"Kerb3961", named after RFC3961, is a refactor of the Kerberos cryptography engine in its own library in Server 2025 and Win 11 24H2.
Great blog post by Will Aftring that will get you up to speed quickly: https://t.co/wnIaUCqo8Y
BadSuccessor is a new AD attack primitive that abuses dMSAs, allowing an attacker who can modify or create a dMSA to escalate privileges and take over the forest.
Check out @JimSycurity's latest blog post to understand how you can mitigate risk. https://t.co/6xyJ4ZsDrM
Useful post for anyone tasked with reviewing the Windows audit policy:
"A Data-Driven Approach to Windows Advanced Audit Policy – What to Enable and Why" by Nasreddine Bencherchali
https://t.co/JUCNaBJa6P
Microsoft have issued a 'consider disabling this service' recommendation which affects Active Directory:
"We're advising all enterprise customers who have deployed Windows Server OS (Windows Server 2016, Windows Server 2019, Windows Server 2022, and all intermediate releases therein) either as standalone machines or as part of ADDS to evaluate disabling the STS feature on those machines. This recommendation to disable STS applies even if you have never faced any prior issues with the STS feature."
https://t.co/NqyZFGXtAj
Here's a quirky (but sensible) one to be aware of for troubleshooting in-house apps that use AD:
With AD on Server 2025 the default is to only allow LDAP add, search, and modify operations that involve confidential attributes WHEN THE CONNECTION IS ENCRYPTED.
More changes here: https://t.co/F6kD4iOumZ
If you need to simulate the Windows domain controller locator API (DsGetDcName) on a client to see which DC they would be talking to, or which site they believe they are in, use nltest:
nltest /dsgetdc:yourdomain.local
We know that "ipconfig /displaydns" can be used to inspect the DNS cache on a Windows client.
It's especially useful for AD troubleshooting though. Example: we can understand why a client might still be talking to a DC that was moved to a new site.
You can see that this guy was looking for _ldap in Sydney but that server now resides in LA; the cached entry just hasn't expired.
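The locator and DNS-cache checks from the two posts above, combined into one client-side script. This is an added example, not code from the original posts; it assumes a domain-joined Windows client, uses the built-in Get-DnsClientCache and Resolve-DnsName cmdlets in place of reading ipconfig output by eye, and the domain name is a placeholder.

```powershell
# Added example (not from the original posts): client-side DC locator and DNS cache check.
# Assumes a domain-joined Windows client; 'yourdomain.local' is a placeholder.
param([string]$Domain = 'yourdomain.local')

# 1. Which DC does the locator hand back, and which site does this client think it is in?
nltest "/dsgetdc:$Domain"
nltest /dsgetsite

# 2. Cached _ldap SRV answers with remaining TTL. A stale entry here is the usual reason a
#    client keeps talking to a DC that has already been moved to another site.
Get-DnsClientCache |
    Where-Object { $_.Entry -like '_ldap._tcp.*' } |
    Select-Object Entry, RecordType, TimeToLive, Data |
    Format-Table -AutoSize

# 3. Compare with what DNS answers right now for the domain-wide DC SRV record.
Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$Domain" |
    Select-Object Name, NameTarget, Priority, Weight, Port, TTL |
    Format-Table -AutoSize

# 4. If the cache is stale, flush it (same effect as ipconfig /flushdns) and force the locator
#    to re-discover instead of using its cached DC:
# Clear-DnsClientCache
# nltest "/dsgetdc:$Domain" /force
```

Step 4 is commented out on purpose: run steps 1 to 3 first so the stale entry is recorded before it is cleared, otherwise the evidence for the site or DNS problem is gone.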
If you need to pinpoint which DC made the change to an AD object/attribute you can use:
repadmin /showobjmeta dcname objectDN
It's a handy place to start; then go inspect the event logs for that DC to get more detail on whatever you're trying to find out.
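The same two-step investigation (find the originating DC, then read its event log) in PowerShell. This is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module, that Directory Service Changes auditing (event ID 5136) is enabled with a SACL on the object, and that the object DN and attribute list are placeholders. The parsing of the originating-server identity assumes it is returned as the DN of the DC's NTDS Settings object.

```powershell
# Added example (not from the original post): originating DC for an attribute change, then the
# matching audit events on that DC. Object DN and attribute names below are placeholders.
Import-Module ActiveDirectory
$ObjectDN = 'CN=svc-backup,OU=Service Accounts,DC=yourdomain,DC=local'
$pdc      = (Get-ADDomain).PDCEmulator

# Replication metadata, one row per attribute, including which DC originated the last write.
# PowerShell equivalent of: repadmin /showobjmeta <dcname> <objectDN>
$meta = Get-ADReplicationAttributeMetadata -Object $ObjectDN -Server $pdc |
    Where-Object { $_.AttributeName -in 'member', 'userAccountControl', 'servicePrincipalName' } |
    Sort-Object LastOriginatingChangeTime -Descending
$meta | Select-Object AttributeName, Version, LastOriginatingChangeTime,
                      LastOriginatingChangeDirectoryServerIdentity | Format-Table -AutoSize

$latest = $meta | Select-Object -First 1
# Assumption: the identity is the NTDS Settings DN, e.g. CN=NTDS Settings,CN=DC01,CN=Servers,...
# so the DC name is the second RDN. A demoted DC may show up as a GUID instead; stop if so.
$originDc = (($latest.LastOriginatingChangeDirectoryServerIdentity -split ',')[1] -replace '^CN=', '')
if (-not $originDc -or $originDc -match '^[0-9a-f-]{36}$') {
    Write-Warning "Originating DC is no longer resolvable: $($latest.LastOriginatingChangeDirectoryServerIdentity)"
    return
}

# Pull 5136 (directory service object modified) events from that DC around the change time.
$when = $latest.LastOriginatingChangeTime
Get-WinEvent -ComputerName $originDc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 5136
    StartTime = $when.AddMinutes(-5)
    EndTime   = $when.AddMinutes(5)
} | Where-Object { $_.Message -like "*$ObjectDN*" } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

The five-minute window is an assumption; widen it if the DC's clock and the replication timestamp are known to drift. If the query returns nothing, check that the object actually carries a SACL for the attributes of interest, since 5136 is only written when one is in place.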
AD uses "res" (reserved space) files: edbres00001.jrs & edbres00002.jrs to deliberately take space on the disk in case it unexpectedly fills up. AD can delete the res files in an emergency, free the little bit of space and safely commit transactions in flight to disk.
An interesting approach a customer showed me was to take that further, manually, on all servers. Keep a 1GB file on the disk for a similar unlikely emergency; remove it if you miss (ignore) whatever alerting you have going off and then fix the problem whichever way you see fit.
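A quick health check for the reserve files and the headroom on the NTDS volume, as an added example that is not from the original posts. It assumes the reserve .jrs files sit in the database log directory recorded under the NTDS Parameters registry key, and the 5 GB low-space threshold and the placeholder file name are assumptions.

```powershell
# Added example (not from the original posts): confirm the ESE reserve files exist and report
# free space on the NTDS log and database volumes. Run on a domain controller as an admin.
$params  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$logPath = $params.'Database log files path'
$dbDir   = Split-Path $params.'DSA Database file' -Parent

# Assumption: edbres00001.jrs / edbres00002.jrs live beside the transaction logs.
$reserve = Get-ChildItem -Path $logPath -Filter 'edbres*.jrs' -ErrorAction SilentlyContinue
if (-not $reserve) { Write-Warning "No reserve (.jrs) files found in $logPath" }
$reserve | Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize

# Free space on each volume that holds the logs or the database (often the same one).
foreach ($p in @($logPath, $dbDir) | Select-Object -Unique) {
    $driveName = ([System.IO.Path]::GetPathRoot($p)).TrimEnd(':\')
    $drive     = Get-PSDrive -Name $driveName
    $freeGB    = [math]::Round($drive.Free / 1GB, 2)
    [pscustomobject]@{
        Path     = $p
        FreeGB   = $freeGB
        LowSpace = ($freeGB -lt 5)   # 5 GB warning threshold is an assumption; tune to your alerting
    }
}

# The manual variant from the post: a 1 GB placeholder you delete when the alert finally fires.
# Create it once with (placeholder name):
#   fsutil file createnew "$logPath\placeholder_1GB.bin" 1073741824
```

Deleting the placeholder buys time, not a fix: the reserve files and the placeholder only cover transactions already in flight, so the alert on LowSpace still needs to reach someone.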
OPINION + METHODS: ACTIVE DIRECTORY MIGRATION+ CHECKLISTS! ON PAPER!
Prepping for a cut-over is never complete ... at least it seems that way.
We have extensive migration checklists that we've built since my BackOffice Small Business Server (NT 4/4.5) days.
Yeah, things have changed, but keeping meticulous change logs/notes is particularly important to a 100% successful migration so we continue to do so.
Our checklists and their notes get scanned into a PDF file with an OCR process to make sure they are searchable.
The checklist forms are built with Excel and reside in SharePoint with versioning enabled plus a required check-out and then check-in. Our SharePoint instance has been configured to search inside .PDF files.
The migration processes are mostly in PowerShell. We use VS Code to manage that repository along with Git on-premises to keep track.
How we set up VS Code and Git:
https://t.co/k5LlR0TsKA
Once our client has signed-off on the work completed they get a copy of the scanned notes so that they can see our process steps as completed. Yes, they are legible. ;-)
We tried using OneNote on a Surface Pro for keeping our checklists and writing digitized notes. But, in the end, paper, pens, and pencils are always there. Plus, once scanned, the notes are permanent.
Our checklists cover:
* ADDS, DNS, DHCP, DFS-N
* Exchange
* SQL
* SharePoint
* LoBs - Apps/File/Print
* Remote Desktop Services - All Roles + UPDs
** GPO RSS Publishing
And so much more. :-)
My Small Business Server experience is absolutely priceless. :-D
Have a great weekend everyone!
Acronyms
* ADDS = Active Directory Domain Services
* DNS = Domain Name System
* DHCP = Dynamic Host Configuration Protocol
* GPO = Group Policy Object
* UPD = Remote Desktop User Profile Disk
* LoB = Line of Business (apps/services)
* OCR = Optical Character Recognition
The "Branch Office Deployment Guide" was gold for learning Active Directory.
Step by Step docs to build a complex lab and replication topology including things that you might not see in many AD environments.
It's gone now. But there is a backup here: https://t.co/mU3uhCoxhl
Here is a new custom administrative template (ADMX) for editing and auditing Microsoft Defender Attack Surface Reduction (ASR) policies, without being exposed to the rule GUIDs.
https://t.co/3FQIYvjh4s
Together with @pavelfor, we have created the ultimate guide and tooling for configuring host-based firewalls on #ActiveDirectory domain controllers in enterprise environments. Blocks most remote command execution and authentication coercion techniques.
https://t.co/85V30HTlMB