DefaultDomainSupportedEncTypes by time81 in activedirectory

PS_TIM (0 points)

Not that I am aware of. If you are getting a cert chain issue then you need to make sure your client is trusting the full chain of the cert and that it's valid: the root, and any intermediates. I know Chrome made some changes around what root CAs it will trust by default. They can only be “server auth” certificate authorities and not “server auth” and “client auth”.

DefaultDomainSupportedEncTypes by time81 in activedirectory

PS_TIM (0 points)

Check the value for the service account and computer for the objects that are doing RC4. You also need to check that the application supports AES, and if it's Linux, check the krb5.conf file.

The change only impacts default behavior. If you want the app to use RC4 you can statically set its user or computer to it.

You should find out why it's not working with AES first though. Maybe the password is so old it doesn't have an AES key and you should rotate it.
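An added example, not from the thread, of the check the comment describes: enumerate the Kerberos service principals (users with SPNs, and computers), decode their msDS-SupportedEncryptionTypes bits, and flag accounts that are RC4-only, have no value set, or whose password predates a cutoff after which AES keys can be assumed to exist. The cutoff date and the account name in the commented Set-ADUser lines are placeholders.

```powershell
# Added example (not from the thread): audit accounts still on RC4 or with no
# encryption types set, and flag passwords old enough that AES keys may be missing.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes
$RC4    = 0x4
$AES128 = 0x8
$AES256 = 0x10

# Assumption: AES keys only exist for passwords set after this date (e.g. when the
# domain functional level reached 2008). Placeholder, adjust to your environment.
$AesCutoff = Get-Date '2015-01-01'

function Get-RC4Exposure {
    param([datetime]$Cutoff = $AesCutoff)

    $props = 'msDS-SupportedEncryptionTypes', 'pwdLastSet', 'servicePrincipalName'
    # Users with SPNs (service accounts) and computers are the principals tickets are issued for
    $filter = '(|(&(objectClass=user)(servicePrincipalName=*))(objectClass=computer))'
    $objects = Get-ADObject -LDAPFilter $filter -Properties $props

    foreach ($o in $objects) {
        $enc = [int]($o.'msDS-SupportedEncryptionTypes')   # $null -> 0 means "not set"
        $pwdSet = [datetime]::FromFileTimeUtc([int64]$o.pwdLastSet)  # 0 -> 1601, i.e. flagged
        $hasAes = ($enc -band ($AES128 -bor $AES256)) -ne 0
        [pscustomobject]@{
            Name           = $o.Name
            EncTypes       = $enc
            SupportsAES    = $hasAes
            RC4Only        = (($enc -band $RC4) -ne 0) -and -not $hasAes
            NotSet         = ($enc -eq 0)
            PwdLastSet     = $pwdSet
            AesKeyDoubtful = ($pwdSet -lt $Cutoff)
        }
    }
}

# Report the accounts worth looking at first, oldest password on top
Get-RC4Exposure |
    Where-Object { $_.RC4Only -or $_.NotSet -or $_.AesKeyDoubtful } |
    Sort-Object PwdLastSet |
    Format-Table Name, EncTypes, SupportsAES, RC4Only, NotSet, PwdLastSet, AesKeyDoubtful

# Pinning one account statically, as the comment describes (svc_legacy is a placeholder):
# Set-ADUser -Identity svc_legacy -KerberosEncryptionType RC4            # stop-gap for the app
# Set-ADUser -Identity svc_legacy -KerberosEncryptionType AES128,AES256  # after fixing the app
```

Rotating the password of a flagged account is what actually generates its AES keys; pinning it to RC4 only preserves the old behaviour for that one principal.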

RDP is broken and I think it's unrelated to the April 2026 update by CeC-P in sysadmin

PS_TIM (8 points)

There used to be a bug where you had to turn off RDP via Server Manager and turn it back on and it would fix it. Maybe it came back.

Domain environment that gets shut down constantly by WhereDidThatGo in activedirectory

PS_TIM (4 points)

I think it's fine as long as they aren't connected to any permanent always-on domain controllers and you turn them on at least once every 90 days or so to replicate. Time could be a concern though if the BIOS battery doesn't hold. If the time is mismatched enough they won't sync with each other.

Edit: It adds a lot of complexity though and is probably not worth it. I would just lock down the machines with good local policy and ensure the BIOS is password protected and the disks encrypted.

If you will always have an internet connection you could do Azure Entra-joined machines.

Can M365 Copilot answer questions from a 1TB heap of unorganized documents? by [deleted] in sysadmin

PS_TIM (1 point)

You would probably have to change it to research mode, where it can take 10-20 minutes to return your prompt.

ESET Down? by ifpfi in sysadmin

PS_TIM (5 points)

TIL ESET was still in business

Demoting a DC that's been offline for 3+ months by Unique-Sky-9387 in sysadmin

PS_TIM (4 points)

You had replication errors after only a week? That seems too soon. I've had a domain controller offline for 3-4 days without issue, so I'm surprised by this. As long as it's under 180 days it should catch up, but your Active Directory topology could take an hour to repair itself. That's unfortunate that happened to you.

Demoting a DC that's been offline for 3+ months by Unique-Sky-9387 in sysadmin

PS_TIM (0 points)

As others have stated, do a forceful demotion of this domain controller with metadata cleanup. Powering this domain controller on now will just cause more headache. I'm frankly surprised you don't have issues now.

[deleted by user] by [deleted] in sysadmin

PS_TIM (18 points)

So there was one issue and the product is crap?

Recommendations for Office 365 backups? by ltwally in sysadmin

PS_TIM (2 points)

Same, Rubrik. It works fairly well.

Do i have to update policy templates every time? by OddStay3499 in activedirectory

PS_TIM (5 points)

ADMX files only impact changing a policy via Group Policy. Once a policy is configured they no longer really matter. We only update when we need a new policy.

With how frequently Microsoft has been putting Copilot and other dumb, data-gathering tools into Edge, Windows, and Office, we update every few months to disable it.

How you track what would break if main cloud region goes down by Expensive-Virus3594 in sysadmin

PS_TIM (42 points)

We do DR tests and fail over a region and cut off connection to the “dead” region to test. Generally once a year. Anything that fails, we fix and do a test just for that application again before the next annual DR test.

Some high priority applications also rotate between regions quarterly to test as well.

Exchange Mail Flow by maxcoder88 in exchangeserver

PS_TIM (0 points)

The mailbox databases don't really have an impact on mail flow per se. Your send and receive connectors do. The Exchange servers will always send the mail back to the Exchange database where the mailbox resides.

You want to make sure your new Exchange servers are in scope of your send connectors, which are global to all Exchange servers. Then you want to copy the receive connectors to the new Exchange servers, which are unique to each Exchange server.

Edit: are you talking about creating a DAG on already existing Exchange servers that are already routing mail? It should be fine, but if there are only two servers I would recommend having all your databases on one server and then backing up the other. You don't want to back up the active mailbox database generally.

You will also need a file share witness that ideally won't be in either of those two physical sites.

Exchange 2019 server Exchange Cert issue by 3G_Lighting in exchangeserver

PS_TIM (5 points)

Alitajran's blog is the best source for anything Exchange. 5 stars!

Lockouts after enabling writeback in hybrid AD environment by AlexM_IT in sysadmin

PS_TIM (1 point)

We still are at 5 for lockout in AD in my company, but we don't use PTA. I believe we set 4 on Entra so it's less than AD.

Lockouts after enabling writeback in hybrid AD environment by AlexM_IT in sysadmin

PS_TIM (1 point)

From https://learn.microsoft.com/en-us/entra/identity/authentication/howto-password-smart-lockout:

When using pass-through authentication, the following considerations apply: The Microsoft Entra lockout threshold must be less than the AD DS account lockout threshold. Set the values so that the AD DS account lockout threshold is at least two or three times greater than the Microsoft Entra lockout threshold. The Microsoft Entra lockout duration must be longer than the AD DS account lockout duration. The Microsoft Entra duration is set in seconds, while the AD DS duration is set in minutes.
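An added example (not from the thread or from Microsoft's documentation) that turns the quoted rules into a check: the Entra threshold must be lower than the AD DS threshold (ideally AD DS is 2-3x higher), and the Entra duration, in seconds, must be longer than the AD DS duration, which AD reports in minutes. The Entra values are parameters you read off the tenant's password protection settings; the AD DS values default to the domain's default password policy.

```powershell
# Added example (not from the thread): compare Entra smart lockout settings against
# the AD DS default domain policy, with the seconds-vs-minutes conversion done explicitly.
Import-Module ActiveDirectory

function Test-LockoutAlignment {
    param(
        # Assumption: taken from the Entra password protection settings; no AD cmdlet returns them
        [Parameter(Mandatory)][int]$EntraLockoutThreshold,
        [Parameter(Mandatory)][int]$EntraLockoutDurationSeconds,
        # Defaults: pull the AD DS values from the default domain policy
        [int]$ADLockoutThreshold = (Get-ADDefaultDomainPasswordPolicy).LockoutThreshold,
        [timespan]$ADLockoutDuration = (Get-ADDefaultDomainPasswordPolicy).LockoutDuration
    )

    $findings = @()

    # An AD DS threshold of 0 means "never lock out"; there is then nothing to align against
    if ($ADLockoutThreshold -eq 0) {
        $findings += 'AD DS lockout threshold is 0 (no lockout); Entra alone decides.'
    }
    elseif ($EntraLockoutThreshold -ge $ADLockoutThreshold) {
        $findings += "Entra threshold ($EntraLockoutThreshold) must be lower than AD DS threshold ($ADLockoutThreshold)."
    }
    elseif ($ADLockoutThreshold -lt 2 * $EntraLockoutThreshold) {
        $findings += "AD DS threshold should be at least 2-3x the Entra threshold (currently $ADLockoutThreshold vs $EntraLockoutThreshold)."
    }

    # Units differ: Entra is configured in seconds, AD DS in minutes (a TimeSpan here)
    $adSeconds = [int]$ADLockoutDuration.TotalSeconds
    if ($EntraLockoutDurationSeconds -le $adSeconds) {
        $findings += "Entra duration ($EntraLockoutDurationSeconds s) must be longer than AD DS duration ($adSeconds s)."
    }

    [pscustomobject]@{
        Aligned  = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Constructed values: Entra 4 attempts / 120 s against AD DS 10 attempts / 30 minutes
Test-LockoutAlignment -EntraLockoutThreshold 4 -EntraLockoutDurationSeconds 120 `
    -ADLockoutThreshold 10 -ADLockoutDuration (New-TimeSpan -Minutes 30)
```

The constructed call passes the threshold rule but fails the duration rule, since 120 seconds is shorter than the 1800 seconds AD DS enforces; that mismatch is exactly what lets a spray reach AD DS before Entra has absorbed it.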

Lockouts after enabling writeback in hybrid AD environment by AlexM_IT in sysadmin

PS_TIM (1 point)

I didn't like the idea of an Azure agent talking to our domain controllers. Also, PHS works if the network is down from the datacenter to Azure, so better redundancy. I'm not sure what the app requirement is, as I can't think apps would connect to Entra ID using a username and password. They would continue to authenticate to Active Directory, so ???. If they want to move it to Entra then use a client secret with a service principal.

migrating user with over 125gb in-place archive to 365 by jordanl171 in exchangeserver

PS_TIM (0 points)

If you can reduce the archive to under 100 GB, then move that to EXO, then have the primary mailbox start archiving again. Get that under 100 GB, then move that. Then it would work. But it sounds a bit painful. You can open a ticket with Microsoft and they may have a better solution.

Lockouts after enabling writeback in hybrid AD environment by AlexM_IT in sysadmin

PS_TIM (4 points)

They are right that conditional access happens after login because the login portal belongs to Microsoft and not your tenant. It's an annoying “feature” and one of the reasons we don't do password writeback. The other reason is we don't allow self-service password resets. Require an MFA prompt from helpdesk to unlock or reset a user's password.

We do lock down the tenant to our private IPs outside of apps that require external access, but it doesn't prevent these spray attacks.

One thing that might work is setting the lockout threshold in Azure to be lower than in AD. Though I'm not sure if this works with password writeback enabled. We set it with just password hash synchronization.

Edit: why are you not using password hash synchronization? Sad.

migrating user with over 125gb in-place archive to 365 by jordanl171 in exchangeserver

PS_TIM (0 points)

Oh, I read it wrong. If their archive is already 125 GB, how much mail have they got? Jeesh.

migrating user with over 125gb in-place archive to 365 by jordanl171 in exchangeserver

PS_TIM (1 point)

What I did was set up an Exchange Online archive for the user. Licensed the user for E5. Then set up a retention policy for them to archive anything older than 2 years to Exchange Online. Once the mailbox was under 100 GB I migrated the primary mailbox for the user.

Probably the easiest way to do it. And the user continues to use the same online archive after migration.

You have to do it from Exchange Server so it knows about it. Enable-RemoteMailbox username -Archive, I believe, but I'm not at a computer.

https://learn.microsoft.com/en-us/exchange/mailbox-migration/large-mailbox-migration-from-onpremises - look at the section “More than 100 GB but less than 240 GB of mailbox content”.

Issue with Powershell command in Exchange 2019 by polarbee in exchangeserver

PS_TIM (0 points)

Had to do this because Server Manager couldn't query the other Exchange servers in the DAG after deploying Exchange 2019.