ActiveDirectory

Create Shadow Groups (Dynamic Groups) in Active Directory

Recently I faced a request from a client wanting a Dynamic Security Group in Active Directory which automatically update its members.. However we do have the concept of dynamic objects in Active Directory (I promise to speak on that on another article), but this one was completely different. The client wanted to have a security group which automatically removes the disabled users from it. So I started a lovely conversation with my lovely friend PowerShell.

Am I locked out? Where? How?

Manipulate delegation wizard in Active Directory

Ever wanted to add your custom attribute to Delegation Wizard feature of Active Directory? Then you came to the right place. Sometime it can happen that default attributes of ‘Delegation Wizard’ are not just enough for you and you would like to add more options to it. In order to do that, you have to edit delegwiz.inf file which you can simply find it on a Domain Controller.

Why DNS Scavenging is not working?

Scavenging feature in DNS is one of the tricky features of DNS console. Although it is quite easy to understand the concepts and configuration of scavenging feature, I have seen many cases where stale records are not being scavenged due to a misconfiguration. 

What is Secure Channel in Active Directory?

The word channel is easy to explain. Channel is a way of communicating with people or getting something done. Considering that communication can be a public process, a question will pop up that how can I secure my communication? That’s where the word secure comes into play. A combination of these two words will result in a concept which is absolutely crucial in Active Directory environment and that’s Secure Channel. The term “Secure Channel” can be defined as a way which authenticates the requestor and also provide confidentiality and integrity of data sent across the way.

Manipulating Active Directory search and add custom attribute

Delegation Wizard is one of the great features in delegating permissions to a group or user in order to delegate the responsibility and administering of objects in Active Directory. This wizard is maintained using delegwiz.inf file in each domain controller. In this tutorial we will cover how to manipulate this wizard and add our custom tasks into the default tasks of Delegation Wizard.

Manipulating the delegation wizard is not a difficult process. Firstly you have to navigate to %systemroot% and copy the delegwiz.inf file to your desktop. We have to do this because the file is protected and you are not allowed to overwrite the file. Once you copied the file you open it using notepad and edit using the following way.

Lingering Objects in Active Directory and How To's?

There are some specific concepts in active directory which may put your environment in trouble if you do not attend to fix them as soon as you notice. One of them is lingering objects. Defining the meaning of Lingering Objects (LO) is not difficult. Basically, if an object in your active directory partitions exist in one or more domain controllers and not exist in the rest of the domain controllers in the same partition. So you may ask yourself how that is possible to have an object in a DC and not having the same object in another DC? So what is the responsibility of replication? Wasn’t it designed in order to have a synchronized AD database in your environment? We are going to cover your questions as well.

Customize DST start and end time across the forest

Many countries advance their clock for 1 hour at very first day of the spring. Considering this concept, people simply get up in the morning at first day of the spring and set their clock. For Iran, every year, clocks will be advanced by 1 hour in 29th of Esfand ( The last day of winter), but Microsoft is not aware of when the 29th of Esfand is. 

Winning the Active Directory interview

During your career you might find yourself in situations like moving jobs or ptomoting etc. Well if you are looking for a list of concepts in order to brush up before your interview, this list can be a thing for you. However, the list below is just a list of topics which you can use in order to brush up your knowledge, not a baseline. So besides this list, you better know the stuff very well.

Best practices for FSMO roles placement

When the first domain controller is installed in your environment, all five roles are established in that domain controller and also that domain controller will be flagged as global catalog server. It is quite clear if the following DC which holds all the roles fails, there will be no logons. There are some reasons to place FSMO roles in different places like: Availability and Load on the server.