domains at the Windows Server 2008 R2 functional level provide native support for automatic SPN management.

Pictures of the NGN Tablet Day

Sander Berkouwer — Thu, 18 Apr 2013 12:08:46 GMT

Yesterday, the Dutch Networking User Group organized the Tablet Day at the Reehorst in Ede, the Netherlands. Dave and I presented a 45-minute session on device management through ActiveSync. The whole day was packed with sessions from many speakers and it was a great success with good drinks and a dinner afterwards.

Some people took pictures during our session, so I thought of sharing some of them with you in this blogpost.

We had a big room with nice natural lighting, that felt like a breath of fresh air in contrast to the main auditorium of the Reehorst. The room was filled with 150 seats and, as you can see in the picture below, the majority of them were used by people attending our session:

Since this was the third time Dave and I presented on the topic, we felt pretty confident and had a lot of fun discussing the IOS 6.1 ActiveSync bug, the effects of ActiveSync settings on various tablet and phone models and the missing Swipe Password API on Android-based devices:

I will be speaking at the UK VMUG Meeting in London

Sander Berkouwer — Wed, 17 Apr 2013 07:00:02 GMT

I just received confirmation on speaking at the UK Virtual Machine User Group (VMUG) Meeting in the Hilton Doubletree hotel in London on Tuesday May 21, 2013.

I will be delivering my session on virtualization-safe(r) Active Directory and Domain Controller Cloning. The same session I have been delivering for the past year at numerous events, including the Dutch 2013 Microsoft TechDays.

About the UK Virtual Machine User Group

The UK Virtual Machine User Group (VMUG) is an association of persons with a vested interest in the successful deployment of virtual infrastructure and their associated technologies.

The committee are all volunteers and are directly employed to manage and design virtual infrastructure in their organizations.

VMUG UK is the largest independent cloud and virtualization user group in the UK. As a user group, run by administrators and architects of virtualized systems, the VMUG is all about the contents in the presentations at their events, meeting like minded engineers and learning about new products and trends.

In contrast to other VMUGs, the UK VMUG has a broader view on virtualization than most VMUGs, who mostly focus on VMware-only virtualization.

About the London Meeting

The London meeting will take place from 9AM to 4PM on May 21, 2013 at the Hilton Doubletree hotel.

The meeting is packed with presentations from Microsoft, VMware, York University, EG Innovations and Verizon. Also, attendees will be able to discover VMware automation in the available lab environment. As an attendee looking at advancing your career in virtualization, arrange for a one to one meeting with UK's largest virtualization and cloud employment agency during the Career Clinic.

After the event there will be a bar from 4PM to 6PM.

Register today to attend this meeting.

KnowledgeBase: You cannot use redirusr.exe and redircmp.exe in the Windows Server 2008 DFL on Windows Server 2008

Sander Berkouwer — Mon, 15 Apr 2013 15:29:53 GMT

In the past years, I’ve found many systems and many errors. Today, I’m sharing behavior in Microsoft Windows Server that had me frown and chuckle. A bug in Active Directory code I’ve been grateful for, since it illustrates the nature of software.

Note:
This behavior has not been publicized in the Microsoft KnowledgeBase (yet).

In the past two versions of Windows Server, the Active Directory team has made an effort to migrate all of the command-line stuff to PowerShell. Two of the command-line tools I still use frequently, however, have not been converted to PowerShell: redirusr.exe and redircmp.exe.

redirusr.exe and redircmp.exe were my partners in crime for the last couple of years, in which I setup loads of Active Directory structures for small sized organizations, following the Best Practice Active Directory Design for Managing Windows Networks. I used them in newly setup environments to automatically place newly created computer and user accounts in specific Organizational Units (OUs) in Active Directory.

A short history on redirusr.exe and redircmp.exe

Microsoft introduced the ability to change the default container (or Organizational Unit) where new users and computers are stored in the Windows Server 2003 Domain Functional Level (DFL). Both tools won’t work in Windows 2000 Domain Functional Level. When using the commands on a Windows Server 2008-based Domain Controller for a domain with the Windows 2000 Domain Functional Level both tools error out with the following message:

Error, unable to modify the wellKnownObjects attribute. Verify that
the domain functional level of the domain is at least Windows Server 2003:
Unwilling To Perform
Redirection was NOT successful.

