Topics tagged "active directory"
    • OksanaO

      Active Directory Replication Status Tool: Is There a Replacement?

Starwind starwind active directory ad troubleshooting
0 Votes | 1 Posts | 200 Views | No one has replied
    • OksanaO

      Secure Your Network with DHCP & DNS Best Practices

Starwind starwind active directory dhcp dns
0 Votes | 1 Posts | 234 Views | No one has replied
    • OksanaO

      Microsoft Windows Server 2025: Key Features and Licensing Changes

Starwind starwind microsof windows server 2025 windows server 2022 hyper-v powershell active directory
0 Votes | 1 Posts | 615 Views | No one has replied
    • scottalanmillerS

      Move FSMO Roles Using PowerShell | Active Directory Domain Controller AD DC

IT Discussion powershell ad dc ad dc active directory fsmo domain controller windows windows server
4 Votes | 4 Posts | 883 Views
CCWTechC

      @syko24 said in Move FSMO Roles Using PowerShell | Active Directory Domain Controller AD DC:

      I'm a fan of the one liner assuming you are transferring all roles to the same DC.

Move-ADDirectoryServerOperationMasterRole -Identity "DC-Server" -OperationMasterRole 0,1,2,3,4
0: PDCEmulator
1: RIDMaster
2: InfrastructureMaster
3: SchemaMaster
4: DomainNamingMaster

      Me too. This is what I normally use. SOOOO helpful.

Not sure why PowerShell made it so complicated to find who has the roles.
netdom query fsmo was so easy.

    • OksanaO

      Stay Informed: What's Coming with Windows Server 2025?

Starwind starwind microsoft windows server windows server 2025 active directory
0 Votes | 1 Posts | 263 Views | No one has replied
    • EddieJenningsE

      sssd and user ID mapping

IT Discussion linux sssd authentication ad active directory
0 Votes | 14 Posts | 3k Views
1

      @stacksofplates said in sssd and user ID mapping:

      @Pete-S said in sssd and user ID mapping:

      @Semicolon said in sssd and user ID mapping:

@Pete-S If it is an issue, it's trivial enough to prevent public key authentication for users or groups of users, even groups of AD users.

      Sure, but the problem for developers and admins is that they usually need their keys. That's why I don't think ad/ldap integration with ssh users really works in that use case.

      The other solution, which is what I think is more suitable for developers and admins, is to use your SSO/AD solution with MFA to pickup a short-lived ssh certificate. Then you use the ssh certificate to actually access things.
      Many companies with huge infrastructures use this method because it's very scalable.

We forced Kerberos for SSH auth after we enabled AD integration. SSH works like keys then but you don't use the keys.

      Never used it but it seems to be a good solution if you want AD integration.

      I noticed that gitlab also supports kerberos for pushing and pulling. I assume github does too. That's very convenient.

    • scottalanmillerS

      Windows 10 Workstation Cannot Be Accessed via RDP with Other User Error

IT Discussion windows windows 10 active directory rdp windows server 2019
0 Votes | 8 Posts | 796 Views
J

      We find that if we rename the PC, then allow more than a day to go by before restarting, this can happen.

      Also, if we rename a PC, then the user allows the PC to go into Lock mode (screen saver timeout with login required to return) they will encounter this upon wake up/re-logon.

In the above two cases a reboot usually resolves it; when it doesn't, we go in as local admin and disjoin then rejoin the domain to resolve it.

      Also, in the above two cases, we did not lose the computer in active directory, so after the disjoin/rejoin you'd want to remove the orphan computer from AD.

      There's an article online somewhere about why you should NOT disjoin and rejoin the domain in this case, but we have always done it this way and have never experienced ill effects.

    • OksanaO

      Enhance Your Hybrid Cloud Environment Security with SSSD

Starwind starwind sssd linux vms active directory
1 Votes | 1 Posts | 332 Views | No one has replied
    • FredtxF

      Multiple Tombstoned DC's

IT Discussion active directory
0 Votes | 28 Posts | 2k Views
scottalanmillerS

      @Fredtx said in Multiple Tombstoned DC's:

      @JaredBusch said in Multiple Tombstoned DC's:

      Mesh of multiple locations like you have is simply asking for crypto to hit all the things.

      Exactly what I've been telling them.

      VPNs and AD the same. The mesh "should" not pose any threat because there should be nothing exposed over the mesh. But given the rest of the design, we can safely assume there are security holes everywhere and they are just trying to open more.

These are the flags that hackers look for when finding easy targets.

    • OksanaO

      Changes to Kerberos and Azure Active Directory Authentication

Starwind starwind microsoft azure active directory kerberos
2 Votes | 2 Posts | 634 Views
travisdh1T

      @oksana said in Changes to Kerberos and Azure Active Directory Authentication:

      Kerberos is an authentication protocol that has been around since Windows Server 2000.

      That should read: Kerberos is an authentication protocol that was introduced to Windows in Server 2000.

