Active Directory: Re-use of the account was blocked by a security policy

In an Active Directory domain, a problem occurred where no new computers could be added to Active Directory. The error message when adding the client was as follows: In the domain, an Identity Manager was able to create the computer before it was added to Active Directory (pre-staged), and not only when it was added ...

Windows Server 2025: New Active Directory features

Windows Server 2025 offers new features for Active Directory (AD DS) and Active Directory Lightweight Domain Services (AD LDS) for the first time in a long time. With the new features, Active Directory scales better even in very large environments and brings additional improvements for security and stability. Optional feature for 32k database page size: Since the introduction of Active Directory ...

Windows Server 2025: Domain Controller In-place Upgrade

The new Windows Server 2025 brings some new features for Active Directory and also makes the upgrade particularly easy. An in-place upgrade to Windows Server 2025 is possible from Windows Server 2012 R2 without an intermediate step. In principle, only the Server 2025 ISO needs to be mounted and the server can be upgraded directly. In ...

March update can cause domain controller to crash

Like the updates for Exchange Server, the March update for Windows Server also contains a serious error. The update causes a memory leak in the LSASS process, which can then lead to a domain controller restarting or crashing. Only domain controllers are affected by this problem; the problem does not occur on normal member servers. Currently ...

Group Managed Service Accounts (gMSA) for tasks and services

Service accounts for starting Windows services or scheduled tasks are often configured with the "password never expires" attribute and then used for years. Often such service accounts are also misused beyond their original purpose and used on many servers for a wide variety of tasks. Service accounts with far-reaching authorizations and passwords that never expire then make it easier for ...

Delegate Active Directory Admin authorizations

Some readers of this blog have requested an article on delegating admin authorizations. Most requests revolve around the fact that certain administrative tasks, such as creating user accounts or resetting passwords, should be carried out by users. Of course, these users should not have Domain Admin authorizations, but only the authorizations required for their activities.

Changing the IP address and host name of a domain controller

Sometimes it may be necessary to change the IP address and host name of a domain controller after the fact, for example if a new domain controller replaces an old one and is to be accessible under the same IP and name. Changing the IP address of a domain controller is normally possible without any problems; changing the host name of a domain controller ...

VMware vSphere VMs: Caution with vMotion operations and time-critical VMs such as domain controllers

I recently fell into this trap, because with time-critical VMs, such as domain controllers, which are operated on VMware vSphere, you have to pay attention to a small peculiarity. Since an incorrect time can have far-reaching consequences, here is a short article on the subject. The following problem has occurred. An NTP server ...