This is by design. As the error indicates you need to raise the Domain Functional Level (DFL) to Windows Server 2003. It is not the subject of this blogpost.

Using redirusr.exe and redircmp.exe

On a Windows Server 2003-based Domain Controller and Windows Server 2008-based Domain Controller in an Active Directory domain with the Windows Server 2003 Domain Functional Level (DFL) you can use the following commands:

dsadd ou "OU=Redirected Users OU,DC=DomainName,DC=Tld"
dsadd ou "OU=Redirected Computers OU,DC=DomainName,DC=Tld"
redirusr "OU=Redirected Users OU,DC=DomainName,DC=Tld"
redircmp "OU=Redirected Computers OU,DC=DomainName,DC=Tld"

These commands will add two Organizational Units with names Redirected Users OU and Redirected Computers OU. After creation it will run the two commands to automagically place new useraccounts and computeraccounts in the new OUs.

The below two commands will output the following message, when successful:

Redirection was successful.

Now for the bug…

I expected the above commands to work on a Windows Server 2008-based Domain Controller for an Active Directory domain with the Windows Server 2008 Domain Functional Level (DFL)…

Unfortunately this is not the case. The error message is:

Error, unable to modify the wellKnownObjects attribute. Verify that
the domain functional level of the domain is at least Windows Server 2003:
Referral
Redirection was NOT successful.

Obviously the Verify that the domain functional level of the domain is at least Windows Server 2003 part of the message is a standard message, but the part behind it is different, compared to the Windows 2000 Domain Functional Level output. It is apparently willing to perform, but was referred.

This is actual behavior on a Domain Controller running Windows Server 2008 RTM. (or Windows Server 2008 with Service Pack 1, if you want to be 100% correct)

Unfortunately there is no way to redirect users and computers using the redirusr.exe and redircmp.exe commands on a Windows Server 2008 RTM-based Domain Controller in an Active Directory domain with the Windows Server 2008 Domain Functional Level (DFL).

The workaround

To use the redirusr.exe and redircmp.exe commands in an Active Directory domain with the Windows Server 2008 Domain Functional Level (DFL), either:

Install Service Pack 2 on a Windows Server 2008-based Domain Controller and run the commands on this Domain Controller, or
Upgrade a Domain Controller to Windows Server 2008 R2 or Windows Server 2012 and run the commands on this Domain Controller.

MS013-032 Vulnerability in Active Directory Could Allow Remote Code Execution (Important)

Sander Berkouwer — Wed, 10 Apr 2013 08:25:59 GMT

It’s not often, that Active Directory Domain Controllers get security updates. The Active Directory Domain Services Server Role is one of the most robustly written code, as I pointed out in an earlier blogpost on Statistics on Active Directory-related Security Bulletins. Since 2001, Microsoft has issued 18 Security Bulletins with patches to address issues in Active Directory Directory Services, Active Directory Lightweight Directory Services and ADAM.

Yesterday, during the April 2013 Patch Tuesday, Microsoft has released a new Active Directory-related security bulletin: MS013-032.

This security update resolves a privately reported vulnerability in Active Directory. The vulnerability could allow denial of service if an attacker sends a specially crafted query to the Lightweight Directory Access Protocol (LDAP) service, that leads to excessive memory consumption and could cause the LDAP service to become non-responsive. This issue was privately reported to Microsoft and documented as CVE-2013-1282

This Security update is not classified as Critical, since an attacker must have valid logon credentials to exploit this vulnerability. The vulnerability could not be exploited remotely by anonymous users. However, the affected component is available remotely to users who have standard user accounts. In certain configurations, anonymous users could authenticate as the Guest account.

