Add support for sha-2 and sha3 in Supported Kerberos Encryption Types
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/decrypting-the-selection-of-supported-kerberos-encryption-types/ba-p/1628797 https://web.mit.edu/kerberos/krb5-devel/doc/admin/enctypes.html#enctype-compatibility It seems like `aes128-cts-hmac-sha256-128` and `aes256-cts-hmac-sha384-192` are supported by other Kerberos implimentations, but not yet supported by Windows Server. Can those be added to Windows Server? Also can you please think about adding sha-3 based ones too?
Securing ldap in WIndows AD
Hello everyone. I would like to secure the use of LDAP within an Active Directory domain. My domain has three Windows 2022 DCs. Searching online, I found these suggestions: Enforce LDAPS (LDAP over SSL/TLS) Disable Plain-text LDAP Bindings Block or Restrict Port 389 (Optional but Recommended) Enable Channel Binding Tokens (CBT) Does it make sense to only allow certain users to browse LDAP? Could limiting LDAP browsing to certain users cause problems? ThanksWindows 11 automatically restarting after install security Update — With GPO and WSUS.
Hi everyone, I’m facing a strange behavior with Windows 11 devices that receive updates through WSUS and are fully managed via Group Policy. Here’s the scenario: We have a GPO configured as follows: -Configure Automatic Updates → 4 (Auto download and schedule the install) -Scheduled installation every day at 10:00 -Install during automatic maintenance → disabled -Active Hours configured -Turn off auto-restart for updates during active hours → Enabled -Update deadlines set to 0 (to avoid any forced restart) -No other restart-related policies set in the domain Even with this configuration, after updates are installed, Windows 11 shows the following message: “Your organization manages update settings. We will restart and install this update at X minutes.” And then the device automatically restarts, even when: -a user is logged in -it is outside Active Hours -deadlines are disabled -no-auto-restart is enabled This behavior does not happen on Windows 10 — only on Windows 11.
Breaking Certutil changes in WS2025
I noticed yesterday that a certutil command I thought I could always rely on no longer works in Server 2025: >certutil -cainfo xchg CertUtil: -CAInfo command FAILED: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER) CertUtil: The parameter is incorrect. Executing certutil -cainfo xchg was a handy command which would ask the local certificate authority to output it's current CA Exchange certificate in Base64 format. If the CA didn't have a valid exchange cert at the time, it would immediately create a new one. Think of a CA Exchange certificate as a short-lived TLS cert which the CA provides clients when they need to upload private key material for archival. Anyway, looking at the help for certutil, the command still exists, however, it requires a new parameter: xchg [Index] -- CA exchange cert So, I figured [Index] had to refer to the CA certificate index. When you initially deploy an ADCS certification authority, the CA's initial certificate is at index 0. When you renew/re-key the CA, the new CA cert is at index 1. I tried using 0 for the [Index] parameter. No dice: >certutil -cainfo xchg 0 CertUtil: -CAInfo command FAILED: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER) CertUtil: The parameter is incorrect. I can't think of what else that parameter would be. Has anyone been able to successfully used this command on WS2025? If so, please share how!Volume Activation role questions
We have a DC, running Server 2016 to decommission (call it old server). One of the roles it had was Volume Activation (VA). This is Active Directory based and the keys AD holds are both for clients (Win11) and servers (2016/19/22/25). I have removed the VA role from the server and tested with a server which I added to the domain and the OS activated successfully, so it looks like it is working. I noticed the _vlmcs SRV DNS record was not deleted and is still pointing to the old server. Since the old server is no longer having the VA role, is it safe to delete the DNS record for the _vlmcs SRV record? What else do I need to take into account? Thanks in advanceActive Directory Restoration in Isolated Environment
