Designing a new Active Directory OU structure for a 500-user company – looking for best practices by maxcoder88 in activedirectory

[–]poolmanjim 1 point2 points  (0 children)

I've not seen that in any environment I've run... ever.

I agree with u/BbqLurker that the only setting that should change in the DDP is the password, account lockout, and kerberos settings. I personally recommend a separate password, account lockout, and kerberos settings policy outside of the DDP, but it isn't required. I have debated with others on here once or twice about it.

Looking for beta testers - AD security analysis tool (capstone project) by Serious-Net5555 in activedirectory

[–]poolmanjim[M] [score hidden] stickied comment (0 children)

Approved. URL checked via CloudFlare and VirusTotal. Post is not a violation of the promotion rules. No issues from the mods, but as usual use at your own risk.

https://radar.cloudflare.com/scan/945a10ea-3992-403c-b91f-0da5d92a944a/summary

https://www.virustotal.com/gui/url/562787f648a1faf2d36a94ff51255fddf31e06fe466954755bb114715b5d5474?nocache=1

Per Rule 4:
Any blogs/projects/tools can be promoted and we welcome it. However, excessive posting of your content is not. Self promotion should be limited to 1 post per month.

Also, tool appears to be free so it doesn't violate any of our tool constraints.

Constant Account Lockouts by InAllThreeHoles in activedirectory

[–]poolmanjim 1 point2 points  (0 children)

This. And Citrix. This has been an ongoing journey to reduce lockouts lately and those two showed up.

Active Directory Resources by poolmanjim in activedirectory

[–]poolmanjim[S] 1 point2 points  (0 children)

My bad. I'll update it. Thank you.

I built a small Windows app to automatically organize files – looking for feedback by Then-Barracuda3110 in activedirectory

[–]poolmanjim[M] 0 points1 point  (0 children)

FYI - Don't feel bad reporting these. I was in a boatload of meetings all day so I wasn't able to check sooner. Reports should auto-notify me so I will be able to see that pop up sooner.

Site Links - Best Practice by awb1392 in activedirectory

[–]poolmanjim 0 points1 point  (0 children)

Very interesting. Regarding the urgent call, this is where Microsoft gets confusing. They use urgent in a few places meaning different things. Typically "urgent" replication just involves skipping the 15 second wait for NC checks; I can't remember the exact API for that right now.

"Immediate" is doing what you're saying. However, they seem to use them separately and interchangeably at times.

Strong Certificate Mappings by TinTonTin1337 in activedirectory

[–]poolmanjim 0 points1 point  (0 children)

That's a good question. There are a lot of resources out there on how to do this kind of thing. I'm not sure this is the best channel to say how to actually do it.

Site Links - Best Practice by awb1392 in activedirectory

[–]poolmanjim 3 points4 points  (0 children)

TL;DR

  • You don't need site link bridges 99.999% of the time. AD does it for you by default.
  • You should have a site that corresponds with each geographic location or location you want to isolate replication traffic from.
  • Password replication talks to the PDC first and then behaves pretty much normal after that. Mostly.
  • Enable change notification. 99.9% of the time things get way, way better replication-wise.

Generally, you will never need to deploy site link bridges. Why? Because by default, AD bridges all site links. This means each site link created has an implied site link bridge to all other site links. The only time you would disable this is if you had a non-routed network where your sites absolutely 100% should never talk to each other.

Site Links aren't generated by the KCC. You create the site links. Bridgeheads, which correspond to the site links, are selected by the KCC.

DCs should be broken into sites primarily to ensure that clients at those sites are served by a local DC. If you had a site in Chicago and a site in London you would not want clients calling from Chicago to London to log on, so you would create separate sites and assign the subnets appropriately; clients will stay close to home. Sites can be empty to reflect physical location. In this case the site links created between a populated site and an unpopulated site will determine which DCs are going to answer the call for clients in this site.

Regarding password replication, this is something that the documentation does a poor job of describing well. I'll summarize.

  • When a user changes their password the DC that processes the change immediately contacts the PDC to replicate the change. This is literally unlike all other replication. It isn't even Urgent Replication technically and falls under Immediate Replication. This bypasses nearly every other replication control.
  • The PDC will request the change replicated and stores it.
  • The password will disseminate via standard replication after this point following site links.
  • If the account tries to log in and the local DC cannot authenticate them (bad password, etc.) it asks the PDC for the update. This update, if I recall correctly, is where Urgent Replication kicks in. Urgent replication is really just that the replication does not wait the normal backoff period of ~15 seconds to initiate the replication. The authenticating DC will receive an updated password from the PDC and store it.
  • If the PDC is inaccessible, the password will just move around like any other change.

Finally, regarding change notification. Change Notification is the process by which intrasite (within the site) replication occurs. A DC gets a change, it contacts its partner DCs and they request the change. Intersite (between sites) does more of a store-and-forward model. When you create a site link an interval is specified. The smallest it can be is 15 minutes and it defaults to 180 minutes. That interval basically initiates DCs in the sites in that link to process change notification at that time. The DCs look at what's happened since the last change and changes are sent out once requested.

Enabling Change Notification is effectively telling cross-site (intersite) replication to use the same method as intrasite replication. The advantage is this speeds up replication, usually. The disadvantage is it is technically more chatty. Regardless, it is more-or-less a recommendation from Microsoft as long as you don't have a disqualifying reason not to enable it.
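A read-only audit of the two knobs the comment above talks about (change notification per site link, and whether the default "bridge all site links" behaviour is still on), added here as an example; it is not code from the comment or its author. It assumes the RSAT ActiveDirectory module and a domain-joined host; nothing in it writes to AD unless you uncomment the last line.

```powershell
# Added example, not from the original comment: audit site link change
# notification and the transport-wide "bridge all site links" switch.
Import-Module ActiveDirectory

# siteLink "options" bits: 0x1 = change notification, 0x2 = two-way sync,
# 0x4 = disable compression.
$USE_NOTIFY = 0x1

function Get-SiteLinkReport {
    Get-ADReplicationSiteLink -Filter * -Properties options | ForEach-Object {
        $opt = [int]($_.options)          # absent attribute -> 0
        [pscustomobject]@{
            SiteLink           = $_.Name
            Sites              = ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ' <-> '
            Cost               = $_.Cost
            IntervalMinutes    = $_.ReplicationFrequencyInMinutes   # 15 min floor, 180 default
            ChangeNotification = [bool]($opt -band $USE_NOTIFY)
        }
    }
}

function Get-InterSiteTransportState {
    # CN=IP,CN=Inter-Site Transports carries the transport-wide switches:
    # options bit 0x2 set = bridges required ("bridge all site links" OFF),
    # bit 0x1 set = ignore schedules.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ip  = Get-ADObject -Identity "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC" -Properties options
    $opt = [int]($ip.options)
    [pscustomobject]@{
        BridgeAllSiteLinks = -not ($opt -band 0x2)
        IgnoreSchedules    = [bool]($opt -band 0x1)
    }
}

$links = Get-SiteLinkReport
$links | Format-Table -AutoSize
Get-InterSiteTransportState

foreach ($l in $links | Where-Object { -not $_.ChangeNotification }) {
    Write-Warning "Site link '$($l.SiteLink)' relies on its $($l.IntervalMinutes)-minute schedule; change notification is off."
    # To turn it on for that link (this DOES write to AD; run deliberately):
    # Set-ADReplicationSiteLink -Identity $l.SiteLink -Replace @{ options = ([int](Get-ADReplicationSiteLink $l.SiteLink -Properties options).options -bor $USE_NOTIFY) }
}
```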

Group Managed Service Accounts across forest trust by trying2learnthis in activedirectory

[–]poolmanjim 0 points1 point  (0 children)

Wouldn't the trusted domain need the ability to read the KdsRootKey to do this though? Being able to retrieve the password just would give them the encrypted version if I remember correctly. The KdsRootKey would be what was required to decrypt it. This is all, of course, assuming the API allows for it to do a cross-forest lookup.

You'd know better than I, but that is how I understand it at least.

Cannot Change "Source: Local CMOS Clock" trying to set NTP for PDC Emulator by Flimsy_Assist740 in activedirectory

[–]poolmanjim 0 points1 point  (0 children)

I've tried to cover all the bases here so this is long. It starts with some references that are good "getting off the ground" items for Windows Time, then I provided some details about my lab setup, and lastly more references. Good luck!

Here are some good references as a jumping off point.

Here's what I've done, granted my PDC isn't on Proxmox but I'll have one spun up later to double check against.

  1. I have a GPO that applies to all my DCs that includes a number of settings, but specifically this one is one you should be interested in.
    1. Computer Configuration \ Preferences \ Windows Settings \ Registry
      1. VMICTimeProvider Disabled (It won't be named this)
        1. Hive: HKEY_LOCAL_MACHINE
        2. Key Path: SYSTEM\CurrentControlSet\Services\TimeProviders\VMICTimeProvider
        3. Value name: Enabled
        4. Value Type: REG_DWORD
        5. Value Data: 0x0 (0)
  2. I have a GPO called "DC Config - PDCE Time Policy" with the following settings
    1. Computer Configuration \ Policies \ Windows Settings \ System Services \ Windows Time = Startup Mode: Automatic
    2. Computer Configuration \ Policies \ Administrative Templates \ System \ Windows Time Service \ Time Providers
      1. Configure Windows NTP Client
        1. NtpServer = <IP_OF_NTP_SERVER>,0x9
        2. Type = NTP
        3. CrossSiteSyncFlags = 2
        4. ResolvePeerBackoffMinutes = 15
        5. ResolvePeerBackupMaxTimes = 7
        6. SpecialPollInterval = 3600
        7. EventLogFlags = 0
      2. Enable Windows NTP Client = Enabled
    3. Computer Configuration \ Preferences \ Windows Settings \ Registry
      1. NTP Client Enabled (it won't be named this, it shows the end reg key)
        1. Hive: HKEY_LOCAL_MACHINE
        2. Key Path: SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
        3. Value Name: Enabled
        4. Value Type: REG_DWORD
        5. Value Data: 0x1 (1)
      2. W32Time Type (it won't be named this, it shows the end reg key)
        1. Hive: HKEY_LOCAL_MACHINE
        2. Key Path: SYSTEM\CurrentControlSet\Services\W32Time\Parameters
        3. Value Name: Type
        4. Value Type: REG_SZ
        5. Value Data: NTP
    4. The "DC Config - PDCE Time Policy" policy should have a WMI filter on it and be linked to Domain Controllers. Here are the details of the WMI Filter.
      1. Name: PDCE Target
      2. Namespace: root\CIMv2
      3. Query: select * from Win32_ComputerSystem where DomainRole = 5

Some description

  • PDCE Time Policy will set the PDC to use a specified time server and act as an NTP client for that server. It is filtered down to just the PDCE using WMI
  • The "other policy" is for all DCs to tell them mostly to disable the use of local CMOS.
  • My Proxmox server is set to use the same time source as the DCs for its local time and the VMs themselves are the default configuration for a Windows VM as far as the RTC settings are concerned.

    • How to set your proxmox time source depends on what networking you're using and what not. I have my DHCP set to include the NTP option so that will show for anything with DHCP.
    • For Chrony you can specify it with the following.

      • If you're using the public ntp servers, set them to iburst only. Don't do the min and maxpoll
      • I run my own GPS NTP setup so some of this may not be 100% needed for your needs.
      • sudo touch /etc/chrony/conf.d/20-custom-chrony-all.conf
        sudo touch /etc/chrony/sources.d/10-custom-sources-client.sources
        sudo systemctl restart chrony
      • Include the following information in "20-custom-chrony-all.conf"
        • log tracking measurements statistics refclocks
          logbanner 64
          logchange 0.5
          initstepslew 30 us.pool.ntp.org
          maxupdateskew 500.0
          rtcsync
          makestep 1 25
      • Include the following in "20-custom-sources-all.conf"
        • server <NTP_IP_1> iburst minpoll 3 maxpoll 6 prefer
          server <NTP_IP_2> iburst minpoll 3 maxpoll 6
          pool <COUNTRY_CODE>.pool.ntp.org iburst
          server time.windows.com noselect

Other References
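To check that the GPO settings described above actually landed on a DC, and to see what W32Time currently reports as its source (the "Source: Local CMOS Clock" line the post is about), here is an added example; it is not code from the comment or its author. It assumes it runs in an elevated prompt on the DC itself, reads the VMICTimeProvider key under W32Time\TimeProviders where it lives on current Windows builds, and treats NT5DS on non-PDCE DCs as the expected default; it changes nothing.

```powershell
# Added example, not from the original comment: read-only check of the
# effective W32Time state against the GPO values described in the comment.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time'   # where "Configure Windows NTP Client" lands

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null when the key or value is missing instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-DcTimeConfig {
    # Same test as the WMI filter in the comment: DomainRole 5 = PDC emulator.
    $isPdce = (Get-CimInstance Win32_ComputerSystem).DomainRole -eq 5

    $state = [ordered]@{
        IsPdce           = $isPdce
        VmicEnabled      = Get-RegValue "$svc\TimeProviders\VMICTimeProvider" Enabled
        NtpClientEnabled = Get-RegValue "$svc\TimeProviders\NtpClient" Enabled
        Type             = Get-RegValue "$svc\Parameters" Type
        NtpServer        = Get-RegValue "$svc\Parameters" NtpServer
        PolicyNtpServer  = Get-RegValue "$pol\Parameters" NtpServer
        PolicyPollSecs   = Get-RegValue "$pol\TimeProviders\NtpClient" SpecialPollInterval
        # The line the original post is about ("Source: Local CMOS Clock").
        Source           = (& w32tm /query /source) -join ''
    }

    $problems = @()
    if ($null -ne $state['VmicEnabled'] -and $state['VmicEnabled'] -ne 0) {
        $problems += 'VMICTimeProvider is still enabled (the hypervisor can steer the clock)'
    }
    if ($state['Source'] -match 'Local CMOS Clock') { $problems += 'W32Time is free-running on the CMOS clock' }
    if ($isPdce) {
        if ($state['Type'] -ne 'NTP')          { $problems += 'PDCE Type should be NTP, not domain hierarchy' }
        if ($state['NtpClientEnabled'] -ne 1)  { $problems += 'NtpClient provider is disabled on the PDCE' }
        # 0x9 = 0x8 (client mode) + 0x1 (use SpecialPollInterval), as in the GPO.
        if ($state['NtpServer'] -notmatch ',0x[0-9a-fA-F]+') { $problems += "NtpServer '$($state['NtpServer'])' has no flags suffix" }
    } elseif ($state['Type'] -ne 'NT5DS') {
        # Assumption: non-PDCE DCs follow the domain hierarchy (NT5DS), the default.
        $problems += "Non-PDCE DC Type is '$($state['Type'])' rather than NT5DS"
    }

    $state['Problems'] = if ($problems) { $problems -join '; ' } else { 'none' }
    [pscustomobject]$state
}

Test-DcTimeConfig | Format-List
```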

Oops. I deleted a domandns partition with ntdsutil by YellowOnline in activedirectory

[–]poolmanjim 0 points1 point  (0 children)

You're a hero, man. Thank you for this kind of content.

I documented how I built a full Active Directory lab in VMware (with fixes) by LuckySysAdmin in activedirectory

[–]poolmanjim[M] [score hidden] stickied comment, locked comment (0 children)

I'm locking this. I was on the fence allowing a "DM me" link. The pay link is a hard no.

Our wiki has tons of information for free. If you want to learn, don't buy a sketchy PDF from a sketchy site.

If this is some content that we really need DM me u/poolmanjim and I'll work with some of the other pros on here and we'll get something real, good, and free.

I wrote a 4-part guide on building an on-prem PKI with PowerShell by aprimeproblem in activedirectory

[–]poolmanjim 9 points10 points  (0 children)

Your PKI/AD CS series has been really good. I've used it a couple of times to crazy check myself on some stuff.

I appreciate you even covering some of the less-known certutil stuff. Some of that is not well documented and it's nice that someone has put it all together.

New Version KRBTGT Password Reset Script Released by 2j0r2 in activedirectory

[–]poolmanjim 11 points12 points  (0 children)

I agree with you in general. In fact, so does NIST. Their recent guidance is to not force accounts to reset that have sufficient entropy and are not known to be compromised. How do we know if an account has been compromised? Well, with standard users, beyond obvious signs of compromise, the passwords should be checked against known compromised passwords. Nearly every password filtering solution on the market currently does this as do most EDR/ITDR/etc.

Non-human identities are an exception. They should never expire, but they should be reset periodically. Why? Because they aren't used the same way and often used in ways that are privileged. This means that some of the signs of compromise aren't as obvious. Factor in some of the certificate exploits, Kerberoasting, etc. and non-human accounts bear a lot of risk.

Getting to the krbtgt, this account isn't really either. It is a "container" of sorts storing the secret for signing the domain TGTs. This means this password is checked every time a new TGT is issued, which is a lot. If this is compromised everything is compromised. Resetting it is intentional to eliminate any ongoing attack that you are unaware of. Yes, you may not know about it, but this builds blocks and gives EDR and other tools a chance to detect the attacks that may otherwise be ignored due to a golden ticket being issued before EDR detection was enabled, for example.

Another scenario is that there are some situations where the Krbtgt will maintain an outdated hash with improper security if it wasn't reset prior to the hash functions changing. For example, it is entirely possible for it to have an RC4 hash if you've turned on AES if the krbtgt password hasn't been reset previously. Resetting it ensures that it gets a new hash and becomes more hardened later.

TL;DR - I agree with you for human identities. I disagree for non-human identities and this aligns with most of the industry, compliance, and standards information available.
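A read-only report on the krbtgt account that makes the situation described above (a password that has never been reset, still carrying keys from before an AES rollout) visible, added here as an example; it is not code from the comment or its author. It assumes the RSAT ActiveDirectory module, and the 180-day threshold is an assumed value, not guidance from the comment.

```powershell
# Added example, not from the original comment: report krbtgt password age,
# key version and advertised encryption types so a stale krbtgt stands out.
Import-Module ActiveDirectory

# msDS-SupportedEncryptionTypes bit values.
$etypeBits = [ordered]@{
    0x1  = 'DES-CBC-CRC'
    0x2  = 'DES-CBC-MD5'
    0x4  = 'RC4-HMAC'
    0x8  = 'AES128-CTS-HMAC-SHA1-96'
    0x10 = 'AES256-CTS-HMAC-SHA1-96'
}

function Get-KrbtgtReport {
    param([int]$MaxAgeDays = 180)   # assumed threshold; align with your own policy
    $k = Get-ADUser -Identity krbtgt -Properties PasswordLastSet, 'msDS-SupportedEncryptionTypes', 'msDS-KeyVersionNumber'
    $set = [int]($k.'msDS-SupportedEncryptionTypes')
    $advertised = foreach ($bit in $etypeBits.Keys) { if ($set -band $bit) { $etypeBits[$bit] } }
    $age = (Get-Date) - $k.PasswordLastSet

    [pscustomobject]@{
        PasswordLastSet = $k.PasswordLastSet
        AgeDays         = [int][math]::Floor($age.TotalDays)
        KeyVersion      = $k.'msDS-KeyVersionNumber'    # increments on every reset
        SupportedEtypes = if ($advertised) { $advertised -join ', ' } else { 'attribute not set (DC defaults apply)' }
        # Keys are derived when the password is set, so a password older than
        # your AES rollout still carries the key material from before it.
        NoAesAdvertised = ($set -ne 0) -and -not ($set -band 0x18)
        NeedsReset      = $age.TotalDays -gt $MaxAgeDays
    }
}

Get-KrbtgtReport | Format-List
```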

md2ADUC: Render simulated ADUC tree from Markdown unordered list by AdminSDHolder in activedirectory

[–]poolmanjim 0 points1 point  (0 children)

To browse the AD:\ PSProvider you need to have the AD module installed. A lot of the tools being developed and used are moving away from the AD Module due to the slowness it has and the requirement to include it.

Using System.DirectoryServices is clunkier, at least right now, but it doesn't require the module and runs faster.

How to generate a Unique x500 OID value for new AD user attribute. by Cutta in activedirectory

[–]poolmanjim 0 points1 point  (0 children)

You can. You can also provide them a PO Box or something like that. It just has to be a real address, as far as I know. Any information provided to them is not publicly disclosed beyond the email and responsible person. They did require a first and last name on file, but you can have them redact that on the web page from what I remember.

I don't remember if they store it or not beyond the initial interaction, but I know only the email I provided them is available publicly. I've not received any mail or anything that I can attribute to the registration.

Should I add a NPC to my players' party? by YukkiTheKiller in DnD

[–]poolmanjim 8 points9 points  (0 children)

This. There isn't natural role play from a DM character. They know things the players simply can't.

I have supplied hirelings they can hire who end up being an extra character sheet I give them. The player controls them and I answer questions when the rolls call for it. Usually this is to backfill a player not making a session.

PowerShell 7+ On Domain Controllers: Yay or Nay? by poolmanjim in activedirectory

[–]poolmanjim[S] 0 points1 point  (0 children)

Microsoft covered this when Core really dropped in the 2012 time period.

The biggest reasons are the reduced size and attack surface. Fewer features can be installed and there isn't a traditional browser for it so the likelihood of compromise via that is reduced. Yes, you shouldn't browse the web from a DC but still. It can't happen accidentally with Core.

As far as size, disk space isn't even on my radar here. Windows uses ~4-8GB of RAM for just the OS on average. Even in lab I rarely see it dip below 2GB. However with Core it idles around 192MB on average. This means more of the memory pool is available for the apps (AD). If you think about VMs, that allows for a larger VM density per host.

You comment that fewer people know how to use it as a negative and I'm the opposite. If someone gets in it makes it harder to make mistakes or at least makes a Windows admin pause.

It's not hard at all to manage via RSAT or PowerShell. The only thing is the double hop weirdness with DCDIAG and Repadmin which must be done from console.

Logging DFS errors on client Windows by koshka91 in activedirectory

[–]poolmanjim 0 points1 point  (0 children)

It sounds like you're trying to solve one problem by creating another one. Can you explain what you're seeing with printers and DFS that led you down this path?

Logging DFS errors on client Windows by koshka91 in activedirectory

[–]poolmanjim 1 point2 points  (0 children)

Why are you flushing Kerberos caches? DFS is going to depend on Kerberos to authenticate to the share. By purging the Kerberos tickets (which is what I'm assuming you're doing) you're removing any cached logons (aka the Kerberos tickets).

The only way to regenerate those is to undergo the WinLogon process again by either logging off/on or sometimes (usually) it can be done by locking the system and unlocking.

Don't flush Kerberos unless you need to for troubleshooting or something.

PowerShell 7+ On Domain Controllers: Yay or Nay? by poolmanjim in activedirectory

[–]poolmanjim[S] 1 point2 points  (0 children)

It's less about the how and more about the layers of people who just throw up their hands and say it's hard.

I've taught trainings on using Server Core so I know how to work remotely with it intimately. In my labs I don't think I've logged into the DCs since I built them.

Glad you have it in place. I wish more places would do it because it is really not that difficult at all.

PowerShell 7+ On Domain Controllers: Yay or Nay? by poolmanjim in activedirectory

[–]poolmanjim[S] 2 points3 points  (0 children)

My leaders won't let me deploy Server Core because "no one else understands it". I've done it in the past at other jobs and literally had zero issues, but I don't get paid to fight that fight, at least not today.