Updates from October, 2015

  • markparris 11:58 pm on October 16, 2015 Permalink | Reply
    Tags: Hybrid Identity

    RIP – MVP: Directory Services 

    Last week Microsoft announced some radical changes to the Microsoft MVP program

    Steve Guggenheimer: Moving into the next generation of the Microsoft MVP Award
    MVP Website: Award Update – Oct 2015

    In summary (there are a few exceptions), MVPs have been categorised under one of ten new headings. Directory Services now comes under the categorisation of Enterprise Mobility, therefore I am now an MVP for Enterprise Mobility.

    My initial thought was: Enterprise Mobility? I don’t do telephony.

    I soon realised Microsoft’s logic in their categorisations. Enterprise mobility is not all about mobile telephones and the utilisation of various parts of the radio spectrum; it is in fact about being able to access your enterprise from anywhere and on any device, and identity is a key component of Microsoft’s enterprise mobility strategy.

    In an on-premises world the de facto enterprise identity solution is Active Directory (Directory Services) and in the Microsoft cloud it is Microsoft Azure Active Directory. The term hybrid identity is the fusing of the two methods of identity together to create a seamless identity solution be it on-premises or in the cloud.

    As I delve into the deeper corners of Microsoft identity, I will share my story on this blog, and unlike the 15-year-old teenager that is Active Directory, not everything that can be written about Azure Active Directory and Hybrid Identity has been written yet.

  • markparris 5:04 pm on July 3, 2015 Permalink | Reply

    Directory Services: MVP Renewed. 

    I am once again honoured to be a recipient of the Microsoft MVP award for Directory Services.

    Since first becoming an MVP in 2009, the Directory Services designation has evolved to cover many complementary technologies and solutions in both on-premises and cloud solutions, from traditional Active Directory to Azure Active Directory. Microsoft’s rate of innovation and change within the Azure space alone is phenomenal and shows no sign of abating, and whilst these new technologies are exciting they have to be learnt and understood in order to implement and support their adoption.

    The book I am currently reading, “Rookie Smarts” by Liz Wiseman, highlights an interesting piece of research analysis; in the book Liz states that:

    “Knowledge decay in the 1970s was 10% per annum” but “In 2005 it was estimated that knowledge becomes obsolete at 15% per year, but in high tech this is as much as 30%. If information doubles every 9 months and decays at 30% a year; within 5 years, only 15% of your knowledge will be relevant”.

    If I want to keep being awarded the MVP designation, it’s obvious (well to me anyway) that I need to keep up with the technology (as well as supporting the community), else my skills will soon be as relevant as my MCSE in NT 3.51.

  • markparris 5:02 pm on March 30, 2015 Permalink | Reply

    The hidden benefit of hacking your own Active Directory? 

    This summary stems from a brief conversation within a peer circle. A parallax perspective on the issue of passwords. 

    Most IT organisations have an IT security policy which defines the required password parameters for the organisation. Active Directory provides a method to enforce those password parameters, from their complexity and length to the frequency with which they must be changed.

    Once a company’s password policy is understood and the required parameters are known, bad practice can set in internally, and this is not necessarily limited to the end users; IT can equally be at fault. For example, the service desk may create all new user or service accounts with the same common password, such as Password1234$$ or Welcome2015!

    So what has this got to do with hacking your own Active Directory? 

    Using one of the numerous Active Directory password cracking tools on the internet, you can analyse the passwords stored in Active Directory (cracking the easy ones) and produce a list of the most common passwords.

    These common passwords can then be cross-referenced to their owners and, with a little bit of mathematics, it is possible to deduce that perhaps with 10 passwords, 70% of all systems can be accessed. Not only is this a rather frightening metric, but it is reality and one attack vector for anyone with access to a domain controller.

    This is not a simple problem to fix with the current architecture of Active Directory, but with small process changes and education around the use of common passwords, the percentage of systems that could be accessed or compromised may be reduced.
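    To show how the “10 passwords, 70% of systems” metric is arrived at, here is an added Python example (not from the original post). It takes the outcome of an authorised password audit, constructed here as an invented dictionary of account names and the password the audit recovered for each (None where the password held up), counts how many accounts share each password, and reports how many distinct passwords cover a given fraction of accounts and which accounts to remediate first. Every account name and password value is constructed for the example.

```python
from collections import Counter

# Constructed sample: one entry per account, mapping to the password an
# authorised audit recovered, or None if the password was not recovered.
# All names and values here are invented for this example.
AUDIT_RESULT = {
    "svc-backup": "Password1234$$",
    "svc-sql": "Password1234$$",
    "svc-web": "Password1234$$",
    "new-user-01": "Password1234$$",
    "new-user-02": "Password1234$$",
    "new-user-03": "Password1234$$",
    "jsmith": "Welcome2015!",
    "abrown": "Welcome2015!",
    "cjones": "Welcome2015!",
    "dwhite": "Welcome2015!",
    "egreen": "Welcome2015!",
    "fblack": "Summer2015!",
    "ggrey": "Summer2015!",
    "hblue": "Summer2015!",
    "ired": "correct-horse-battery",
    "jpink": "Tr0ub4dor&3",
    "admin-k": None,
    "admin-l": None,
    "admin-m": None,
    "admin-n": None,
}


def password_frequency(audit):
    """Count how many accounts share each recovered password."""
    return Counter(p for p in audit.values() if p is not None)


def coverage(audit, n):
    """Fraction of all accounts opened by the n most common recovered passwords."""
    top = password_frequency(audit).most_common(n)
    opened = sum(count for _, count in top)
    return opened / len(audit)


def passwords_needed(audit, target):
    """Smallest number of distinct passwords that open at least `target`
    (a fraction, e.g. 0.7) of all accounts; None if the audit cannot reach it."""
    total = len(audit)
    opened = 0
    for n, (_, count) in enumerate(password_frequency(audit).most_common(), start=1):
        opened += count
        if opened / total >= target:
            return n
    return None


def accounts_sharing(audit, password):
    """Accounts that share a given password: the remediation list for that password."""
    return sorted(acct for acct, pwd in audit.items() if pwd == password)


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(f"top {n} password(s) cover {coverage(AUDIT_RESULT, n):.0%} of accounts")
    print("passwords needed for 70% coverage:", passwords_needed(AUDIT_RESULT, 0.7))
    for pwd, count in password_frequency(AUDIT_RESULT).most_common(3):
        print(f"{count} accounts share one password: {accounts_sharing(AUDIT_RESULT, pwd)}")
```

    In practice the input would be the cracked/not-cracked result per account from the audit tool; the point of the cumulative coverage figure is that it turns a list of weak passwords into a business-level risk statement (three passwords open 70% of these accounts) and an ordered remediation list.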


    • robsilver 10:58 pm on March 30, 2015 Permalink | Reply

      Let’s not even talk about Service Accounts, Stale Accounts, Bulk or Shared Accounts. Then BYOD and Enterprise internet via WiFi on a Corp Network to keep the CxOs happy…


  • markparris 9:26 pm on November 9, 2014 Permalink | Reply

    Active Directory: What to learn next? 

    The Microsoft MVP Summit was held last week (3rd – 7th November) in Redmond, where I had the good fortune to spend the week with members of the various Microsoft product teams that are responsible for what we commonly know as Active Directory. I can genuinely say that in technology terms I have not been this interested in the future of Windows since I did my first Windows Server 2000 course (MOC 1561) back in 1999.

    The MVP Summit content is mostly under NDA, and I have always respected the NDA. With this in mind, all I will say is that over the next few months I will be reading and learning as much as I can on the following areas of Microsoft technology:

    Azure Active Directory

    Azure Active Directory Sync Services

    Azure Rights Management

    Windows 10

    I would also recommend that you start to think about the concept of Active Directory being an identity provider, and that in the future it will all be about managing identities and not solely about managing the technologies that deliver them.

    Food for thought: think about what type of identities your business will support, business only or perhaps personal too? What is an identity? What is a personal identity? Who owns the identity? (I will follow up on this concept with another post.)

  • markparris 5:54 pm on July 31, 2014 Permalink | Reply
    Tags: Windows Server

    Active Directory: A user cannot be in more than 1015 groups. 

    In any Microsoft Active Directory forest, a user can only be a member of 1024 groups, but after allowing for up to 9 well-known SIDs this number is actually 1015.
    See KB http://support.microsoft.com/kb/328889

    If a user exceeds the hard limit of 1015 group memberships they probably will not be able to log on.

    • What do you do to rectify the issue?
    • How do you find out what changed and caused a tipping point?

    A quick visual method to see a user’s nested group memberships expanded is to run the command:

    dsget user "CN=Mark Parris,OU=Administration,DC=clickclicknext,DC=com" -memberof -expand

    If this command returns a short list of groups then membership of too many groups is probably not the issue, but if the command returns a scrolling list of group memberships then we need to utilise NTDSUTIL. NTDSUTIL has within it a command that you may not even know is there unless you have this specific issue.

    The command is group membership evaluation

    At an elevated command prompt, start NTDSUTIL, enter the group membership evaluation menu, point it at a domain controller for the account domain, the global catalog and the resource domain, and run the evaluation for the user:

    ntdsutil

    group membership evaluation

    set account dc nameOfDC

    set global catalog nameOfDC

    set resource dc nameOfDC

    run clickclicknext.com mark.parris

    quit

    quit

    clickclicknext.com is the FQDN of your domain, mark.parris is the username and nameOfDC is the name of a domain controller (the same DC can serve all three roles in a single-domain forest).

    The output of this command is a .tsv file and will be found in the path of the prompt (if you run it from C:\Temp it will be in C:\Temp); this file can be renamed to a .csv.
    The report produces a lot of interesting information in a tabular format.

    The report will have these column headings.

    SID in token
    SID type
    SID History Count
    Distinguished Name
    Active Directory Domain Controller Queried
    Group Owner
    Group Owner SID
    WhenCreated (UTC)
    WhenChanged (UTC)
    Member WhenChanged (UTC)
    GroupType WhenChanged (UTC)
    One Level MemberOf Count
    Total MemberOf Count
    Group Type
    Depth From User
    Closest Parent OU

    Among the column headings there are specific columns with timestamps. If the report is sorted on these, it will tell you which group or groups were modified most recently; these changes then need to be understood and reversed, or perhaps other legacy group memberships identified and removed.
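    As an added example (not from the original post), here is a small Python script that does the two checks described above against the .tsv report: it counts the group SIDs in the token against the 1015 limit and sorts the groups by a timestamp column to surface the most recently changed and the longest untouched memberships. The column headings are the ones listed above; the report rows are constructed for this example with an invented domain, and the timestamp layout (YYYY-MM-DD HH:MM:SS) and the values in the “SID type” column (“User”, “Group”) are assumptions about the report format, so adjust TS and the type filter to match a real report.

```python
import csv
import io
from datetime import datetime

LIMIT = 1024                                 # maximum SIDs in an access token
WELL_KNOWN_SIDS = 9                          # allowance for well-known SIDs (KB 328889)
EFFECTIVE_LIMIT = LIMIT - WELL_KNOWN_SIDS    # 1015 group memberships

# Column headings exactly as produced by "group membership evaluation".
HEADER = [
    "SID in token", "SID type", "SID History Count", "Distinguished Name",
    "Active Directory Domain Controller Queried", "Group Owner", "Group Owner SID",
    "WhenCreated (UTC)", "WhenChanged (UTC)", "Member WhenChanged (UTC)",
    "GroupType WhenChanged (UTC)", "One Level MemberOf Count", "Total MemberOf Count",
    "Group Type", "Depth From User", "Closest Parent OU",
]

TS = "%Y-%m-%d %H:%M:%S"   # assumed timestamp layout used in the constructed sample


def _row(sid, kind, dn, created, changed, member_changed, one_level, total, gtype, depth, ou):
    # Helper to build a constructed report row in HEADER order.
    return [sid, kind, "0", dn, "DC01", "Domain Admins", "S-1-5-21-1-2-3-512",
            created, changed, member_changed, created,
            str(one_level), str(total), gtype, str(depth), ou]


D = "DC=clickclicknext,DC=com"
# Constructed rows: the user plus five groups from an invented domain. A real
# report for a user at the limit runs to roughly a thousand rows.
ROWS = [
    _row("S-1-5-21-1-2-3-1104", "User", f"CN=Mark Parris,OU=Administration,{D}",
         "2005-03-01 08:00:00", "2014-07-28 09:15:00", "2014-07-28 09:15:00", 5, 5, "", 0, f"OU=Administration,{D}"),
    _row("S-1-5-21-1-2-3-513", "Group", f"CN=Domain Users,CN=Users,{D}",
         "2005-03-01 08:00:00", "2005-03-01 08:00:00", "2005-03-01 08:00:00", 0, 0, "Global Security", 1, f"CN=Users,{D}"),
    _row("S-1-5-21-1-2-3-1105", "Group", f"CN=Finance,OU=Groups,{D}",
         "2010-01-05 09:00:00", "2014-02-01 10:00:00", "2014-02-01 10:00:00", 1, 1, "Global Security", 1, f"OU=Groups,{D}"),
    _row("S-1-5-21-1-2-3-1200", "Group", f"CN=Legacy-App-2009,OU=Groups,{D}",
         "2009-06-30 12:00:00", "2009-06-30 12:00:00", "2009-06-30 12:00:00", 0, 0, "Domain Local Security", 2, f"OU=Groups,{D}"),
    _row("S-1-5-21-1-2-3-1300", "Group", f"CN=Project-X,OU=Groups,{D}",
         "2014-07-01 09:00:00", "2014-07-15 16:20:00", "2014-07-15 16:20:00", 0, 0, "Global Security", 1, f"OU=Groups,{D}"),
    _row("S-1-5-21-1-2-3-1400", "Group", f"CN=All-Staff,OU=Groups,{D}",
         "2006-01-01 09:00:00", "2014-07-28 09:15:00", "2014-07-28 09:15:00", 0, 0, "Universal Security", 1, f"OU=Groups,{D}"),
]
SAMPLE_TSV = "\n".join("\t".join(r) for r in [HEADER] + ROWS) + "\n"


def parse_report(text):
    """Read the tab-separated report into a list of dicts keyed by column heading."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def token_summary(rows):
    """Compare the number of group SIDs in the token against the 1015 limit."""
    groups = [r for r in rows if r["SID type"] == "Group"]
    return {
        "sids_in_token": len(rows),
        "groups": len(groups),
        "headroom": EFFECTIVE_LIMIT - len(groups),
        "over_limit": len(groups) > EFFECTIVE_LIMIT,
    }


def most_recently_changed(rows, column="Member WhenChanged (UTC)", n=3):
    """Group DNs with the newest timestamp in `column`, newest first: the first
    places to look for the change that tipped the user over the limit."""
    groups = [r for r in rows if r["SID type"] == "Group"]
    groups.sort(key=lambda r: datetime.strptime(r[column], TS), reverse=True)
    return [r["Distinguished Name"] for r in groups[:n]]


def stale_groups(rows, column="Member WhenChanged (UTC)", before="2010-01-01 00:00:00"):
    """Group DNs untouched since `before`: candidates for legacy membership clean-up."""
    cutoff = datetime.strptime(before, TS)
    return sorted(r["Distinguished Name"] for r in rows
                  if r["SID type"] == "Group" and datetime.strptime(r[column], TS) < cutoff)


if __name__ == "__main__":
    report = parse_report(SAMPLE_TSV)
    print(token_summary(report))
    print("most recently changed:", most_recently_changed(report))
    print("untouched since 2010:", stale_groups(report))
```

    To use it on a real report, replace SAMPLE_TSV with the file contents (open the .tsv before renaming it, or keep the tab delimiter after renaming to .csv) and run the same three functions; sorting on “WhenChanged (UTC)” or “GroupType WhenChanged (UTC)” instead of “Member WhenChanged (UTC)” answers the same question for group-level rather than membership-level changes.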



    As I review and update my old consulting notes I have decided to publish them.
    These are by no means definitive and are intended as an ‘aide memoire’.

    Comments welcome.

    Associated Post: MaxTokenSize – Change of recommendation from Microsoft




  • markparris 7:31 am on July 31, 2014 Permalink | Reply
    Tags: Forest Upgrade

    Active Directory: Disaster Recovery (Recap) 

    In preparation for the Active Directory forest to be upgraded (to Windows Server 2012 R2), it may be prudent to re-evaluate Active Directory disaster recovery plans.

    Active Directory, if configured correctly, will just sit there and work, servicing all requests that are presented to it; because of this robustness, its importance is often overlooked and its criticality not understood.

    Management buy-in.

    The most critical component in the disaster recovery plan is the education of management and key stakeholders in the criticality of Active Directory to the business. No Active Directory can mean no authentication, no authorisation, no name resolution and no printing; effectively the IT function may cease to operate until the Active Directory is restored or made available.

    Plan and approach.

    Define which Active Directory recovery scenarios are being catered for: is it total loss of the Active Directory, or the loss of objects within the Active Directory?

    Agree with the business and calculate realistic Recovery Point Objectives (RPOs) and Recovery Time Objectives (RTOs) for Active Directory.

    RPO – this is the point where you have to recover to (or the amount of information you can afford to lose).

    RTO – this is the time you have to recover the environment back to the RPO.

    Choose your method of backup

    When it actually comes to backing up Active Directory, technical insight is needed to understand the scenarios that are being protected against. Ensure that each scenario is catered for so that Active Directory can be recovered.

    Domain/Forest Recovery.

    In a worst-case scenario this would mean restoring a single domain controller from backup and then rebuilding all the other existing domain controllers as domain controllers in this restored domain.

    This could be a logistical nightmare to perform and orchestrate.

    Object Recovery

    This would usually mean restoring a domain controller from backup and then marking the object(s) that are to be recovered as authoritative.

    Active Directory Recycle Bin.

    The Active Directory Recycle Bin provides a certain degree of insurance in protecting Active Directory, but it will only enable the recovery of deleted items and not, for example, the recovery of modified users or groups. All domain controllers must be running Windows Server 2008 R2 at a minimum, and the forest functional level must be Windows Server 2008 R2.


    All of the well-known backup providers support backing up Active Directory. A key point is that it is not only the operating system that needs to be backed up but the entire system state, which includes all the underlying components of the operating system and Active Directory.

    Quest Recovery Manager for Active Directory – Forest Edition.

    This is the only tool I have found on the market that provides Active Directory disaster recovery from a single pane of glass; it enables recovery from a single attribute to a full forest recovery.

    Recovery Manager for Active Directory

    Test your processes

    Whatever process or method you take to back up your Active Directory, ensure that you are confident and able to recover your Active Directory, not only within the time required but also physically able to do so.

    As I review and update my old consulting notes I have decided to publish them. These are by no means definitive and are intended as an ‘aide memoire’ to enable discussion.
    Please feel free to comment.

    • chrisfinegold 9:35 am on September 15, 2014 Permalink | Reply

      I agree!!! It is important to evaluate your disaster recovery plan from time to time for more safety and to avoid any type of hassle. Plan B Disaster is providing robust and reliable disaster recovery solutions to numerous IT industries. Get their services to safeguard your important information and network from positional damage.


  • markparris 8:18 am on March 20, 2014 Permalink | Reply
    Tags: Active Directory experts, Microsoft Active Directory Integration Experts

    Top 6 (Independent) Microsoft Active Directory Integration Experts to Follow 

    Blatant self-promotion, but I wanted to share a blog post from OneLogin that gives their list of top Active Directory experts (including me) and our top tips on “What you should never do when working with Active Directory”.

    Top 6 (Independent) Microsoft Active Directory Integration Experts to Follow


    Does anyone else have any other “No-Nos” they would like to share?

    • Raheem 9:27 pm on March 20, 2014 Permalink | Reply

      Congrats mate and your tip around sites / services and never stop learning made me chuckle based on our regular chats!

