AD

  • AD

    The 411 on the KDC 11 Events

As a Premier Field Engineer, I visit new customers every week and every customer, and I mean every customer, has the KDC 11 events in their System event logs. Consequently, I have to explain to customers what this means and how to clean it up. But rather than just saying, “Look, these accounts have duplicate SPNs; use setspn or adsiedit to clean them up”, I like giving the back story about how duplicate SPNs break authentication and what would happen if the KDC issued Kerberos tickets for resources with duplicate SPNs. So, here’s the dialogue of my weekly explanation of Kerberos and duplicate SPNs. By the end, most…
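    The condition behind KDC event 11 is simply one servicePrincipalName value registered on two or more objects, so the practical first step is to enumerate every SPN in the forest and group the collisions. The script below is an added example for this page, not code from the original post; it assumes the RSAT ActiveDirectory module is installed and that the caller can read every domain in the forest. The built-in `setspn -X` performs a similar check and is a good cross-reference for the results.

```powershell
# Added example (not from the original post): list SPNs registered on more than one
# account, which is the condition that produces KDC event 11.
# Assumes the RSAT ActiveDirectory module and read access to every domain in the forest.
Import-Module ActiveDirectory

function Find-DuplicateSpn {
    [CmdletBinding()]
    param()

    # SPN (normalised to lower case) -> list of distinguishedNames carrying it
    $spnMap = @{}

    # Walk every domain in the forest: the KDC resolves SPNs through the global
    # catalog, so a collision across domains breaks Kerberos just like one inside
    # a single domain.
    foreach ($domain in (Get-ADForest).Domains) {
        Get-ADObject -Server $domain -LDAPFilter '(servicePrincipalName=*)' `
                     -Properties servicePrincipalName |
            ForEach-Object {
                $dn = $_.DistinguishedName
                foreach ($spn in $_.servicePrincipalName) {
                    # SPN matching is case-insensitive, so normalise before grouping
                    $key = $spn.ToLowerInvariant()
                    if (-not $spnMap.ContainsKey($key)) {
                        $spnMap[$key] = New-Object System.Collections.Generic.List[string]
                    }
                    $spnMap[$key].Add($dn)
                }
            }
    }

    # Emit one record per SPN that sits on two or more distinct objects
    foreach ($entry in $spnMap.GetEnumerator()) {
        $owners = @($entry.Value | Sort-Object -Unique)
        if ($owners.Count -gt 1) {
            [pscustomobject]@{
                SPN      = $entry.Key
                Count    = $owners.Count
                Accounts = ($owners -join '; ')
            }
        }
    }
}

# Usage: most widely duplicated SPNs first; each row is one cleanup item for setspn -D
Find-DuplicateSpn | Sort-Object Count -Descending | Format-Table -AutoSize
```

    Grouping on the lower-cased value matters: `HOST/web01` and `host/web01` are the same SPN to the KDC, and a case-sensitive comparison would hide exactly the duplicate that triggers the event. The output tells you which objects to fix; deciding which registration is the legitimate one still needs the service owner.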

  • AD

    How to Track the Who, What, When and Where of Active Directory Attribute Changes – Part II (The Case of the Mysteriously Modified UPN)

    How to Track the Who, What, When and Where of Active Directory Attribute Changes – Part I (The Case of the Mysteriously Modified UPN) Quick Review – The story you’re about to hear is true and the names have been changed to protect the innocent… Some unknown process, running on some unknown computer, at some unknown time was changing the UPN on the Active Directory user accounts. Since Contoso is running Windows Server 2003 R2 X64 Domain Controllers, we recommended they search the Security event log for Event ID 642 which indicates a successful “User Account Change”. The Event ID includes information that identifies the attribute which was changed and…
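    Turning the recommendation above into a repeatable search, here is an added example for this page (not the original post's code) that pulls Event ID 642 from the Security log of every domain controller and keeps only the records whose Changed Attributes section shows a new User Principal Name. It assumes the ActiveDirectory module, remote Event Log access to each DC, and the 2003-era 642 message layout with the field labels `Target Account Name:`, `Caller User Name:` and `User Principal Name:`, where an unchanged attribute is printed as `-`.

```powershell
# Added example (not from the original post): find 642 "User Account Changed" events
# in which the User Principal Name attribute was modified, across all DCs.
# Assumes the ActiveDirectory module, remote Security-log read access to each DC,
# and the Windows Server 2003-era 642 message layout (field labels below are assumed).
Import-Module ActiveDirectory

function Get-UpnChangeEvents {
    param([datetime]$Since = (Get-Date).AddDays(-7))

    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        # InstanceId 642 is the legacy (pre-2008) "User Account Changed" audit event
        Get-EventLog -ComputerName $dc -LogName Security -InstanceId 642 -After $Since |
            ForEach-Object {
                $msg = $_.Message
                # Changed Attributes lists every tracked attribute; "-" means unchanged
                if ($msg -match 'User Principal Name:\s*(?<upn>[^\r\n]*)') {
                    $newUpn = $Matches['upn'].Trim()
                    if ($newUpn -and $newUpn -ne '-') {
                        $target = if ($msg -match 'Target Account Name:\s*(?<t>[^\r\n]*)') { $Matches['t'].Trim() } else { '?' }
                        $caller = if ($msg -match 'Caller User Name:\s*(?<c>[^\r\n]*)')   { $Matches['c'].Trim() } else { '?' }
                        [pscustomobject]@{
                            When    = $_.TimeGenerated   # when the change was written
                            LoggedOn = $dc               # which DC took the write
                            Who     = $caller            # account that made the change
                            Target  = $target            # account whose UPN changed
                            NewUpn  = $newUpn            # the value it was changed to
                        }
                    }
                }
            }
    }
}

# Usage: a timeline of UPN changes, oldest first
Get-UpnChangeEvents | Sort-Object When | Format-Table -AutoSize
```

    The record answers who (the caller), what (the new UPN) and when (the event time); the DC that logged the write is the only "where" 642 gives you directly, which is why the caller's logon ID has to be correlated with logon events on that same DC to reach the originating computer.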

  • AD

    Best Practices for Implementing Schema Updates or: How I Learned to Stop Worrying and Love the Forest Recovery

    Note:  This is general best practice guidance for implementing schema extensions, not the testing of their functionality.  There may be some additional best practices around design and functionality of schema extensions that should be considered.  Understand that the implementation of a schema extension may well succeed, but the functionality around the extension may not behave as expected. As with any change to the Active Directory infrastructure, the two primary concerns around implementing a schema extension are: 1. Have you tested it, so you can be reasonably sure it will behave as expected when implemented in production? 2. Do you have a roll-back plan?  And is it tested? Digging into the…

  • AD

    Windows time mechanism

    First we have the Parameters entries, as seen below. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters Type: this entry indicates which peers the time service accepts synchronization from. NoSync: the time service does not synchronize with other sources. NTP: the time service synchronizes from the servers specified in the NtpServer registry entry. NT5DS: the time service synchronizes from the domain hierarchy. AllSync: the time service uses all the available synchronization mechanisms. The default value on d

  • AD

    Recovering Data from Active Directory Snapshots

    The task of mounting the snapshots of the volumes that contain Active Directory seems a bit like magic. How can you get to the Active Directory data contained in those snapshots? The secret is the DSAMAIN command. This is the executable that runs ADLDS. It is essentially a standalone LDAP server that shares almost all of its code with ADDS. You can use DSAMAIN to make the mounted snapshots look like a read-only LDAP server containing the Active Directory data as it was at the time the snapshot was taken. Consider this command: This mounts the ntds.dit file located in the c:\$snap_200712032318_volumed$\ntds\dit folder and makes it available to LDAP operations…

  • AD

    Virtualized Domain Controller Technical Reference (Level 300)

    The virtualized domain controller (VDC) technical reference consists of the following topics: Virtualized Domain Controller Architecture Virtualized Domain Controller Deployment and Configuration Virtualized Domain Controller Troubleshooting Virtualized Domain Controller Technical Reference Appendix Virtualized Domain Controller Additional Resources

  • AD

    Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100)

    Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012 Virtualization of Active Directory Domain Services (AD DS) environments has been ongoing for a number of years. Beginning with Windows Server 2012, AD DS provides greater support for virtualizing domain controllers by introducing virtualization-safe capabilities. Safe virtualization of domain controllers Virtual environments present unique challenges to distributed workloads that depend upon a logical clock-based replication scheme. AD DS replication, for example, uses a monotonically increasing value (known as a USN or Update Sequence Number) assigned to transactions on each domain controller. Each domain controller’s database instance is also given an identity, known as an InvocationID. The InvocationID of…

  • AD

    Active Directory Domain Services Virtualization

    This topic lists resources that are available for using virtualized domain controllers. Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100) Virtualized Domain Controller Technical Reference (Level 300) Virtualized Domain Controller Cloning Test Guidance for Application Vendors Support for using Hyper-V Replica for virtualized domain controllers