Affected Operating Systems

This security update is rated Important for Active Directory, Active Directory Application Mode (ADAM), Active Directory Lightweight Directory Service (AD LDS), and Active Directory Services on the following, currently supported, Windows Server Operating Systems:

Active Directory on Windows Server 2003 SP2 x86
Active Directory on Windows Server 2003 SP2 x64
Active Directory Application Mode (ADAM) on Windows Server 2003 SP2 x86
Active Directory Application Mode (ADAM) on Windows Server 2003 SP2 x64
Active Directory Services on Windows Server 2008 SP2 x86
Active Directory Services on Windows Server 2008 SP2 x64
Active Directory Application Mode (ADAM) on Windows Server 2008 SP2 x86
Active Directory Application Mode (ADAM) on Windows Server 2008 SP2 x64
Active Directory Services on Windows Server 2008 R2
Active Directory Application Mode (ADAM) on Windows Server 2008 R2
Active Directory Services on Windows Server 2008 R2 SP1
Active Directory Application Mode (ADAM) on Windows Server 2008 R2 SP1
Active Directory Services on Windows Server 2012

This security update is rated Low for Active Directory Application Mode (ADAM) and Active Directory Lightweight Directory Services (AD LDS) on the following, currently supported, Windows client Operating Systems:

Active Directory Application Mode (ADAM) on Windows XP SP3
Active Directory Application Mode (ADAM) on Windows XP Professional x64 SP2
Active Directory Lightweight Directory Service (AD LDS) on Windows Vista SP2 x86
Active Directory Lightweight Directory Service (AD LDS) on Windows Vista SP2 x64
Active Directory Lightweight Directory Service (AD LDS) on Windows 7 x86
Active Directory Lightweight Directory Service (AD LDS) on Windows 7 x64
Active Directory Lightweight Directory Service (AD LDS) on Windows 7 SP1 x86
Active Directory Lightweight Directory Service (AD LDS) on Windows 7 SP1 x64
Active Directory Lightweight Directory Service (AD LDS) on Windows 8 x86
Active Directory Lightweight Directory Service (AD LDS) on Windows 8 x64

The security update addresses the vulnerability by correcting how the LDAP service handles specially crafted LDAP queries.

On all affected Operating Systems, except for Windows 8 and Windows Server 2012, this security update replaces Security update MS011-095.

Guidance

You are urged to test and implement the update corresponding to the Security Bulletin on the affected Operating Systems running the aforementioned Active Directory services.

MS08-003 Security Update for Active Directory
A New Vulnerability in Active Directory (MS09-018)
MS11-095 Vulnerability in Active Directory could allow Remote Code Execution (Important)
Statistics on Active Directory-related Security Bulletins

Meet Azure Active Directory: Your Cloud-based Identity Service

Sander Berkouwer — Tue, 09 Apr 2013 07:05:41 GMT

Today, Microsoft made Azure Active Directory generally available (GA). This means it is ready for production use.

Azure Active Directory enables organizations to provision their users with a single identity that can be used to access applications that are run on Windows Azure, run by 3rd party cloud-based vendors and/or within their own datacenters.

Azure Active Directory offers four main capabilities:

It’s an Azure-based Active Directory environment, that you, as an admin, can use to authorize access to apps and services within your organization’s Azure, Intune and Office 365 subscriptions.

These Microsoft cloud services already rely on the identity management capabilities provided by Azure Active Directory. These capabilities include a cloud based store for directory data and a core set of identity services including user logon processes, authentication and federation services.
The Azure Active Directory that you create is able to federate with an on-premise Active Directory environment, based on open standards including SAML, OData and WS-FED. With federation and single sign-on enabled, your colleagues can access resources within your company, plus access cloud applications seamlessly with the set of credentials and means of authentication they are already familiar with.

With Identity controlled on-premises, colleagues can granularly be enabled for federation, granted access and revoked access. All without any delays.
Azure Active Directory can be used to leverage identity and access management to 3rd party cloud-based apps.

As an organization, you can leverage this functionality to use Azure Active Directory as your identity federation hub or identity provider (IP) to provide a seamless, single sign-on experience across your on-premises environment, Microsoft Online Services, 3rd party cloud services and applications built on Windows Azure with popular web identity providers like Microsoft Account, Google, Yahoo!, and Facebook.
Azure Active Directory offers the Azure Active Directory Graph. This is an innovative social enterprise graph providing an easy RESTful interface for accessing objects such as Users, Groups, and Roles with an explorer view for easily discovering information and relationships.

