Wednesday, December 31, 2014

computer account secure channel

computers have sid, username, pw

logging onto domain with user/pass creates secure channel

secure channel broken (do not fix by joining a workgroup and then rejoining the domain: that creates a new SID and loses group memberships)

  • > 30-day PW reset
  • os reinstall
  • LSA out of sync


  • ADUC: reset computer account, rejoin
  • DSMOD computer -reset, rejoin
  • NLTEST (no rejoin or reboot needed)
  • PowerShell: Test-ComputerSecureChannel -Repair

DSMOD command to reset the computer acct

NLTEST command to reset; issue it on the PC

"server" is the name of the computer whose computer acct is being reset

PowerShell command; issue it on the PC
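Added example (not from the original notes): a PowerShell script that checks the secure channel and, only if it is broken, repairs it in place without a rejoin or reboot, then verifies with NLTEST. The domain name is a placeholder and `$cred` is assumed to be an account allowed to reset computer account passwords.

```powershell
# Added example, not the notes' own command. Run elevated on the affected PC.
function Repair-SecureChannelIfBroken {
    param(
        [string]$Domain = 'corp.example.com',   # placeholder domain name
        [pscredential]$Credential                # acct allowed to reset computer passwords
    )

    # Step 1: non-destructive check; $true means the channel is healthy.
    if (Test-ComputerSecureChannel) {
        Write-Output "Secure channel to $Domain is healthy; nothing to do."
        return $true
    }

    # Step 2: in-place repair resets the computer account password on the DC
    # and locally (same effect as 'nltest /sc_reset'), so the SID and group
    # memberships are preserved, unlike the workgroup-then-rejoin approach.
    Write-Warning "Secure channel broken; attempting in-place repair."
    $repaired = Test-ComputerSecureChannel -Repair -Credential $Credential

    # Step 3: independent verification with NLTEST (exit code 0 = success).
    nltest /sc_verify:$Domain | Out-Null
    $verified = ($LASTEXITCODE -eq 0)

    if ($repaired -and $verified) {
        Write-Output "Secure channel repaired and verified."
        return $true
    }

    # Fall back to the heavier options from the notes: ADUC/DSMOD reset + rejoin.
    Write-Error "Repair failed (repair=$repaired, verify=$verified); reset the computer acct in ADUC/DSMOD and rejoin."
    return $false
}

# Usage: prompt for the privileged credential, then run the check/repair.
$cred = Get-Credential -Message 'Account allowed to reset computer passwords'
Repair-SecureChannelIfBroken -Domain 'corp.example.com' -Credential $cred
```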

Automated methods for managing accounts

User acct and security identifier (SID): each user acct has a unique SID; a same-named acct that is deleted and recreated gets a new SID.

ADSIedit tool to view AD attributes.

Automated methods


creating accounts automatically (bulk) using CSV file

DSADD - creates unprotected objects. Object names are case sensitive.

Use an Excel spreadsheet with the CONCATENATE function

add or remove user to group

find department name of users

Using the ADAC UI, modify a property on multiple users at once

  • DSRM


New-ADUser command

disabled/inactive accounts

Locating disabled/inactive accts using ADAC

LDAP search string.

offline domain join

normally a domain join (DJ) is a manual, local process

offline DJ benefits

  • saves time and effort for large deployments (datacenters, labs, new dept, large-scale PC deployment)
  • doesn't require network connectivity
  • auto-joined at first boot, no reboot
  • unattended.xml if wanted
  • "/downlevel" for pre-R2 DCs
  • new in win-12: allows DirectAccess config

Provisioning command to add computer to domain:

from the DC, create a Base64 security file valid only for the computer name specified.

copy blob.txt (the Base64 security file) created by the command above to the target computer

Djoin command:

from the computer to join, issue command then restart.

New in AD


  • deprecated, now built into the UI
  • adprep and other showstoppers handled in prerequisite checks.
  • /unattended:<file> - custom files for installations

ADAM: UI improvements, PS History

AD recycle bin UI - enabled forest-wide. Once enabled it can't be disabled, and all DCs must be refreshed.

From ADAC 

From Powershell

To restore from recycle bin - restores all attributes

Activation via AD - no need to activate with a KMS server; activation now happens via AD

Dynamic access control improvements

Virtualizing DCs - fixes the AD sync issues that reverting to snapshots used to cause.

UI for fine-grained PW policy - separate password policies within a single domain

Flexible and secure tunneling

ADFS included

Domain join via DirectAccess

srv records

  • DNS "SRV" entries
  • critical to proper function of AD
  • locate DCs
  • locate other services (e.g. Lync servers)

srv records can be replicated to DNS servers in forest or domain by right clicking on the zones.

To recreate srv resource records in the event of accidental deletion

Trusts and federations

four types of trusts

  • external - allows users in one domain to access resources in another domain
  • shortcut - direct trust to a deep child-level domain for quicker access without "walking the tree"
  • realm - lets a non-Windows (Kerberos) domain interoperate with a Windows domain
  • forest - creates a transitive trust, as in a normal forest domain trust

federation - not a trust. Access to applications in a different domain without a trust.

Global Catalog

Full copy of the host domain's objects
partial read-only copy of objects from other domains in the same forest


  • simpler searches across domains
  • no need to contact source DCs
  • UPN authentication
  • validates forest objects
  • universal group membership info

single domain - no added burden

multi-domain - consider added replication

enabling GC

if the only GC is removed, no one can log on

de-commissioned DCs need to be manually deleted from sites

Planning AD upgrade


  • usual win-12
  • dc upgrade (

forest functional level

  • no changes, but still requires /forestprep to upgrade to the latest forest level

domain functional level (

  • w2k3 or greater
  • new win-12 for dynamic access control (http;//

identify domain functional level

identify forest functional level

forestprep and domainprep

adprep is on the media CD. Issue the command only on one DC, as an enterprise admin

launch the win-12 media CD within the OS to upgrade

uninstalling AD and DC

Remove Role

De-select AD Domain Services to remove it. It will prompt you to demote the DC first.

Must demote the DC before removing AD.

Forced removal of a DC is also possible, but use it only in extreme cases

ensure that another DNS and GC exists

enter new local administrator password

From a Core install

enter local admin password for the member server.