Event 16653: RID pool size issue

Hi Folks,

In this post I would like to share an issue around event 16653, one of the Directory Service log events you can come across in a Windows Server 2012 environment.

As you all know, the RID master FSMO role hands each domain controller a pool of 500 relative identifiers (RIDs). A DC consumes a RID from its pool every time it creates a security principal (user, computer or group), and when roughly half of the pool has been used it contacts the RID master to request a fresh one.

On Windows Server 2012 / R2, event 16653 does not appear unless the RID pool size has been changed in the registry.

[screenshot: event-id-16653]

By default each pool holds 500 RIDs. The pool size can be raised through the REG_DWORD value RID Block Size under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\RID Values, which AD administrators sometimes do before bulk-creating far more than 500 objects.

Windows Server 2012 caps the block size at 15,000. If an administrator sets RID Block Size above that, the RID master logs event 16653 ("A pool size for account-identifiers (RIDs) that was configured by an Administrator is greater than the supported maximum") and uses 15,000 instead. The event is about the configured pool size, not about how many objects have been created; a larger pool also wastes RIDs, because any unused part of a pool is lost when a DC is demoted or restored from backup.
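As an added example (not from the original post), the following PowerShell reads the configured block size and compares it with the 15,000 cap, decodes how much of the domain's RID space has already been handed out, and pulls any 16653 events from the Directory Service log. It assumes it runs on a domain controller with the ActiveDirectory module available.

```powershell
# Added example, not from the original post. Run on a DC with the ActiveDirectory module.
Import-Module ActiveDirectory

$ridKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\RID Values'
$cap     = 15000    # hard ceiling the RID master applies in Windows Server 2012 and later
$default = 500      # pool size used when RID Block Size is not set

$blockSize = (Get-ItemProperty -Path $ridKey -Name 'RID Block Size' -ErrorAction SilentlyContinue).'RID Block Size'
if ($null -eq $blockSize) {
    "RID Block Size not configured; pools of $default RIDs will be issued."
} elseif ($blockSize -gt $cap) {
    Write-Warning "RID Block Size is $blockSize, above the supported maximum; the RID master will truncate it to $cap and log event 16653."
} else {
    "RID Block Size is $blockSize (within the supported range)."
}

# How much of the domain's RID space is already allocated. rIDAvailablePool on the RID Manager$ object
# packs two 32-bit values: high dword = highest RID the domain may issue, low dword = next RID to hand out.
$domain = Get-ADDomain
$pool   = (Get-ADObject "CN=RID Manager`$,CN=System,$($domain.DistinguishedName)" -Properties rIDAvailablePool).rIDAvailablePool
$next   = $pool -band 0xFFFFFFFF
$limit  = $pool -shr 32
"RID master: $($domain.RIDMaster); next RID to issue: $next of $limit ({0:P1} of the space used)" -f ($next / $limit)

# Event 16653 is logged to the Directory Service log on the RID master
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 16653 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

Run it on the DC that holds the RID master role (the warning branch only matters there); on the other DCs the registry value is ignored until they are transferred the role.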


Secure a Virtual Domain Controller Using BitLocker Encryption

Hi, today's topic is securing a virtual domain controller with BitLocker encryption.

A virtual domain controller carries a specific risk: whoever can copy its VHD/VHDX files can mount them on another machine and read the AD database (NTDS.dit), which holds every password hash in the domain. Encrypting the storage that holds those files with BitLocker is one factor in securing a production environment.

[screenshot: hyper-nomdc]

BitLocker is strongest when paired with a Trusted Platform Module (TPM), a chip on the motherboard that is enabled from the BIOS/UEFI setup: the TPM seals the volume key to the measured boot state, so the disk cannot simply be moved to another machine or booted from different media and read.

In my lab environment the Hyper-V host runs on my Lenovo ThinkPad. The approach is to enable BitLocker on the host volume that stores the virtual machine files.

The steps are simple:

  1. Enable the TPM / security chip in the BIOS setup. Lenovo fortunately provides a tool to check the state; you can download it here. In the screenshot the setting shows Active, which means the TPM is enabled.
    [screenshot: tpm-is-active]
  2. Add the BitLocker Drive Encryption feature on the Hyper-V host. A restart of the server is required.
    [screenshot: enable-bitlocker]
  3. In Control Panel, turn BitLocker on for the volume that needs it. In the screenshot below I turned it on for the operating system drive, because my virtual machine folders are in the default location. If you keep the VM folder on a different drive, turn BitLocker on for the drive that actually holds the VHD/VHDX files.
    [screenshot: bitcontrolpanel]
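The same three steps from an elevated PowerShell on the host, as an added example that is not part of the original post. It assumes the VM files have been moved to a D: volume (adjust to whatever Get-VMHost reports) and that the domain allows recovery passwords to be backed up to AD DS.

```powershell
# Added example, not from the original post. Run elevated on the Hyper-V host.
# Assumes the VM files live on D:; adjust to the paths Get-VMHost reports.

# Step 1: confirm the TPM is present, enabled and owned before relying on it
Get-Tpm | Select-Object TpmPresent, TpmReady, TpmEnabled, TpmActivated, TpmOwned

# Step 2: add the BitLocker feature; the host must be restarted before the BitLocker cmdlets work
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools
# ... restart the host, then continue below ...

# Step 3: find where this host actually keeps VM configuration and disks
Get-VMHost | Select-Object VirtualHardDiskPath, VirtualMachinePath

# OS volume: TPM-sealed key plus a recovery password, with the recovery password escrowed to AD DS
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod Aes256 -TpmProtector -SkipHardwareTest
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
$recovery = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $recovery.KeyProtectorId   # needs the AD backup policy

# Data volume holding the VHDX files: its own recovery password, unlocked automatically
# once the TPM has released the OS volume key
Enable-BitLocker -MountPoint 'D:' -EncryptionMethod Aes256 -RecoveryPasswordProtector
Enable-BitLockerAutoUnlock -MountPoint 'D:'

# Verify: ProtectionStatus must be On for every volume that can hold a VHDX
Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
```

One caveat worth stating plainly: host-side BitLocker protects against offline access, such as a stolen disk or a host booted from other media. It does nothing against someone who is already an administrator of the running host and copies the VHDX files from the mounted volume, so membership of the host's Administrators and Hyper-V Administrators groups has to be restricted separately.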

Reset a Lost Password on Windows Server 2012 / R2

I would like to cover this topic because it is essential for system administrators.

A lost local administrator password can happen at any time when you manage many servers, especially standalone servers that are not joined to an Active Directory domain.

The procedure is straightforward.

Step 1: Boot the system from the Windows Server 2012 installation media

Boot the server from the Windows Server 2012 / R2 DVD (or an equivalent bootable medium). On the first setup screen click Next.

Then click 'Repair your computer'.


Step 2: Open a Command Prompt from the Advanced Options

In the option menu, click 'Troubleshoot'.

Under Advanced Options, choose Command Prompt.

Step 3: Rename utilman.exe and copy cmd.exe over it

At the command prompt, change to the System32 folder of the installed Windows. In the recovery environment the OS volume is often not C: (D: is common), so check with dir first. Rename the original utilman.exe to utilman.exe.old:

ren utilman.exe utilman.exe.old

Then put a copy of cmd.exe in its place:

copy cmd.exe utilman.exe

Utilman.exe is the Ease of Access helper that the logon screen launches, as SYSTEM, before anyone has authenticated; that is why replacing it gives you a shell.

After that, close the prompt and reboot.

Step 4: Boot normally and press Windows key + U at the logon screen

Let the server boot until the logon screen appears, then press the Windows key together with U on the keyboard.


Step 5: Reset the administrator password with net user

When you press Windows key + U, a command prompt appears instead of the Ease of Access tool.

Type the command below:

net user Administrator YourPassw0rd


Finally, reboot the system and log on with the new password. Then put the original utilman.exe back: leaving cmd.exe in its place gives anyone who can reach the logon screen a SYSTEM shell without a password. Note that this whole procedure only works because the disk is readable offline; with the OS volume encrypted by BitLocker, as in the previous post, the recovery environment cannot touch System32 without the recovery key.
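Cleaning up afterwards, as an added example that is not part of the original post: the script below restores the renamed utilman.exe from an elevated PowerShell once the server boots normally again, and then checks all of the accessibility helpers for the same swap. The check is there because the trick in this post is also a classic persistence technique (MITRE ATT&CK T1546.008, Accessibility Features), so a server you have just recovered should be verified rather than assumed clean. The list of helper names and the IFEO check are additions; the rest follows the steps above.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell after the server boots normally.
$sys32   = Join-Path $env:SystemRoot 'System32'
$helpers = 'utilman.exe', 'sethc.exe', 'osk.exe', 'narrator.exe', 'magnify.exe', 'displayswitch.exe'

function Restore-Utilman {
    $backup = Join-Path $sys32 'utilman.exe.old'
    $target = Join-Path $sys32 'utilman.exe'
    if (-not (Test-Path $backup)) { throw "$backup not found; nothing to restore" }
    # The cmd.exe copy sits in a folder owned by TrustedInstaller: take ownership before removing it.
    takeown.exe /F $target | Out-Null
    icacls.exe $target /grant 'Administrators:F' | Out-Null
    Remove-Item -Path $target -Force
    Rename-Item -Path $backup -NewName 'utilman.exe'   # the renamed original keeps its own ACL and owner
}

function Find-AccessibilitySwap {
    # Reports helpers that are really cmd.exe (copied over them, as in Step 3) or that are redirected
    # through an Image File Execution Options 'Debugger' value, the other common form of this backdoor.
    foreach ($name in $helpers) {
        $path = Join-Path $sys32 $name
        if (Test-Path $path) {
            $orig = (Get-Item $path).VersionInfo.OriginalFilename
            if ($orig -ieq 'cmd.exe') { "$name has been replaced by cmd.exe" }
        }
        $ifeo = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$name"
        $dbg  = (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { "$name is redirected via IFEO Debugger = $dbg" }
    }
}

Restore-Utilman
Find-AccessibilitySwap    # prints nothing when the system is clean
```

If utilman.exe.old is missing for some reason, sfc /scannow restores the genuine binary from the component store.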

Secure Your Infrastructure with Least Privilege

Hi,

This post is about securing your infrastructure by granting only the privileges each server role actually requires. Everyone likes the convenience of broad, full privileges, but has securing the infrastructure crossed your mind?

In a Windows environment, Active Directory is the service system administrators most like to centralize on, and I agree with that. The highest privileges in an AD environment are Domain Admins in each domain and Enterprise Admins across the whole forest (the Enterprise Admins group exists only in the forest root domain and is a member of every domain's Administrators group).

In a lab, system administrators, myself included, happily use Domain Admins and Enterprise Admins. In production, though, I would not give those memberships to many accounts; every extra member is an account whose compromise hands over the entire forest, and that is frankly scary.

The attached document summarizes the privileges required per service.

For example, authorizing a DHCP server in an AD domain for the first time requires Enterprise Admins membership (or rights delegated on the NetServices container in the configuration partition). Ongoing management of the DHCP server only needs membership in the server's local DHCP Administrators group, not Domain Admins.
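Before trimming memberships it helps to know who actually holds tier-0 rights, including through nested groups. The following is an added example (not from the original post or its attachment) that audits the built-in privileged groups and flags stale Domain Admins, then shows the DHCP split described above; the server and account names at the end are placeholders.

```powershell
# Added example, not from the original post. Needs the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$tier0 = 'Enterprise Admins', 'Domain Admins', 'Schema Admins', 'Administrators', 'Account Operators', 'Backup Operators'

function Get-PrivilegedMembership {
    # Recursive expansion catches users who hold the right through nested groups
    foreach ($group in $tier0) {
        $members = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Group = $group
            Count = $members.Count
            Users = ($members | Where-Object objectClass -eq 'user' | ForEach-Object SamAccountName) -join ', '
        }
    }
}

function Get-StalePrivilegedUsers {
    # Enabled Domain Admins that have not logged on in 90 days are the first accounts to remove
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties LastLogonDate, Enabled |
        Where-Object { $_.Enabled -and $_.LastLogonDate -lt (Get-Date).AddDays(-90) } |
        Select-Object SamAccountName, LastLogonDate
}

Get-PrivilegedMembership | Format-Table -AutoSize
Get-StalePrivilegedUsers | Format-Table -AutoSize

# DHCP, per the example above. Authorization in AD is a one-off that needs Enterprise Admins
# (or rights delegated on CN=NetServices in the configuration partition); run it once, then give
# the operators the server-local group and nothing more. Names below are placeholders.
# Add-DhcpServerInDC -DnsName 'dhcp01.corp.example' -IPAddress '10.0.0.10'   # once, as Enterprise Admin
# net localgroup "DHCP Administrators" CORP\dhcp-ops /add                     # on dhcp01, for day-to-day work
```

Run the audit from the forest root domain so that Enterprise Admins and Schema Admins resolve; in a child domain those two groups are reported as empty.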

 

Attachment:

Requirement Privilege Document

Problem: LAPS

Hi,

I am back with a question that comes up repeatedly after people install LAPS.

“Question: Why do I still have a blank password and expiration time set?”

[screenshot: laps blank password]

Answer:

  1. First of all, the computer has to be joined to the domain. If it is not, the two attributes will never be populated.
  2. Make sure the computer account was not created by hand in Active Directory. Some people claim the computer is domain-joined when in fact they only pre-created a computer account with the same name; the machine itself never joined.
  3. The LAPS client (the Group Policy client-side extension, AdmPwd.dll) was deployed by a different deployment system and may be missing on some machines.
  4. The LAPS client was installed manually. Some computers are domain-joined, but the client was installed by hand and the machine cannot reach a domain controller to apply the policy or write the attributes.
  5. I recommend deploying the LAPS client with Group Policy software installation.
  6. The computers sit in a different organizational unit (OU). In a large organization with many computers and other inventory, OUs are hard to keep track of, and the LAPS policy ends up linked to the wrong one. For example, the computer lives in the HQ OU under Florida, there is also an HQ OU under New York, and the LAPS Group Policy was linked to the New York one. The Florida computers never receive the policy, so their password attribute stays blank.
  7. The local administrator account is misconfigured. By default LAPS manages the built-in Administrator account (by its well-known RID 500, so renaming it is fine). If the Group Policy names a specific account instead, make sure that account exists on the client computer.
  8. Make sure the client runs a supported OS. Check the list here: https://technet.microsoft.com/en-us/mt227395.aspx.
  9. Make sure you have permission, through proper delegation, to read ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime. ms-Mcs-AdmPwd is a confidential attribute: ordinary domain users cannot read it, only AD administrators and those explicitly granted the extended right. The expiration time is not confidential, so if you can see the expiration time but the password is blank, it is a permissions problem; if both are blank, the client has not written them yet and one of the points above applies.
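To work through that list for one machine, here is an added example (not from the original post) that checks the AD side and the client side in one go. It needs the ActiveDirectory, GroupPolicy and AdmPwd.PS modules; the computer name is a placeholder, the caller is assumed to hold read rights on the attributes, and the registry key used for the client check is the documented LAPS client-side extension GUID.

```powershell
# Added example, not from the original post. Needs the ActiveDirectory, GroupPolicy and AdmPwd.PS modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy
Import-Module AdmPwd.PS

$computer = 'WS-FL-0123'   # placeholder name

# Items 1 and 2: exactly one computer object, and one that has actually logged on
$objs = @(Get-ADComputer -Filter "Name -eq '$computer'" -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime', LastLogonDate, whenCreated)
if ($objs.Count -ne 1) { Write-Warning "$($objs.Count) computer objects named $computer (pre-created or duplicate account?)" }
$c = $objs[0]
"DN: $($c.DistinguishedName)"
"Created $($c.whenCreated), last logon $($c.LastLogonDate)"      # no logon ever => not really joined
"Password set: $([bool]$c.'ms-Mcs-AdmPwd')  Expiration set: $([bool]$c.'ms-Mcs-AdmPwdExpirationTime')"
# Expiration readable but password blank points at item 9 (no read right on the confidential attribute);
# both blank means the client has never written them (items 3 to 7).

# Item 6: which GPOs reach this OU? The LAPS policy must be in this list.
$ou = ($c.DistinguishedName -split ',', 2)[1]
(Get-GPInheritance -Target $ou).InheritedGpoLinks | Select-Object DisplayName, Enabled, Order

# Item 9: who holds the extended right to read passwords in this OU
Find-AdmPwdExtendedRights -Identity $ou | Select-Object ObjectDN, ExtendedRightHolders
# Computers also need SELF write on the two attributes, or nothing ever gets stored:
# Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# Items 3, 4 and 7: on the client, is the LAPS CSE registered and is the policy present?
Reset-AdmPwdPassword -ComputerName $computer      # expire the current password so the next refresh rotates it
Invoke-Command -ComputerName $computer -ScriptBlock {
    $cse = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        CseRegistered    = Test-Path $cse          # false => the LAPS client is not installed (items 3/4)
        AdmPwdEnabled    = $pol.AdmPwdEnabled      # empty => no LAPS policy reaches this machine (item 6)
        AdminAccountName = $pol.AdminAccountName   # if set, this account must exist locally (item 7)
    }
    gpupdate.exe /target:computer /force | Out-Null
}

# If the client is healthy the attributes are populated after the refresh
Get-AdmPwdPassword -ComputerName $computer | Select-Object ComputerName, Password, ExpirationTimestamp
```

Reset-AdmPwdPassword only sets the expiration time into the past; the client rotates the password on its next policy refresh, which is why the remote gpupdate comes after it.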


Here is an example screenshot of the software deployment via Group Policy.

[screenshot: group policy LAPS]