You may leverage any of these capabilities, independent of each other.

The best thing? Azure Active Directory is free.

KnowledgeBase: Unable to install Windows Server 2012 Essentials with domain suffixes .net, .corp, .com, .org etc

Sander Berkouwer — Mon, 08 Apr 2013 09:22:32 GMT

Microsoft has released KnowledgeBase Article 2830511, detailing a bug in the Installation Wizard of Windows Server 2012 Essentials, that prevents you from installing the server as a Domain Controller for an Active Directory domain with a public top-level domain (TLD), like .com, .corp, .org, .edu, .int and the country-specific top-level domains.

About Windows Server 2012 Essentials

Windows Server 2012 Essentials is the latest version of Windows Small Business Server Essentials. It is a flexible, affordable, and easy- to-use server solution designed and priced for small businesses with up to 25 users and 50 devices that helps them reduce costs and be more productive. Windows Server 2012 Essentials is an ideal first server, and it can also be used as the primary server in a multi-server environment for small businesses.

By removing the ‘Small Business Server’ moniker, Microsoft clearly communicates how Windows Server Essentials is positioned in the market relative to the other Windows Server editions. It does not come with Exchange Server, but it does come with client backup and remote web access.

Installing Essentials

As Microsoft aims Windows Server 2012 Essentials as the successor to Windows Small Business Server 2011, After installing Windows Server 2012, which is more or less identical to installing the Standard or Datacenter edition of Windows Server 2012, Microsoft assists system administrators, apparently installing their first server, with a wizard to configure the server; the Set Up Windows Server 2012 Essentials wizard.

The first screen of this wizard makes you verify the date and time settings. This is specifically useful when your time zone is not Pacific Time (-08h00 GMT). From an Active Directory point of view, though, it doesn’t matter since Active Directory, internally, runs at Greenwich Main Time (GMT). The second screen lets you choose between a Clean install and a Server migration.

The third screen is where the Active Directory magic happens:

The link What should I know before I personalize my server? explains that the Company name is used to associate your server with your company and the customize your company reports. You can type up to 254 characters for your company name.

The Internal domain name groups your server and client computers together to share a common database of user names, passwords, and other common information. Your users see this name when they log on to their computers, but is used internally only and is not the same as an Internet domain name. Your internal domain name must meet the following criteria:

Can be up to 15 characters long
Can contain letters, numbers and dashes (-)
Must not start with a dash
Must not contain any spaces
Most not contain only numbers

This screen only offers to set up your Windows Server 2012 Essentials as a Domain Controller for a .local domain name, where the NetBIOS name of the domain is equal to the second level domain name. The wizard does not offer to configure Windows Server 2012 Essentials as a Domain Controller for an Active Directory domain with a public top-level domain (TLD), like .com, .corp, .org, .edu, .int and the country-specific top-level domains. (ccTLDs)

Microsoft KnowledgeBase article 2830511 explains the absence of a sensible choice for the domain name as by design to simplify the user experience.

Now, I can agree to some extent, that preventing a situation where an inexperienced admin may create a single-label domain name, is a good goal. However, other means exist to prevent these associated problems. Since Windows Server 2008, for instance, when you try to create a single-label domain name, you are presented with the following error:

The DNS name "<single label DNS domain name> proposed for this Active Directory domain consists of a single label, which is not recommended. DNS domain name should be unique and fully qualified, consisting of one or more labels separated by a period ("."), followed by a top level domain.

Example: corp.<domain>.com

If you click No, you can assign a fully qualified DNS name like the example. If you implement a single-label DNS domain name, you must configure all member computers and domain controllers as described in article 300684 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=92467) so they can register records and resolve queries until the domain is retired.

Do you really want to assign a single-label DNS domain name to this Active Directory domain?

Also, targeting Windows Server 2012 Essentials as the cost-efficient server solution, brings back the point of not forcing business into register a public domain name (at up to $10 per year).

