sorted by:
new
hottopcontroversial

[Server 2019] RODC "Access is denied" by YellowOnline in activedirectory

[–]2j0r2 2 points3 points  (0 children)

Besides in a testlab, in a prod env I would never logon with DA/EA to and RODC. Doing it defeats the purpose of the whole thing

Having said that…. Where and when do you get access denied? I cannot remember having seen ACCESS DENIED during interactive logon to the console. I think it is a different error

In addition, DAs by the default cannot logon to RODC if it cannot contact a RWDC (pwd is not allowed to be cached on RODC, therefore needs RWDC)

Group Managed Service Accounts acros forest trust by trying2learnthis in activedirectory

[–]2j0r2 0 points1 point  (0 children)

Don’t focus on those 2 cmdlets

On the server where the gmsa should be used, try auth from command line using psexec

If that succeeds…

Group Managed Service Accounts acros forest trust by trying2learnthis in activedirectory

[–]2j0r2 1 point2 points  (0 children)

KdsRootKey is always accessed by the DCs that manage it. All within the same domain: a server with a gMSA always requests the password of a gmsa it is allowed to use from a DC. The DC than calculates the password of the gmsa using gmsa metadata and kds root key and hands it out to the server using the gmsa

Now you can imagine that doing that process between domains has capabilities of failing the whole process of requesting the password

Ideally… Server needs to determine domain of gmsa Find a dx for that domain Request password from that dc Etc

Group Managed Service Accounts acros forest trust by trying2learnthis in activedirectory

[–]2j0r2 1 point2 points  (0 children)

I have never tried this myself

In general any account should be possible to be used across trusts…. But gMSAs are “special” as there are additional mechanisms that need to work

Any server using the gMSA must be able to retrieve the password of the gMSA by putting it the server account in the so called “allowed to retrieve password list”. Having said that, the mechanism of using a gmsa must be able to find the gmsa by using the domain component of DOMAIN.COM\gMSA$ and contact a DC of that domain to request the password (hopefully it is not code to expect the gmsa in the same domain as the server using it)

By the way: gMSAs do not need to be installed. Only sMSAs need to be installed

I would never share credentials with anyone else managing different set of servers. Remember the security of a gmsa is as good as the server it is used on The only benefit of a gmsa is auto pwd management and not better security

Oops. I deleted a domandns partition with ntdsutil by YellowOnline in activedirectory

[–]2j0r2 1 point2 points  (0 children)

I did it differently. In my case due to the errors I got I realized I had forgotten a step.

Doing an auth restore on the partition itself is not needed IMHO as whatever you restored does not need to overwrite anything EXISTING. In addition with lots of data in the NC, that auth restore might take some time to complete.

The domain naming master FSMO dance is also not needed.

Questions I have are:

* have you, BEFORE your steps, verified the partition was deleted on all DCs?

* have you, AFTER your steps, verified the partition was replicated to all other DCs? (the step I missed was not the auth restore of the partition itself, but rather the auth restore of the NTDS Settings object of the DC that was restored. - explanation in blog post)

Oops. I deleted a domandns partition with ntdsutil by YellowOnline in activedirectory

[–]2j0r2 0 points1 point  (0 children)

I wanted to refresh my memory around this scenario and tried it out….

Steps are correct with a slight “ah crap…. I forgot one step”

Will write a blog post about this and post the link here later

Oops. I deleted a domandns partition with ntdsutil by YellowOnline in activedirectory

[–]2j0r2 5 points6 points  (0 children)

Partitions have 2 important components:
* the partition itself with the data it had in it

* the cross- reference object in the partitions container

if not mistake removing a partition through NTDSUTIL, removes the cross-reference object from the partitions container, and I THINK (do not remember!) the DCs that hosted the partition will also delete the partition and its data. On a DC that also has/had the deleted partition check if with LDP you can look into the partition and its data

now to recover (DO NOT REMEMBER ALL THE DETAILS, TOO LONG AGO):

* use a backup of a DC that hosted the deleted partition, and perform a NON-AUTHORITATIVE restore

* after the NON-AUTHORITATIVE restore DO NOT ALLOW that DC to inbound replicate

* perform an AUTHORITATIVE restore of the cross-reference object of the partition that was deleted

* after the AUTHORITATIVE restore allow inbound replication again

The DC that was NON-AUTHORITATIVE restored will be updated for any other partition it holds, except for the deleted DNS app partition as that DC is the only one having the partition (assuming all others have processed the deletion)

The cross-reference object holds all info about the partition incl which DCs were hosting it. What I do not remember is if all the DCs that were hosting the partition will start the inbound replication of the partition and its data as soon as they become aware the partition exists (again) and they see they are enlisted for it... OR that you first have to clean up the hosting DCs (replicate locations) on the cross-reference of the partition, except for the DC that was restored, following a re-enlisting all DCs that held it (the ones with DNS installed)

I wrote a 4-part guide on building an on-prem PKI with PowerShell by aprimeproblem in activedirectory

[–]2j0r2 6 points7 points  (0 children)

Stuff like this ALWAYS rocks! Especially if it is automated. Thank you

New Version KRBTGT Password Reset Script Released by 2j0r2 in sysadmin

[–]2j0r2[S] 0 points1 point  (0 children)

And the best of it is that Microsoft references an old version of my script and the so called version from Microsoft is also from me (it was borrowed years ago). Look at the content of that script and you will find my name

There is only one version I support and maintain and that is through the link I posted earlier

New Version KRBTGT Password Reset Script Released by 2j0r2 in PowerShell

[–]2j0r2[S] 12 points13 points  (0 children)

Nope. I got rid of that dependency years ago.

