Ryan Bolger's questions

In the past, I've been in a situation troubleshooting the dynamic registration of AD specific DNS records from domain controllers against a 3rd party DNS server. As far as I'm aware, the netlogon service is responsible for these registrations and does a full pass each time it is started and on some regular interval (once an hour?).

So if I don't want to wait for the regular interval and I'd rather not restart the netlogon service (or reboot the DC), is there any other way to coerce netlogon into re-registering these records?

ipconfig /registerdns works for the DC's own A/PTR records. But I need a similar method for the rest of the AD SRV/A/CNAME records.

The closest thing I found in my web searching was this blog post which talks about netdiag /fix. But apparently the netdiag utility no longer exists and the post implies that it would only re-register things that are missing. I've also tried various combinations of dcdiag /fix with no luck.

With MIT Kerberos, the kadmin utility supports the creation of principals that have an explicit maximum ticket lifetime and renewal lifetime (-maxlife and -maxrenewlife arguments for add_principal) which may be different than the realm's default ticket lifetime and renewal lifetime. So if your realm has a default lifetime of 24 hours and renewal lifetime of 7 days, a given principal could be 1 hour and 1 day respectively.

I'm trying to figure out whether Active Directory's Kerberos implementation supports the same thing. My gut says no, but I'm having a hard time definitively proving it other than not being able to find any obvious attributes on an account that might enable that ability.

Can anyone confirm or deny my gut answer?

With Microsoft security bulletin MS14-025, GPMC and related tools are now patched to no longer allow the use of configuration items within Group Policy Prefs that would embed obfuscated passwords. The bulletin references KB256345 as workaround using the "legacy" method of configuring Windows Services using Group Policy. But as far as I know, that method only allows you to set the security ACLs on the service (and it's startup type)...not the account the service runs as. I'd love to be proven wrong though.

What other ways exist to configure a service to run as a particular domain service account using group policy? We can't just start touching all of these machines by hand to configure the service. Assume for the moment that we have no other Windows based configuration management tools to use and we're stuck with group policy and whatever other built-in tools are available like Powershell.

For the time being in our environment, we've simply blocked the patch in WSUS. But I'm looking for a long term solution. The passwords we're configuring in this manner are all low privilege accounts that don't matter if their passwords are compromised.

Is there perhaps a solution utilizing managed service accounts? Should we come up with some sort of powershell based solution that runs at startup? The GPOs we're using apply to groups of computers that don't all have the service installed. So ideally, this solution won't start spamming the event log with group policy errors

So the release of Windows Server 2012 has removed a lot of the old Remote Desktop related configuration utilities. In particular, there is no more Remote Desktop Session Host Configuration utility that gave you access to the RDP-Tcp properties dialog that let you configure a custom certificate for the RDSH to use. In its place is a nice new consolidated GUI that is part of the overall "edit deployment properties" workflow in the new Server Manager. The catch is that you only get access to that workflow if you have the Remote Desktop Services role installed (as far as I can tell).

This seems like a bit of an oversight on Microsoft's part. How can we configure a custom SSL certificate for RDP on Windows Server 2012 when it's running in the default Remote Administration mode without needlessly installing the Remote Desktop Services role?

I'm in the process of putting together a VDI solution for some managed desktops using ESX. I know that I could create a VM template and just create new guests from that template. But if I understand things correctly, that would essentially make a copy of the template's virtual disk for each guest. So my total disk space need would roughly be the size of the template disk multipled by the total number of guests I intend to create.

However, all of these guests are going to be identical. They'll also be set to Nonpersistent so that changes will be reverted automatically when users disconnect. I'm wondering if it's possible to instead have all of the guests use the template disk simultaneously while keeping their own "delta" disk for changes until it's reverted.

It seems like it should be possible since no one needs to write to the master disk. Disk performance might even be better since the common OS bits on the vDisk would be cached.

I've applied the new KB973869 hotfix multiple times on my x64 2003 and XP systems and Windows Update keeps saying it needs to be re-applied. What's going on?

Our Microsoft volume licensing site was recently updated to include our Windows 7 and Server 2008 R2 KMS keys. We have an existing KMS server running on Server 2008 (not R2). In an attempt to be proactive about supporting the new OSes in our environment, I unregistered the old KMS key with slmgr.vbs and tried registering the new key. The registration failed with Error 0xC004F050. The description for that error was "The Software Licensing Service reported that the product key is invalid."

What's wrong? I've checked and double checked that for typos against what is listed on the Volume Licensing website.

I'd like to do some network testing on Windows using Iperf. The latest on sourceforge appears to be 2.0.4. However, it's only available as source to be compiled. I attempted to do some google searching for a pre-compiled version, but all I could find were some links to 1.x stuff.

Admittedly, the 1.x version I found does seem to work and I could likely continue using it without issue. But I've got the itch that says I need the latest version and setting up a build VM and dealing with inevitable compile issues doesn't sound like a whole lot of fun. So I figured I'd ask here if anyone knows where to find pre-compiled Iperf 2.x binaries for Windows.