      It was around for a long time before then: https://en.wikipedia.org/wiki/Kerberos_(protocol)

    • gjacobseG

      Computer Name Issue: Domain Joined

IT Discussion windows10 active directory
0 Votes | 5 Posts | 643 Views
JaredBuschJ

      @dashrender said in Computer Name Issue: Domain Joined:

      @scottalanmiller said in Computer Name Issue: Domain Joined:

      @dashrender said in Computer Name Issue: Domain Joined:

      @gjacobse Weird is right.

The closest I've seen is when 'nix boxes get a DHCP lease: they send this number that is some form of extended MAC as the hardware ID.

      Interested to hear what you find out.

      DHCP seems reasonable. Or there was a conflict.

In my case it's something in the way many Linuxes now work. This thread talks about it.
      https://community.spiceworks.com/topic/2288212-strange-extra-long-linux-mac-address-in-dhcp-active-leases

      Not clicking the link, but it is the last 4 sets of the MAC address and the machine id as noted in /etc/machine-id. It is part of the DHCP RFC.

    • gjacobseG

      Active Directory Domain name

IT Discussion domain name registration domain name active directory active directory domain
0 Votes | 54 Posts | 6k Views
dbeatoD

      @scottalanmiller said in Active Directory Domain name:

      @stacksofplates said in Active Directory Domain name:

      @dbeato said in Active Directory Domain name:

      @scottalanmiller said in Active Directory Domain name:

      used that way. No certificate maker should ever have included it (and I've never heard of that as it would always indicate a scam CA as you cannot own that domain by definition).

The majority, if not all, did add .local, .lan and others; unless you think all CAs are scams, I wouldn't say they are a scam.

      Yeah from a quick search looks like at least GoDaddy and Digicert offered them.

      Nov 2015 is when CA/Browser Forum set the standard to not allow internal domains. So looks like most if not all would have supported it before that.

      https://cabforum.org/internal-names/

      Damn, that's a major security hole! So I could go get a cert issued for a domain someone else used and there had to be zero verification since.... there was nothing to verify!

      Yup.

    • gjacobseG

      ADUC Set Password Expiry

IT Discussion wfh work from home aduc password password expiry reset password expiry active directory
0 Votes | 13 Posts | 1k Views
gjacobseG

      @irj said in ADUC Set Password Expiry:

      @gjacobse said in ADUC Set Password Expiry:

      @irj said in ADUC Set Password Expiry:

      You gotta teach good culture

      Good Luck

      Sometimes people have to be inconvenienced for security

      Don't disagree - but can't stop doing business either.

      Managing all these exceptions is an operational nightmare that will create a load of technical debt.

No lie - and no argument there. But resetting the expiry date/time doesn't seem all that different than resetting any password. A few clicks and poof.

      I can understand your point, but some responsibility for security must fall on the user. Management of course has to buy in on this and/or give full control of IT policies to a CISO/IT manager/generalist (depending on size of business).

Again - no disagreement. Barring this, being able to set a date for the password to expire that isn't too far out of policy seems better and more ideal than some of the options.

    • scottalanmillerS

      You Have Exceeded the Maximum Number of Computer Accounts - Windows and Active Directory

IT Discussion windows windows 10 active directory ad dc adsi
3 Votes | 3 Posts | 1k Views
scottalanmillerS

      @dbeato said in You Have Exceeded the Maximum Number of Computer Accounts - Windows and Active Directory:

      @scottalanmiller This is for a standard user without any Domain Admin Privileges. I am assuming this is for a Technician joining computers that no one wants to have admin permissions.

      That would be an example case. Yes.

    • OksanaO

      Enhance Azure Portal Security with Multi-Factor Authentication

Starwind azure azure ad active directory
1 Votes | 1 Posts | 356 Views | No one has replied
    • OksanaO

      Going the Extra Mile to Protect Your Backups from Ransomware

Starwind windows active directory starwind vtl backup
1 Votes | 1 Posts | 447 Views | No one has replied
    • OksanaO

      Integrating a Linux Machine Into Windows Active Directory

Starwind windows active directory linux
5 Votes | 1 Posts | 316 Views | No one has replied
    • OksanaO

      Microsoft Certificate Server: Automatic Enrollment!

Starwind microsoft active directory ssl
1 Votes | 1 Posts | 460 Views | No one has replied
    • DashrenderD

      Using non MS DHCP in MS AD

IT Discussion active directory dhcp
0 Votes | 10 Posts | 999 Views
DashrenderD

      @JaredBusch said in Using non MS DHCP in MS AD:

Set up the way I show, Windows DNS still gets updated from workstations.


      Good to know Windows is doing what it's supposed to do!

      Thanks Jared

    • OksanaO

      Increase Security by Minimizing Permissions in Horizon AD

Starwind horizon vmware active directory
0 Votes | 1 Posts | 371 Views | No one has replied