Introduction: Active Directory is centralized Database which stores the objects like users, groups, computers, printers, shares, service accounts in an hierarchical structure. It is one of the most critical and important services in IT Infrastructure as it provides centralized authentication and authorization, allows administrators to manage access to resources, enforce security policies etc., Objective \ Purpose: The purpose of this article is to provide detailed steps to recover the entire Active Directory forest from Good Backup taken using native backup "Windows Server Backup" and Backup taken through "Azure VM Backup" in an isolated environment to check the backup working status. This builds the confidence of restoring the AD and bringing to production in case of a disaster like complete loss of Production domain or malware attack or any other attack etc., Environment Background: ----------------------------- In this article, the Active Directory environment is considered to be having Root domain as test.com and Child Domain as child.test.com in Azure Cloud. Operating system used is Windows server 2019 and Windows server 2025. Recovery Approaches: ------------------------- Active Directory can be recovered using many methods, viz., 1. Active directories recycle bin: To restore only the deleted objects, but this option is not suitable for recovering complete AD 2. System State Backup: This helps in restoring Active Directory Database in DSRM mode by marking authoritative or non-authoritative based on requirement. 3. Complete VM Backup: This is the best option to restore complete Domain Controller Building the Isolated Environment in Azure: ------------------------------------------------ 1. Create a separate VNET 2. Subnet for Azure Bastion and Subnet for deploying virtual machine 3. NSG to allow only communication inside the VNET and block other communications Restore Procedure: -------------------------- Restoring the Root Domain DC: 1. Search the domain Controller VM in Azure console 2. Select recover and create new 3. Fill in the details of the isolated environment so that the VM will be re-created 4. Login with domain admin privileges 5. Verify the DNS assigned using IPCONFIG /ALL 6. Change the DNS IP address on network properties to Server IP Address 7. Perform Ipconfig /registerdns so that the IP of new DC will be updated 8. Run Command : Net Share to check SYSVOL and NETLOGON is showing up 9. Boot the system into DSRM Mode by selecting the option in msconfig 10. Once it is booted in DSRM Mode, login using local administrator credential If it is needed to restore the system state of any other date after restoring the complete VM, then using "Windows Server Backup Wizard" choose recover and follow the steps; else skip this step and continue with step 11. >Select Backup Location >Specify the backup source >Select date and time >Select the recovery type as system restore >Recovery options as Original >Review and Confirm 11. Open Command Prompt as administrator and mark all the naming context as authoritative using ntdsutil >ntdsutil >activate instance ntds >authoritative restore >restore subtree "DC=test,DC=com" Repeat the above steps for the other Naming context like "CN=Configuration,DC=test,DC=com", "CN=Schema,CN=Configuration,DC=test,DC=com", "DC=ForestDNSZones,DC=test,DC=com", "DC=DomainDNSZones,DC=test,DC=com" as well. Reboot the server in normal mode and perform the following steps for making sysvol as authoritative: Mark the sysvol as authoritative by changing the msDFSR-Enabled value to 1 >net stop dfsr >Open Active Directory Users and Computers, go to View and enable Advanced Features >Navigate to Domain Controllers -> Your DC -> DFSR-Localsettings -> Domain System Volume >Right-click SYSVOL Subscription, select Properties, and then Attribute Editor >Find msDFSR-Options, click Edit, change the value to 1, and click OK >Run repadmin /syncall /Aed from an elevated command prompt to force replication of the AD changes >Run net start dfsr in an elevated command prompt on the authoritative DC. >Run dfsrdiag /pollad from an elevated command prompt on the authoritative DC Verify the domain controller is holding the FSMO roles if not seize the roles. Steps are as follows: >ntdsutil >Roles >Connections >Connect to Server <Recovered VM> >quit >seize PDC Emulator Repeat the above steps to seize the other roles (Infrastructure, Schema master, RID Master and Domain Naming master) Check the time synchronization by using w32tm /query /source. Now Domain Controller is completely recovered from backup. Check the health of domain controller using DCDIAG Command. Restoring the Child Domain DC: 1. Search the domain Controller VM in Azure console 2. Select recover and create new 3. Fill in the details of the isolated environment so that the VM will be recreated 4. login with domain admin privileges 5. Verify the DNS assigned