How can I link a GPO to the Computers Container

Well, the easy and correct answer is that you can't. The Computers container is a container, not an organizational unit. Why not, you may wonder? [Read more…]

What to remove in DNS to stop client access to domain controllers

So you want to get rid of a domain controller, but don't want incidents with systems that are configured to use that controller directly?

First of all, start by disabling the dynamic registration of the domain controller in DNS. The easy way to do that is to set the registry value UseDynamicDns to 0.

Now the domain controller won't register itself in DNS again, so let's start removing its entries from DNS. The records it registered are listed in %WINDIR%\System32\config\netlogon.dns; below is an example of that list. [Read more…]

Using Network Monitor to check for LDAP traffic before demoting a domain controller

Here is a simple capture filter I used to find which machines were using the LDAP service on a domain controller I was demoting. Before running it I needed to remove a couple of DNS references to the server so clients wouldn't be directed there any more.

This still includes a lot of traffic we don't really want, so let's ignore all traffic to and from the other domain controllers.

Append the output to the end of the filter with an AND (AND OUTPUT GOES HERE), so it will look like this:

But wait, what is ::1 doing in there? If you have IPv6 enabled the resolver will return that address as well, so don't worry. Now let's see who talks to the server, migrate them, and make sure they don't have any static entries pointing at this domain controller.

Update 30/1: added a SYN-flag requirement so the filter only captures the initial packet of each connection.

Using PowerShell and SIDs to change ACLs

Recently I needed to create lots of users and home directories. This gave me a challenge: how can I grant rights on a home folder within seconds of creating a user?

If you create a user and then a folder and try to set the rights through the Properties > Security tab, searching for the user takes a while, because the domain controller you are talking to may not yet have the information about the new user.

So how do you create thousands of users without building in long delays to allow for Active Directory replication? You turn to SIDs. The SID is the Security Identifier of the account, and it's the SID, not the name, that is stored in the ACL.

If you go into the Security tab now you should see the raw SID, unless you are already talking to the same DC that created the user.

I got a comment from Francis Favorini that I could simplify the account creation and SID retrieval parts, so I implemented those too.
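An added example (not the blog's own script) of the approach described above: the user is created with New-ADUser -PassThru so its SID comes straight back from the DC that created it, and the home folder ACE is written against that SID rather than the account name, so the file server never has to resolve a name its own DC may not have replicated yet. The share path, OU and account name are placeholders.

```powershell
# Added example, not the blog's own script. Assumes the ActiveDirectory module
# (RSAT) is installed and the share/OU paths are adjusted to your environment.
Import-Module ActiveDirectory

$homeRoot = '\\fileserver\home$'                 # placeholder share
$ouPath   = 'OU=Users,DC=example,DC=com'          # placeholder OU
$sam      = 'jdoe'                                # constructed sample account

# -PassThru returns the new ADUser object, including its SID, from the DC that
# created it, so no second lookup (and no wait for replication) is needed.
$user = New-ADUser -Name $sam -SamAccountName $sam -Path $ouPath -Enabled $false -PassThru
$sid  = [System.Security.Principal.SecurityIdentifier]$user.SID

# Create the home folder and build an ACE keyed on the SID, not the name.
$homeDir = Join-Path $homeRoot $sam
New-Item -ItemType Directory -Path $homeDir | Out-Null

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $sid,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -Path $homeDir
$acl.SetAccessRule($rule)
Set-Acl -Path $homeDir -AclObject $acl

# Verify: until the file server's DC has replicated the account, the
# IdentityReference shows the raw S-1-5-21-... value rather than DOMAIN\jdoe.
(Get-Acl -Path $homeDir).Access |
    Where-Object { $_.IdentityReference.Value -eq $sid.Value } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```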

Default DFS configuration changes

The DFS service is used in ALL Active Directory domains, even if you don't configure a namespace yourself. There are a few DFS fixes I always try to implement to get a smoother experience for both the end users and the IT support crew, and I have documented a couple of DFS registry configuration entries in this blog.

Below are a few default configuration changes I usually make. These are mostly recommendations from Microsoft. [Read more…]