When you’re a little too careless about virtualizing your domain controllers, cloning, migrating, backing up and restoring, returning from vacation and deciding that having a single box holding all the FSMO roles is dangerous to the network, you will inevitably find yourself in the same situation I’ve found myself in. The following symptoms are tell-tale signs that you need to manually reset the KDC secure channel on your problematic domain controller:
- Any mechanism that relies on Kerberos authentication tickets will fail
- Practically all subsystem services and listening endpoints will cease to function (non KDC-related services like […]
If you’ve found yourself here then chances are you messed up one of your domain controllers or at least one of your DHCP Servers. I admit I did. More than once. And I’m tired of querying for the elusive “Remove-DhcpServerv4Failover” PowerShell script to force delete the Windows Server DHCP failover relationship. The way content makes its way onto this site is usually split into two categories: repetition, and one-time specialized content not found on the internet (or at least difficult to find).
Pick the server you want to keep. Look at your DHCP leases and determine which might be the most […]
A few years ago in a past life I performed an Active Directory migration from a 2003 functional level to 2008 R2 with ADMT 3.2 accompanied by an Exchange 2007 to 2010 migration. The only problem I ran into was that the old X500 addresses for the mailboxes aren’t migrated to the new mail system. The cached auto-complete email addresses in Outlook use the X500 address for internal emails which caused internal to internal email to fail. Once the auto-complete addresses were wiped out everything was fine and Outlook began creating new auto-complete data with correct X500 data. It’s a […]
If you have ever wanted to decommission an old file/SQL server while bringing another online to replace it and keep the existing hostname alive as an alias of the new system, you may want to force a duplicate SPN. Setspn.exe has had duplicate SPN detection built in since the Windows Server 2008 release when using the “-S” option. However, you can bypass the duplicate SPN detection by using the “-A” option. Creation of a duplicate SPN is blocked when targeting a Windows Server 2012 R2 DC using SetSPN with the -A option. The error message displayed is the same […]
In Outlook 2007 through Outlook 2010 all domain-joined Outlook clients would initially query Active Directory for AutoDiscover information and ultimately find a Service Connection Point (SCP) value that would point them to their nearest Client Access Server’s AutoDiscover virtual directory. If that failed then they would revert to using DNS like any non-domain-joined Outlook client.
Non-domain-joined Computer Lookup Order:
1. https://company.com/autodiscover/autodiscover.xml
2. https://autodiscover.company.com/autodiscover/autodiscover.xml
3. Local XML File
4. http://company.com/autodiscover/autodiscover.xml (looking for a redirect website)
5. SCP AutoDiscover Record
Domain-joined Computer Lookup Order:
1. SCP lookup
2. HTTPS root domain query
3. HTTPS AutoDiscover domain query
4. HTTP redirect method
5. SRV record query
Recently I had the impulse to populate existing AD user object property fields with phone numbers, titles, companies, and office; however, I wanted to use PowerShell to bulk import instead of the old ldifde method or manual labor. It was actually quite easy, but it does require some time massaging the CSV file in Excel.