
Active Directory Things
@ADAllTheTime
Microsoft Certified Master (MCM): Active Directory. Previously AD field engineer at Microsoft. Notes from the field & the lab (@duff22b)
Joined January 2025
Great new article that gets into the techie detail of Active Directory domain join permissions https://t.co/ms0ohDXslM
learn.microsoft.com
This article describes the permissions required in Active Directory to successfully join computers to a Windows Server domain using a new computer account or an existing account.
"Kerb3961", named after RFC3961, is a refactor of the Kerberos cryptography engine in its own library in Server 2025 and Win 11 24H2. Great blog post by Will Aftring that will get you up to speed quickly:
techcommunity.microsoft.com
Howdy, everyone! I wanted to write this blog post to discuss the new Kerb3961 library introduced in Windows Server 2025 / Windows 11 24H2. It is (hopefully)...
BadSuccessor is a new AD attack primitive that abuses dMSAs, allowing an attacker who can modify or create a dMSA to escalate privileges and take over the forest. Check out @JimSycurity's latest blog post to understand how you can mitigate risk.
specterops.io
Understanding the impact of the BadSuccessor AD attack primitive and mitigating the abuse via targeted Deny ACEs on Organizational Units.
Useful post for anyone tasked with reviewing the Windows audit policy: "A Data-Driven Approach to Windows Advanced Audit Policy – What to Enable and Why" by Nasreddine Bencherchali https://t.co/JUCNaBJa6P
splunk.com
Maximize visibility without overwhelming your SIEM with this data-driven guide to Windows Advanced Audit Policy.
Microsoft have issued a 'consider disabling this service' recommendation which affects Active Directory: "We're advising all enterprise customers who have deployed Windows Server OS (Windows Server 2016, Windows Server 2019, Windows Server 2022, and all intermediate releases
Here's a quirky (but sensible) one to be aware of for troubleshooting in-house apps that use AD: With AD on Server 2025 the default is to only allow LDAP to add, search, and modify operations that involve confidential attributes WHEN THE CONNECTION IS ENCRYPTED. More changes
🍿 20-minute video to get caught up on the Server 2025 Active Directory security features:
techcommunity.microsoft.com
Wondering if you should deploy Windows Server 2025 Domain Controllers? Join Active Directory Program Manager Cliff Fisher on a deep dive into new security...
If you need to simulate the Windows domain controller locator API (DSGETDCNAME) on a client to see which DC they would be talking to, or which site they believe they are in, use nltest: nltest /dsgetdc:yourdomain.local
We know that "ipconfig /displaydns" can be used to inspect the DNS cache on a Windows client. It's especially useful for AD troubleshooting though. Example: we can understand why a client might still be talking to a DC that was moved to a new site. You can see that this guy
If you need to pinpoint which DC made the change to an AD object/attribute you can use:
repadmin /showobjmeta dcname objectDN
It's a handy place to start; then go inspect the event logs for that DC to get more detail on whatever you're trying to find out.
An interesting approach a customer showed me was to take that further, manually, on all servers. Keep a 1GB file on the disk for a similar unlikely emergency; remove it if you miss (ignore) whatever alerting you have going off and then fix the problem whichever way you see fit.
AD uses "res" (reserved space) files: edbres00001.jrs & edbres00002.jrs to deliberately take space on the disk in case it unexpectedly fills up. AD can delete the res files in an emergency, free the little bit of space and safely commit transactions in flight to disk.
OPINION + METHODS: ACTIVE DIRECTORY MIGRATION + CHECKLISTS! ON PAPER! Prepping for a cut-over is never complete ... at least it seems that way. We have extensive migration checklists that we've built since my BackOffice Small Business Server (NT 4/4.5) days. Yeah, things have
The "Branch Office Deployment Guide" was gold for learning Active Directory. Step-by-step docs to build a complex lab and replication topology, including things that you might not see in many AD environments. It's gone now. But there is a backup here: https://t.co/mU3uhCoxhl
SharpADWS: Active Directory reconnaissance and exploitation for Red Teams
meterpreter.org
SharpADWS is an Active Directory reconnaissance and exploitation tool for Red Teams that collects and modifies Active Directory data
Here is a new custom administrative template (ADMX) for editing and auditing Microsoft Defender Attack Surface Reduction (ASR) policies, without being exposed to the rule GUIDs. https://t.co/3FQIYvjh4s
Together with @pavelfor, we have created the ultimate guide and tooling for configuring host-based firewalls on #ActiveDirectory domain controllers in enterprise environments. Blocks most remote command execution and authentication coercion techniques. https://t.co/85V30HTlMB
Domain Password Spray from a NON Domain joined box (doesn't matter if Win or Lin) what do you use?