How to purge Kerberos tickets of the system account
… or: How to update group membership information of the computer account. When updating Active Directory group membership of your users you usally ask them to logoff and logon again. You don’t tell them why, you just tell them to do so. What happens? When logging on again the group membership information of a user (within their kerberos tickets) gets updated and they can access the ressources they have access to. You can check which tickets a user has by using the klist command: But how about the system / computer account. You can’t logoff and logon the system account. You...
Read MoreAmbiguous Name Resolution (ANR) for LDAP
What is ANR? Ambiguous Name Resolution (ANR) is an efficient search algorithm associated with Lightweight Directory Access Protocol (LDAP) clients that allows for objects to be bound without complex search filters. ANR is useful when you are locating objects and attributes that may or may not be known by the client. A common use for ANR, for example, is in a situation in which a building name is known by the requesting client, but not the associated number. In this case, the physicalDeliveryOfficeName attribute may have a value of “Building 40” and a client might search for...
Read More“No such object” when configuring TPM on Windows Server 2012 or Windows 8
Scenario: You have a Windows Server 2012 or Windows 8 computer with TPM and you store your Bitlocker recovery and TPM owner information in Active Directory. When trying to configure the TPM hardware by using tpm.msc you get this error: Turn on the TPM security hardware This computer may require you to change the state of the Trusted Platform Module (TPM) manually. To perform this action, try turning on the TPM through the BIOS or performing a firmware update. Consult the computer manufacture’s documentation for instructions. There is no such object on the server. Error code: 0x80072030...
Read MoreCheck objectVersion on all Domain Controllers after schema update with PowerShell
Just copy and paste into PowerShell (Active Directory Module for Windows PowerShell) to get the version of AD schema on all domain controllers in current domain: $schemaContext = Get-ADRootDSE | %{$_.schemaNamingContext} Foreach ($dc in ([System.DirectoryServices.ActiveDirectory.DomainController]::findall( (new-object System.DirectoryServices.ActiveDirectory.DirectoryContext("Domain",$env:USERDNSDOMAIN)))) | %{$_.name}) { $path = 'LDAP://' + $dc + '/' + $schemaContext $Object = [adsi]$path $dc + ' ' + $Object.objectversion...
Read MoreStrange behavior with Data Protection Manager End User Recovery feature or not?
I recently activated the End User Recovery feature of Data Protection Manager 2012. I did the schema extension – which by the way added a ms-BackupSrv-Share attribute a ms-ProductionSrv-Share attribute a ms-SrvShareMapping class and a MS-ShareMapConfiguration container to my Active Directory. We’ll come back later to this… I also enabled EUR in DPM itself (Options > End-user Recovery). In the first few days this feature seemed to work really well and I was happy in the first place. But now, about 3 or 4 weeks later, I am experiencing some strange behavior. When looking...
Read MoreTape Label Studio
Why buy expensive barcode labels for backup tapes? Try Tape Label Studio for free. For more information on Tape Label Studio visit www.tapelabelstudio.com
Recent Comments