The part I can’t agree with is the absence of the ability to create a domain name with a public top-level domain (TLD), since Microsoft has repeatedly made this a best practice approach.

Many Microsoft products and services assume your internal domain name ends with a public top-level domain (TLD). Lync Server and Exchange Server, for instance, are easier installed, configured and integrated when using the public DNS domain name. Also, Single Sign-On with Office 365 is problematic when you use a DNS domain name ending with a non-public top-level domain (TLD).

Configuring Essentials with a public TLD

Now, while the Set Up Windows Server 2012 Essentials wizard does not give you the option to configure the Active Directory domain name with a public top-level domain (TLD), it is possible to configure Windows Server 2012 Essentials with a public top-level domain (TLD) through the answer file method.

To this purpose you’ll need to place a plain text file named cfg.ini in the root of removable media (floppies not allowed, sorry) and make sure the media is available to Windows Server 2012 Essentials at the moment you set it up.

The fields NetBiosName and DNSName can be used to configure your Windows Server 2012 Essentials with the Active Directory domain names you’d like to use. More information on creating the contents of cfg.ini can be found here.

Note:
Windows Server 2012 Essentials configures Active Directory with the Windows Server 2012 Domain Functional Level (DFL) and Windows Server 2012 Forest Functional Level (FFL). There is no way in cfg.ini to configure it otherwise. You will need to configure a Domain Controller on Windows Server 2012 Standard first and use the Server migration option in the Set Up Windows Server 2012 Essentials wizard. Afterwards, you can remove the Windows Server 2012 Standard Domain Controller from the network.

The things that are better left unspoken

Common Challenges when Managing Active Directory Domain Services, Part 2: Unnecessary Complexity and Token Bloat

The challenge

Token bloat

(Part of) The solution

Optimizing communication

Mitigating factors

Cleanup

An alternative solution

Concluding

Related blogposts

Further reading

I’ll be staffing at TechEd North America 2013

Common Challenges when Managing Active Directory Domain Services, Part 1: Security

The challenge

Stale user objects

Stale computer objects

(Part of) The solution

Optimizing communication

Mitigating factors

Cleanup

Cleaning stale computer objects

Cleaning stale user objects

Concluding

Related blogposts

Related Microsoft Knowledgebase articles

Further reading

Active Directory Services and their System Center Management Packs

Active Directory Domain Services

Active Directory Lightweight Directory Services

Active Directory Certificate Services

Active Directory Federation Services

Active Directory Rights Management Services

Related blogposts

Further reading

Related downloads

Active Directory Services and PowerShell manageability

Active Directory Domain Services

Active Directory Lightweight Domain Services

Active Directory Certificate Services

Active Directory Federation Services

Active Directory Rights Management Services

Related blogposts

Further reading

Active Directory Services on Server Core installations

Related blogposts

Further reading

Identity and Authentication in the cloud: Office 2013 and Office 365 (Poster)

Best Practices for Securing Active Directory

Related blogposts

Acknowledgements

Applicability of Managed Service Accounts (MSAs) and group Managed Service Accounts (gMSAs)

Managed Service Accounts (MSAs)

Group Managed Service Accounts (gMSAs)

Further reading

Pictures of the NGN Tablet Day

Further reading

I will be speaking at the UK VMUG Meeting in London

About the UK Virtual Machine User Group

About the London Meeting

Further reading

KnowledgeBase: You cannot use redirusr.exe and redircmp.exe in the Windows Server 2008 DFL on Windows Server 2008

A short history on redirusr.exe and redircmp.exe

Using redirusr.exe and redircmp.exe

Now for the bug…

The workaround

Further reading

MS013-032 Vulnerability in Active Directory Could Allow Remote Code Execution (Important)

Affected Operating Systems

Guidance

Related Posts

Further reading

Meet Azure Active Directory: Your Cloud-based Identity Service

Further reading

KnowledgeBase: Unable to install Windows Server 2012 Essentials with domain suffixes .net, .corp, .com, .org etc

About Windows Server 2012 Essentials

Installing Essentials

Configuring Essentials with a public TLD

Further reading

Related KnowledgeBase articles