Archive for March, 2019

This might be very useful in situations where you want to update a user’s or computer’s group membership without a re-logon / restart. The whole magic lies in the Kerberos tickets issued after you log on to a machine or a machine starts. The tool “klist.exe” can not only be used for troubleshooting, to display the currently issued TGT / TGS, it is also able to purge all current tickets. After a purge the tickets are re-issued as soon as the next authentication or service request takes place.

Keep in mind that this method only works for services which authenticate via Kerberos.

NTLM based authentication still requires a fresh logon with updated group membership token.

To purge a user’s tickets: klist purge

To purge tickets of the local system account: Start a cmd or PoSH session with elevated privileges: klist -li 0:0x3e7 purge

klist is included by default on Vista / Server 2008 and later.

If you have an old version of Windows then you’re required to download klist here:

Be aware that the 2003/XP version of klist does not support purging the system account’s tickets directly. You can use psexec from Sysinternals to launch an interactive command line as the system account (psexec -s -i cmd.exe) and then execute klist purge.

To generally control the lifetime of Kerberos tickets consider the following article:


NDES is the Microsoft Implementation of SCEP:

NDES installation and operations:


(NDES) Frequently Asked Questions (FAQ):


Configuring Network Device Enrollment Service for Windows Server 2008 with Custom Certificates:


NDES enrollment process:

1) Generate a key pair and install it on your device by using procedures provided by your device vendor.

2) Request a password by using the NDES admin site. The default URL is http://<computer_name>/certsrv/mscep_admin.

3) Establish trust between the device and the CA by downloading the CA certificate using the GetCACert operation and procedures provided by your device vendor. The default NDES URL for calling GetCACert is http://<computer_name>/certsrv/mscep?operation=getcacert&message=.

4) Submit the password and certificate request from the device to NDES by using procedures provided by your vendor.

5) NDES uses the request from the device to generate a certificate request and submit it to the configured CA.

6) If NDES certificate requests do not require certificate manager approval, the certificate is immediately returned to the device as part of the NDES response message.

7) If NDES certificate requests require certificate manager approval, the certificate request is held on the CA until it is reviewed by a certificate manager. Check the request status from the device using procedures provided by your vendor until NDES responds with the certificate.
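Step 3 of the process above, fetched and inspected from PowerShell, as an added example that is not part of the original post. It assumes the post’s default URL form; the NDES host name is a placeholder.

```powershell
# Added example, not from the original post: fetch what NDES returns for the SCEP
# GetCACert operation and list the certificates a device would be asked to trust.
# Assumption: the URL form is the post's default; $NdesHost is a placeholder.
function Get-NdesCaCert {
    param([Parameter(Mandatory)][string]$NdesHost)

    $uri = "http://$NdesHost/certsrv/mscep?operation=GetCACert&message=ca"
    $tmp = Join-Path $env:TEMP 'ndes-getcacert.bin'

    # GetCACert needs no password. NDES answers with either one DER certificate
    # (application/x-x509-ca-cert) or a degenerate PKCS#7 bundle holding the CA and
    # RA certificates (application/x-x509-ca-ra-cert); Import() accepts both encodings.
    $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -OutFile $tmp -PassThru
    Write-Verbose "Content-Type: $($resp.Headers['Content-Type'])"

    $bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $bundle.Import([System.IO.File]::ReadAllBytes($tmp))
    Remove-Item $tmp -ErrorAction SilentlyContinue

    foreach ($cert in $bundle) {
        # Basic Constraints (2.5.29.19) tells the CA certificate apart from the RA certificates
        $bc = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
        $isCa = ($null -ne $bc) -and $bc.CertificateAuthority
        $role = if ($isCa) { 'CA' } else { 'RA' }
        [pscustomobject]@{
            Role       = $role
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
        }
    }
}

# The CA thumbprint printed here must match the value obtained out of band
# (e.g. from the CA administrator) before a device profile is told to trust it.
Get-NdesCaCert -NdesHost 'ndes01.example.local' | Format-Table -AutoSize
```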

Apple iPads and NDES:

1) The device connects to an isolated deployment wireless network while connected via USB to the Mobile Device Management (MDM) software. In this example, the iPad is connected to the iPhone Configuration Utility.

2) The device administrator connects to the Network Device Enrollment Service (NDES) to obtain a temporary password, which is entered in the Mobile Device Management (MDM) as the device’s profile.

3) The Mobile Device Management (MDM) software pushes the profile configuration to the device.

4) The device creates the private/public key pair and sends a request to the Network Device Enrollment Service (NDES) to request a certificate.

5) The Network Device Enrollment Service (NDES) sends an RA request to the Certification Authority (CA).

6) The Certification Authority (CA) sends the certificate to the Network Device Enrollment Service (NDES).

7) The Network Device Enrollment Service (NDES) sends the certificate to the device, which in turn installs it.

8) The device connects to the corporate network using 802.1X.

NDES Operations 101:

– On the NDES server, verify that IIS is running and that the NDES application pool is started

– Back up IIS and export the HKLM\software\microsoft\cryptography\NDES registry key

– On the NDES server, in the computer certificate store, check that the RA certificates have not expired (otherwise renew the NDES service certificates):

Configuring NDES with custom certificates:


– Verify that the issuing CA is responding
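The checks in the list above as one script to run elevated on the NDES server, added here as an example and not part of the original post. It assumes the default NDES application pool name “SCEP” (verify it in IIS Manager) and a placeholder issuing CA config string.

```powershell
# Added example, not from the original post: the "NDES Operations 101" checks in one script.
# Assumptions: application pool name 'SCEP' (the NDES default), $CaConfig is a placeholder
# in "<CA host>\<CA name>" form, and $warnDays is an arbitrary warning threshold.
Import-Module WebAdministration
$CaConfig = 'ca01.example.local\Example Issuing CA'
$warnDays = 30

# 1) IIS service and the NDES application pool
$iis = Get-Service W3SVC
"W3SVC service: $($iis.Status)"
$pool = Get-WebAppPoolState -Name 'SCEP'
"SCEP application pool: $($pool.Value)"

# 2) RA certificates in the computer store. NDES relies on two certificates carrying the
#    Certificate Request Agent EKU (1.3.6.1.4.1.311.20.2.1); warn when they are near expiry.
$raCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.20.2.1'
}
if (@($raCerts).Count -lt 2) { Write-Warning "Expected 2 RA certificates, found $(@($raCerts).Count)" }
foreach ($c in $raCerts) {
    $daysLeft = [int]($c.NotAfter - (Get-Date)).TotalDays
    $state = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -lt $warnDays) { 'EXPIRING' } else { 'OK' }
    "RA cert $($c.Thumbprint) ($($c.Subject)) expires $($c.NotAfter.ToShortDateString()): $state"
}

# 3) Is the issuing CA responding? certutil -ping exercises the CA's request interface.
$ping = & certutil.exe -ping -config $CaConfig 2>&1
if ($LASTEXITCODE -eq 0) { "Issuing CA $CaConfig is responding" }
else { Write-Warning "Issuing CA $CaConfig did not respond:`n$($ping -join "`n")" }
```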

Collection of Web resources about dig usage:

Download dig (part of Bind):

Some commands:

What is the website’s IP address?

dig +short

How do I identify the name servers associated with a domain?

dig NS +short

What does the delegation path to my zone look like?

dig +trace

Which mail server is responsible for a domain?

dig MX

Which value is cached in a given resolver?

dig @

Which domain name is this IP associated with?

dig +short -x

Which are the name servers of a TLD?

dig +short NS nl.

When will the cache of an answer expire?

dig +noall +answer

Is the zone synchronized to all my name servers?

dig +nssearch

Does a zone exist on this name server?

dig SOA

Using dig to retrieve different record types:

dig srv

How to Troubleshoot Active Directory Replication Issues

In the previous article:

we explained the methodology for troubleshooting AD replication:

This second article takes a deep dive into the best-known out-of-the-box AD utility, REPADMIN.exe.

This utility should be run as a Domain Administrator or Enterprise Administrator.

repadmin /replsummary /bydest

The above command summarizes the replication status for all domain controllers grouped by replication destination. This parameter does not display the source domain controller.

repadmin /replsummary /bysrc

The above command summarizes the replication status for all domain controllers grouped by replication source. This parameter does not display the destination domain controller.

repadmin /showrepl

The above command shows the replication partners of serverdc1.mydomain.com and the status of the last sync attempt.

repadmin /showrepl /errorsonly

The above command lists only the replication partners that have replication errors (last sync attempt failed).

We can also view the results in CSV format.

repadmin /showrepl /csv

repadmin /syncall serverdc1 dc=mydomain,dc=com

The above command initiates synchronization of the domain directory partition with all replication partners of serverdc1.

It will also report any issues encountered while doing so.

repadmin /queue

The above command shows whether there are any unprocessed inbound replication requests. If the system keeps queuing requests, the cause can be a high number of AD changes, a system resource issue or too many replication partners.

repadmin /showchanges serverpdc1 e4f89917-5fff-40a8-scc2-b148b60d9359 dc=mydomain,dc=com

The above command lists the changes that have not yet been replicated between serverpdc1 and serverdc1. Here serverdc1 is the source server and it is identified by its object GUID.

repadmin /replicate serverdc1 serverpdc1 dc=mydomain,dc=com

The above command initiates an immediate replication of the directory partition from serverpdc1 to serverdc1.

Apart from repadmin, there are certain PowerShell cmdlets which we can use to troubleshoot replication issues. The Get-ADReplicationFailure cmdlet is one of those; it collects data about replication failures.

Get-ADReplicationFailure -Target serverdc1

The above command collects information about replication failures associated with serverdc1.
This can also be done with multiple servers.

Get-ADReplicationFailure -Target serverdc1,serverpdc1

Further, we can target all the domain controllers in the domain.

Get-ADReplicationFailure -Target "" -Scope Domain

Or even the entire forest.

Get-ADReplicationFailure -Target "" -Scope Forest

The Get-ADReplicationConnection cmdlet lists the replication partner details for the given domain controller.

Get-ADReplicationConnection -Filter *

The above command lists all replication connections of the domain controller you are logged on to.

We can also filter the replication connections based on their attributes.

Get-ADReplicationConnection -Filter {ReplicateToDirectoryServer -eq "serverdc1"}

The above command lists the replication connections whose destination server is serverdc1.
We can also force a sync of an object between domain controllers.

Sync-ADObject -object "foo" -source serverdc1 -destination serverpdc1

The above command syncs the user object foo from serverdc1 to serverpdc1.
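The CSV output of repadmin /showrepl and the Get-ADReplicationFailure cmdlet above combined into one forest-wide check, added here as an example and not part of the original article. It assumes the RSAT ActiveDirectory module and an account allowed to query every DC; the staleness threshold is an arbitrary choice.

```powershell
# Added example, not from the original article: parse "repadmin /showrepl /csv" for every DC
# into objects, flag failing and stale links, then cross-check with Get-ADReplicationFailure.
# Assumptions: RSAT ActiveDirectory module present; $staleDays is an arbitrary threshold.
$staleDays = 7

# '*' makes repadmin query every DC; ConvertFrom-Csv turns the header row into property names
# ('Destination DSA', 'Source DSA', 'Naming Context', 'Number of Failures', 'Last Success Time', ...)
$links = repadmin /showrepl * /csv | ConvertFrom-Csv

$failing = $links | Where-Object { ([int]$_.'Number of Failures') -gt 0 }
"Links with failures: $(@($failing).Count)"
$failing |
    Sort-Object 'Last Failure Time' -Descending |
    Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                  'Number of Failures', 'Last Failure Time', 'Last Failure Status' |
    Format-Table -AutoSize

# A link can report zero failures and still be stale: compare its last success with today
$cutoff = (Get-Date).AddDays(-$staleDays)
$stale = $links | Where-Object {
    $last = $_.'Last Success Time' -as [datetime]   # null when the field is not a date
    ($null -eq $last) -or ($last -lt $cutoff)
}
"Links with no successful sync in the last $staleDays days: $(@($stale).Count)"
$stale | Select-Object 'Destination DSA', 'Source DSA', 'Naming Context', 'Last Success Time' |
    Format-Table -AutoSize

# The same question asked through the AD module, across the whole forest
Import-Module ActiveDirectory
Get-ADReplicationFailure -Target (Get-ADForest).Name -Scope Forest |
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError |
    Format-Table -AutoSize
```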

Best practices for DNS forwarding:

To create a conditional forwarder zone in powershell:

read this reference doc:


To create a conditional forwarder zone (stored in the registry of the DNS Server):

Add-DnsServerConditionalForwarderZone -Name "" -MasterServers 2001:4898:7020:f100:458f:e6a2:fcaf:698c, -PassThru

ZoneName  ZoneType   IsAutoCreated  IsDsIntegrated  IsReverseLookupZone  IsSigned
--------  --------   -------------  --------------  -------------------  --------
          Forwarder  False          False           False


This command creates an Active Directory-integrated conditional forwarder zone for

Add-DnsServerConditionalForwarderZone -Name "" -ReplicationScope "Forest" -MasterServers 2001:4898:7020:f100:458f:e6a2:fcaf:698c,


To change an existing conditional forwarder zone, use the cmdlet:
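A create-or-update wrapper around the Add and Set cmdlets for conditional forwarders, with a resolution check against each master server, added here as an example and not part of the original post. It assumes the DnsServer module on the DNS server; the zone name and master server addresses are placeholders.

```powershell
# Added example, not from the original post: create the conditional forwarder if it is
# missing, otherwise update its master servers, then verify that each master actually
# answers for the zone. Zone name and server addresses in the call below are placeholders.
function Set-ConditionalForwarderIdempotent {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][string[]]$MasterServers,
        [string]$ReplicationScope = 'Forest'   # AD-integrated; the post also shows registry-stored zones
    )
    $existing = Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerConditionalForwarderZone -Name $ZoneName -MasterServers $MasterServers `
            -ReplicationScope $ReplicationScope -PassThru
    } elseif ($existing.ZoneType -ne 'Forwarder') {
        # Never silently turn a primary/secondary/stub zone into a forwarder
        throw "$ZoneName exists as zone type $($existing.ZoneType); refusing to overwrite"
    } else {
        Set-DnsServerConditionalForwarderZone -Name $ZoneName -MasterServers $MasterServers -PassThru
    }

    # Verification: every master server listed must answer the zone's SOA query
    foreach ($srv in $MasterServers) {
        try {
            $answer = Resolve-DnsName -Name $ZoneName -Type SOA -Server $srv -ErrorAction Stop
            $soa = $answer | Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1
            "  $srv answers for $ZoneName (SOA serial $($soa.SerialNumber))"
        } catch {
            Write-Warning "  $srv does not answer for ${ZoneName}: $_"
        }
    }
}

Set-ConditionalForwarderIdempotent -ZoneName 'partner.example' -MasterServers '10.0.0.53', '10.0.1.53'
```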


Good articles explaining the differences between S&C sensitivity labels and AIP labels, and how to merge them:


MS technet:

S&C labels:

AIP labels:

Azure Cloud shell



On first launch Cloud Shell prompts to create a resource group, storage account, and Azure Files share on your behalf. This is a one-time step and will be automatically attached for all sessions. A single file share can be mapped and will be used by both Bash and PowerShell in Cloud Shell.

Read more to learn how to mount a new or existing storage account.

  • Cloud Shell runs on a temporary host provided on a per-session, per-user basis
  • Cloud Shell times out after 20 minutes without interactive activity
  • Cloud Shell requires an Azure file share to be mounted
  • Cloud Shell uses the same Azure file share for both Bash and PowerShell
  • Cloud Shell is assigned one machine per user account
  • Cloud Shell persists $HOME using a 5-GB image held in your file share
  • Permissions are set as a regular Linux user in Bash

Learn more about features in Bash in Cloud Shell and PowerShell in Cloud Shell.

Azure cloud shell limitations:



How to access Azure Cloud Shell from Visual Studio Code?

On a Windows computer

Install VS Code:

then install Node.js:

then in VS Code install the extension “Azure Account”:



Azure DevOps

Azure DevOps Services provides development collaboration tools including high-performance pipelines, free private Git repositories, configurable Kanban boards, and extensive automated and continuous testing capabilities. For the on-premises platform, Azure DevOps Server (previously named Visual Studio Team Foundation Server), see Azure DevOps Server Documentation.

Main portal:

Azure DevOps and Azure AD groups (security of O365 groups):


DevOps and identity management: