Active Directory


Moving Active Directory database related files to another location

Here’s your problem for the day: your Active Directory files are on the system drive, perhaps because you inherited some Active Directory domain controllers, perhaps because a junior Windows system administrator did the DCPromo… You’re a professional Windows system administrator and you want to have them located elsewhere, say D: […]


Windows Domain Controller Certificate template for LDAPS, Strong KDC, etc.

To perform LDAPS with Domain Controllers, you must install a certificate into the personal store of the computer account. If you are using Windows Enterprise CAs, this is no problem, as a dedicated template has existed for a while. For 3rd-party CAs, until Windows 2003, the requirements the certificate […]


How to have a member server stick to one specific domain controller?

In case of troubleshooting or a temporary issue, you may want to be sure that a given member server always authenticates against one specific domain controller. For this, you may want to combine two tools: the “time-to-live” (TTL) value for the validity of the discovered domain controller, and the ability to specifically […]


Useful hotfixes for your Windows 2008 R2 Servers and Domain Controllers

In addition to the monthly security patches from Microsoft, some hotfixes are worth applying on Windows 2008 R2 servers, and in particular on Domain Controllers. First of all, there’s the enterprise rollup package, which is available in the Microsoft Catalog but is not available to Update Services by default. […]


Quickly moving FSMO around Domain Controllers with Powershell AD Cmdlets

Of course, Microsoft provides us with a cmdlet to move FSMO roles between Domain Controllers… But, as is often the case, it doesn’t seem to have been designed by people who use it. First, the name of the cmdlet is lengthy: Move-ADDirectoryServerOperationMasterRole. Second, you must indicate every FSMO role you want to move amongst […]


Getting all domain controllers in a forest

Using something like Get-ADDomainController -Forest would be far too easy for module designers at Microsoft. Or does Microsoft no longer have multi-domain forests in its internal IT? Never mind, here is a nice snippet to retrieve them, which you may want to adapt to the fields you need.

[…]