Category: Active directory migrations

Working with the on-premises AD Recycle Bin

20th February, 2024

Generally in day to day identity management you would not often need to resort to the Active Directory Recycle Bin, but when you do, typically it is a high priority request and you find yourself having to reacquaint yourself with the commands you need. Accidental deletion scenarios Where we have seen the need to restore […]

Active Directory: Source has exceeded the tombstone lifetime

19th June, 2019

I was working with a client recently who had various Active Directory replication issues. They had a multi-domain forest in Windows Server 2008 R2 functional levels. Now the two fundamental errors were DNS zones duplicated between the domains (including the zones used by the subdomains) Network firewalls between the domain controllers One big call out […]

Inside Kerberos – 7: Wrap up

17th May, 2018

Alright, we’ve covered a lot of ground, but let’s wrap up by grabbing our original questions and answering the 1. Why is there a problem with SIDHistory and Domain Local Groups, and exactly what is the problem? We’ve seen that Domain Local groups can have sid-history applied from one domain to another, this allows for […]

Inside Kerberos – 6: Conversations

10th May, 2018

We have covered a lot of ground so far, and we have touched on the Kerberos conversations that go on, but let’s take a deeper look at exactly how these messages are made up and how they are protected. Elements to protect the transmission Secret Keys Secret keys are stored inside the Security Account Manager […]

Inside Kerberos – 5: Tokens

3rd May, 2018

Alright then, we’ve covered SIDs, SIDHistory, and Tickets.  Let’s move onto Access Tokens. Privilege Access Certificate The Privilege Access Certificate or PAC is a Microsoft extension to Kerberos utilizing the Authorization Data field in the tickets.  This is sometimes referred to as the Access Token, however strictly speaking the Access Token is the structure generated […]

Inside Kerberos – 4: Tickets

25th April, 2018

Ok I think we have talked enough about SIDs in the previous two parts on SIDs and SIDHistory.  Let’s move on to Kerberos tickets… Luckily in Kerberos there are really only two tickets (which confusingly are sometimes also referred to as Tokens) Ticket Granting Ticket (TGT) Service Ticket (ST) Both of these tickets are issued […]

Inside Kerberos – 3: SIDHistory

19th April, 2018

In this blog we will be exploring SID History, and it follows on from Part 1 which gave an overview of Kerberos, and Part 2 which was all about SIDs. The attribute sid-history has been there right since Windows 2000 and is used to store all of the SIDs that an object has had.   […]

Inside Kerberos – 2: SIDs

12th April, 2018

In Part 1 we set the scene in regards to how Kerberos works at a high level, so let’s now get down and dirty with Security Identifiers (SIDs) What is a Security Identifier (SID)? From MSDN: “A security identifier (SID) is a unique value of variable length used to identify a trustee. Each account has […]

Inside Kerberos – 1: Overview

5th April, 2018

I recently did some work at a client to help migrate them to a new Active Directory.  While setting up the migration including password and SidHistory syncs I told them to be careful of Domain Local Groups which can cause issues if users are nested directly in them.  Now I knew this was true, but […]

Get all possible AD Attributes for User or Group

20th September, 2017

I recently had to work out what the full set of attributes was that could be set against a user or a group in Active Directory.  My first thought was ok why not just grab a user in PowerShell and ask to see all properties Get-ADUser -ResultSizeLimit 1 -Filter * -Properties * However that only […]

Windows Server 2016: Access Denied for Admin Shares

5th September, 2017

We recently had an issue that started of with a problem promoting some domain controllers in Azure.  We’d set up the site to site VPN and wanted to stretch the Forest into Azure.  It seemed like a simple plan…  Problems arose when we promoted the domain controller with errors such as System log: Can’t process […]

Backup GPO Settings with retention

26th May, 2017

Backing up Active Directory should be part and parcel of creating a forest, however an often overlooked area is GPO settings.   Of course these are backed up along with AD, but restoring settings from an AD backup is pretty traumatic.  GPO settings should be backed up so that you can quickly apply an older version or […]

1