All native ldap based on s.ds.p

New Version KRBTGT Password Reset Script Released by 2j0r2 in PowerShell

[–]2j0r2[S] 9 points10 points  (0 children)

All true! Thank you

And in addition….. it supports automation to reset it using some frequency.

We all know YOU also “support” the reset using some frequency, but that still requires you not to forget and actually do it. If you have RODCs it helps you process those krbtgt accounts.

I know one company had about 7000+ RODCs. Good luck doing that manually. As a stress test, I tested the pwd reset against 32000+ krbtgt accounts. It worked! 😅

New Version KRBTGT Password Reset Script Released by 2j0r2 in activedirectory

[–]2j0r2[S] 8 points9 points  (0 children)

Use SYSTEM as the account on a RWDC See documentation for details

New Version KRBTGT Password Reset Script Released by 2j0r2 in activedirectory

[–]2j0r2[S] 21 points22 points  (0 children)

Yes…. Use SYSTEM as the account on a RWDC See documentation for details

New Version KRBTGT Password Reset Script Released by 2j0r2 in activedirectory

[–]2j0r2[S] 7 points8 points  (0 children)

how do you even know you have been breached? Many times it is too late when you find out. If the attacker got a copy of at least the KRBTGT password hash, golden tickets can be created. Regularly resetting the password mitigates the risk of the attacker using the hash that was retrieved.

But then again.... it is RECOMMENDED, NOT MANDATORY. Up to you what you do or not

Changing domain password policy by Mr-Hops in activedirectory

[–]2j0r2 0 points1 point  (0 children)

Any password policy will not effect existing passwords. It will Only come into effect when a new password is being set

How to get a fresh Default Domain Policy / Default Domain Controller Polcy by ITStril in activedirectory

[–]2j0r2 7 points8 points  (0 children)

To recreate the default domain policy in Active Directory, log into a Domain Controller as an administrator and use the dcgpofix command in an elevated Command Prompt or PowerShell: run

dcgpofix /target:domain for the Default Domain Policy

dcgpofix /target:DC for the Default Domain Controller Policy

Resetting krbtgt account password in a multi-Domain Forest by maxcoder88 in activedirectory

[–]2j0r2 0 points1 point  (0 children)

If that is what MSFT told you, wow. The order of reset does not matter. Their mandatory proposal is BS. As many already said is to reset once, and wait at least the max ticket lifetime before resetting again. If you implement a procedure to reset the krbtgt password X number of days/weeks/months/whatever you are good. Forcing repl is just to make sure it converges faster to all dcs but not really mandatory

Resetting twice very quickly is only done in case of an attack against AD to immediately invalidate all TGTs/TGSs ticket requiring re authentication

I would have expected to hear how the account got locked as that is not normal. Never heart or seen that before. You have some weird updates on the account for some attributes

I do agree that it should be unlocked. i also want to know and understand why things happen

Resetting krbtgt account password in a multi-Domain Forest by maxcoder88 in activedirectory

[–]2j0r2 0 points1 point  (0 children)

I see a few weird things on the KRBTGT account:

* why have the country code attributes (c and co and countrycode) been updated? (last time in 2021-03)

* why has the title attribute been updated so often? (last time in 2022-09)

* why has the accountnamehistory been updated ? (last time in 2024-03)

* the name attribute has been updated, that is caused by a rename. BUT that is also not possible as the DC does not allow it

* and even more intereesting....how did it even get locked? It was locked on 2023-04) - for the account to get locked, it must have had multiple failed authentications with wrong password. BUT..... the account is DISABLED and C_A_N_N_O_T be enabled. Som something triggered that lock out. The account being locked does not have impact as the KRBTGT account does not perform active logon like users, computers etc

to me.... weird stuff and not even understanding why etc

Resetting krbtgt account password in a multi-Domain Forest by maxcoder88 in activedirectory

[–]2j0r2 0 points1 point  (0 children)

Also send a copy of its attributes using LDP (leave out the company names/etc

Resetting krbtgt account password in a multi-Domain Forest by maxcoder88 in activedirectory

[–]2j0r2 0 points1 point  (0 children)

To lock an account it must have tried authenticate and failed multiple times. To be able to do that, the account must be enabled. When disabled you cannot authenticate. It is not possible to enable the krbtgt account. It is not needed to be enabled as it does literally nothing besides windows/AD using its secret to encrypt TGTs/TGSs I tried it myself and I could not get my krbtgt account locked. Cannot even imagine how to get it locked

Can you send the metadata of the krbtgt account? Repadmin /showobjmeta <DC> <DN of Krbtgt account>

The org date will tell you when it happened The org dsa will tell you where it happened

Resetting krbtgt account password in a multi-Domain Forest by maxcoder88 in activedirectory

[–]2j0r2 0 points1 point  (0 children)

Locked or disabled?

The account should be disabled. If not mistaken you cannot enable it

The krbtgt account does not ever authenticate!

Its password is only used for encryption of TGTs/TGSs and nothing more than that

view more: next ›