using IPCONFIG /ALL 6. Change the DNS IP address on network properties to Server IP Address 7. Perform Ipconfig /registerdns so that the IP of new DC will be updated 8. Run Command : Net Share to check SYSVOL and NETLOGON is showing up 9. Boot the system into DSRM Mode by selecting the option in msconfig 10. Once it is booted in DSRM Mode, login using local administrator credential If it is needed to restore the system state of any other date after restoring the complete VM then using "Windows Server Backup Wizard" choose recover and follow the steps; else skip this step and continue with step 11. >Select Backup Location >Specify the backup source >Select date and time >Select the recovery type as system restore >Recovery options as Original >Review and Confirm 11. Open Command Prompt as administrator and mark all the naming context as authoritative using ntdsutil >ntdsutil >activate instance ntds >authoritative restore >restore subtree "DC=Child,DC=test,DC=com" Repeat the above steps for the other Naming context. Reboot the server in normal mode and Perform the following steps for making sysvol as authoritative: Mark the sysvol as authoritative by changing the msDFSR-Enabled value to 1 >net stop dfsr >Open Active Directory Users and Computers, go to View and enable Advanced Features >Navigate to Domain Controllers -> Your DC -> DFSR-Localsettings -> Domain System Volume >Right-click SYSVOL Subscription, select Properties, and then Attribute Editor >Find msDFSR-Options, click Edit, change the value to 1, and click OK >Run repadmin /syncall /Aed from an elevated command prompt to force replication of the AD changes >Run net start dfsr in an elevated command prompt on the authoritative DC. >Run dfsrdiag /pollad from an elevated command prompt on the authoritative DC Verify the domain controller is holding the FSMO roles if not seize the roles. Steps are as follows: >ntdsutil >Roles >Connections >Connect to Server <Recovered VM> >quit >seize PDC Emulator Repeat the above steps to seize the other Domain specific roles (Infrastructure, RID Master) Check the time synchronization by using w32tm /query /source. Verify the DNS Resolution for Root Domain and Child domain from both Root DC and Child DC. Verify the Parent and child trust using AD Trust console and validate the Trust connection. Now Domain Controller is completely recovered from backup. Check the health of domain controller using DCDIAG Command. In case it is planned to move this to Production environment to make these as first root DC and first child DC, then following steps are to be performed to cleanup the stale entries of non-functional DC. >ntdsutil >metadata cleanup >Connections >Connect to server <server> >quit >Select Operation Target >list domains >Select Domain <number> >List Servers in site >Select Server <number> >quit >remove selected server Confirm for removal as 'Yes' Repeat the above cleanup steps in both Root Domain DC and Child Domain DC for the non-functioning domain controller. Verify the Dcdiag, repadmin /showrepl, repadmin /replsummary to check health of Domain controller and replications. This completes the recovery of both Root Domain and Child Domain.Public network on NIC instead of domain network
On a Windows Server 2025 Standard Edition, I have 2 NICs: a 10Gbps NIC and 1Gbps NIC. Both NICs have a static IP address, but only the faster 10Gbps has a default gateway. The faster NIC correctly identifies as the domain network but the slower NIC says it is on a public network. The DNS settings and suffixes are the same for both cards. I have another Windows 2025 server with the same setup but both NICs identify as the domain network. Any ideas on how to fix this? Thanks.Deploying Multiple NPS Servers
I have been working on ditching our password-based WiFi with WPA2-Enterprise. On DC1 I deployed internal CA, NPS, and group policies that auto-request certs and deploy wireless network settings. Cisco AP is pointed to DC1 as the radius server. NPS has been registered in AD and wireless network policy has been created. Test laptops get their cert and connect just fine. It's working. For redundancy, I installed NPS on DC2. This NPS instance has also been registered in AD, and I imported the NPS config from DC1 to DC2 NPS. Cisco AP has DC1 as first radius server and DC2 as second radius server. If I stop NPS on DC1 to force the Cisco AP to authenticate against DC2, test laptops won't authenticate and connect. What am I missing? They're configured exactly the same (except DC1 hosts the CA...I was under the assumption the CA is AD integrated).
